======================================================================
🚀 Healthcare Cedar Policies — Test Suite
   Each use case tested in isolation (only its policies deployed).
======================================================================
   Gateway: healthcare-fhir-gateway-y192aidrp5
   URL:     https://healthcare-fhir-gateway-y192aidrp5.gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp

======================================================================
🆔 USE CASE 1: Identity-Based Access
   Patients can only read their own records.
======================================================================
   🗑️  Cleared 6 existing policies

📋 Policy 1: Identity-Based Access
   ✅ IdentityGetPatient: IdentityGetPatient-hekgjq5dpt
   ✅ IdentitySearchImmunization: IdentitySearchImmunization-sfyciwxl2d

🔄 Switching Cognito claims → role=patient, sub=adult-patient-001
   ✅ Claims updated — waiting 5s ...

   JWT: role=patient, patient_id=adult-patient-001

   📋 ✅ Positive use case: patient reads OWN record
      Prompt: Get patient information for patient ID adult-patient-001
      Available tools: ['Target1___getPatient', 'Target1___searchImmunization']

Tool #1: Target1___getPatient
Here is the patient information for patient ID **adult-patient-001**:

**Patient Details:**
- **Name:** Richard Doe
- **Patient ID:** adult-patient-001
- **Gender:** Male
- **Date of Birth:** July 10, 1985
- **Active Status:** Yes
- **Address:** 123 Maple Street, Springfield, IL 62701, USA
- **Last Updated:** February 26, 2026 at 23:48:44 UTC

The patient record is currently active and up to date.

   📋 ❌ Negative use case: patient reads OTHER patient's record
      Prompt: Get patient information for patient ID pediatric-patient-001
      Available tools: ['Target1___getPatient', 'Target1___searchImmunization']

Tool #1: Target1___getPatient
I apologize, but I was unable to retrieve the patient information for patient ID **pediatric-patient-001**. The request was denied due to policy enforcement restrictions. 

This could be due to:
- Access control policies that restrict who can view patient information
- Privacy and security policies that require additional authentication or authorization
- System-level restrictions on data access

Please contact your system administrator or check if you have the appropriate permissions to access this patient's information.

======================================================================
🔑 USE CASE 2: Scope-Based Read/Write Separation
   OAuth scopes gate read vs write tools.
   Testing as 'scheduler' role (no forbid interference).
======================================================================
   🗑️  Cleared 2 existing policies

📋 Policy 2: Scope-Based Read/Write Separation
   ✅ ScopeReadTools: ScopeReadTools-v0b4yfjpx5
   ✅ ScopeWriteTools: ScopeWriteTools-4x8c72yr9n

🔄 Switching Cognito claims → role=scheduler, sub=scheduler-001
   ✅ Claims updated — waiting 5s ...

📝 Setting up Cognito scopes ...
   ✅ Scopes already configured

   Token with read-only scope: default-m2m-resource-server-d9a3dfe0/healthcare.read

   📋 ✅ Positive use case: read scope → getSlots succeeds
      Prompt: Check available appointment slots for 2025-09-15
      Available tools: ['Target1___getPatient', 'Target1___getSlots', 'Target1___searchImmunization']

Tool #1: Target1___getSlots
Great! I found available appointment slots for the requested date. Here are the details:

**Doctor Information:**
- **Name:** Dr. Danna372 Russel238
- **NPI:** 9999999779
- **Email:** Danna372.Russel238@example.com
- **Address:** 275 SANDWICH STREET, PLYMOUTH, MA 02360
- **Gender:** Female

**Available Appointment Slots:**
- September 14, 2025 at 4:00 PM
- **September 15, 2025 at 2:00 PM** ✓ (Your requested date)
- September 17, 2025 at 2:00 PM

There is one available slot on your requested date (September 15, 2025) at 2:00 PM. Would you like to book this appointment or would you prefer one of the other available times?

   📋 ❌ Negative use case: read scope → bookAppointment denied
      Available tools: ['Target1___getPatient', 'Target1___getSlots', 'Target1___searchImmunization']
      ✅ bookAppointment is HIDDEN — read scope does not grant write access

   Token with read+write scope

   📋 ✅ Positive use case: read+write scope → bookAppointment succeeds
      Prompt: Book an appointment for patient adult-patient-001 on 2025-09-15 at 14:00
      Available tools: ['Target1___bookAppointment', 'Target1___getPatient', 'Target1___getSlots', 'Target1___searchImmunization']

Tool #1: Target1___bookAppointment
Perfect! I've successfully booked an appointment for patient adult-patient-001 on September 15, 2025 at 14:00 (2:00 PM).

**Appointment Details:**
- **Patient ID:** adult-patient-001
- **Date & Time:** 2025-09-15 at 14:00
- **Confirmation Number:** 17344

The appointment has been confirmed. Please keep the confirmation number for your records.

======================================================================
⏰ USE CASE 3: Time-Based Access — Clinic Hours
   getSlots restricted to 9 AM – 9 PM UTC.
   Uses context.system.now (gateway system clock).
======================================================================
   🗑️  Cleared 2 existing policies

📋 Use Case 3: Time-Based Access — Clinic Hours
   ✅ ClinicHoursGetSlots: ClinicHoursGetSlots-us8_ekt31h

   Current time: 08:28 UTC
   Clinic window: 9:00 – 21:00 UTC → CLOSED

🔄 Switching Cognito claims → role=patient, sub=adult-patient-001
   ✅ Claims updated — waiting 5s ...

   📋 ❌ Negative use case: clinic CLOSED (8:00 UTC) → getSlots denied
      Prompt: Check available appointment slots for 2025-09-15
      Available tools: ['Target1___getSlots']

Tool #1: Target1___getSlots
I apologize, but I'm unable to retrieve the available appointment slots for 2025-09-15 at this time. The system has denied access to this information due to policy enforcement.

This could be due to:
- Missing patient identification information
- Access restrictions on the appointment system
- Policy limitations on viewing future appointments

To proceed, please provide:
- Your **patient ID** (if you haven't already)
- Any additional information that might be required for authorization

Once you provide these details, I'll be able to check the available slots for you.

======================================================================
🚫 USE CASE 4: Forbid Rules — Before/After
   BEFORE: scope policies allow patient booking.
   AFTER:  adding forbid rule blocks it.
======================================================================
   🗑️  Cleared 1 existing policy

📋 Policy 2: Scope-Based Read/Write Separation
   ✅ ScopeReadTools: ScopeReadTools-7kg4y3rp1l
   ✅ ScopeWriteTools: ScopeWriteTools-ga_s5idm7b

🔄 Switching Cognito claims → role=patient, sub=adult-patient-001
   ✅ Claims updated — waiting 5s ...

   📋 ✅ BEFORE (scope only): patient with write scope CAN book
      Prompt: Book an appointment for patient adult-patient-001 on 2025-09-15 at 10:00
      Available tools: ['Target1___bookAppointment', 'Target1___getPatient', 'Target1___getSlots', 'Target1___searchImmunization']

Tool #1: Target1___bookAppointment
Perfect! I've successfully booked an appointment for patient adult-patient-001 on **2025-09-15 at 10:00**. 

**Confirmation Details:**
- **Confirmation Number:** 16289
- **Date & Time:** September 15, 2025 at 10:00 AM

The appointment has been confirmed and the patient can use the confirmation number for reference.

   📝 Adding forbid rule ...

📋 Policy 4: Forbid Rules — Hard Boundaries
   ✅ ForbidPatientBooking: ForbidPatientBooking-2znbcfa1s0

   📋 AFTER (scope + forbid): checking tool visibility ...
      Available tools: ['Target1___getPatient', 'Target1___getSlots', 'Target1___searchImmunization']
      ✅ bookAppointment is HIDDEN — forbid overrides permit

🔄 Restoring full policy set ...
   🗑️  Cleared 3 existing policies

📋 Policy 1: Identity-Based Access
   ✅ IdentityGetPatient: IdentityGetPatient-c27ni3p9jz
   ✅ IdentitySearchImmunization: IdentitySearchImmunization-4_bsa23190

📋 Policy 2: Scope-Based Read/Write Separation
   ✅ ScopeReadTools: ScopeReadTools-wdu8re5pyq
   ✅ ScopeWriteTools: ScopeWriteTools-_tzgajv64l

📋 Use Case 3: Time-Based Access — Clinic Hours
   ✅ ClinicHoursGetSlots: ClinicHoursGetSlots-kwjp2dys1o

📋 Policy 4: Forbid Rules — Hard Boundaries
   ✅ ForbidPatientBooking: ForbidPatientBooking-36byh_4pmt

🔄 Switching Cognito claims → role=patient, sub=adult-patient-001
   ✅ Claims updated — waiting 5s ...
   ✅ All policies restored

======================================================================
📊 RESULTS SUMMARY
======================================================================

   🆔 Use Case 1: Identity-Based
     Positive (own record):    ✅ Allowed
     Negative (other patient): ❌ Denied

   🔑 Use Case 2: Scope-Based R/W
     Positive (read → slots):  ✅ Allowed
     Negative (read → book):   ❌ Denied
     Positive (R+W → book):    ✅ Allowed

   ⏰ Use Case 3: Time-Based
     getSlots (8:00 UTC):     ❌ Denied

   🚫 Use Case 4: Forbid (Before/After)
     BEFORE (scope only):      ✅ Allowed
     AFTER (scope + forbid):   ❌ Denied

   ✅ Core policies: ALL MATCH

🔒 Policy enforcement verified:
   • Identity scoping prevents cross-patient access
   • Scope-based R/W gates read vs write tools
   • Time-based policy uses gateway system clock
   • Forbid rule overrides permit (before/after confirmed)
======================================================================
