Policy shadows

Identifies pairs of policies whose (SCIM group, segment) coverage sets intersect. A pair is a shadow when both policies share the same action, and a conflict when actions differ.

Endpoint

GET /api/v1/analytics/policy-shadows

Response

type PolicyShadowReport struct {
	PolicyA          PolicySummary
	PolicyB          PolicySummary
	SharedScimGroups []NamedRef
	SharedSegments   []NamedRef
	Verdict          string // "shadow" or "conflict"
}

type PolicySummary struct {
	ID       string
	Name     string
	Action   string // ALLOW | DENY | DEFAULT_DENY
	Priority int
}

The pair (PolicyA, PolicyB) is unordered — IDs are sorted lexically to keep the output stable. The report list itself is sorted by PolicyA.Priority descending so the highest-priority rules surface first. Evaluation order between the two is determined by their Priority values (higher = earlier).

Verdict semantics

PolicyA.Action   PolicyB.Action   Verdict
ALLOW            ALLOW            shadow
DENY             DENY             shadow
ALLOW            DENY             conflict
DENY             ALLOW            conflict

Algorithm

  1. For each policy, build the set of (scimGroupID, segmentID) pairs it covers.
  2. Compare every pair of policies. If their pair-sets intersect, emit a report.

Comparison is quadratic in policy count. At 500 policies this is 125,000 comparisons, executed per request.
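The two algorithm steps and the verdict table above, as an added Go example (not code from this page or from the service that serves the endpoint). NamedRef's fields, the input Policy type (a policy covering every listed SCIM group against every listed segment) and the function names are assumptions; with that product-shaped coverage, the (group, segment) pair-set intersection reduces to intersecting the group lists and the segment lists separately.

```go
package main
import "sort"
// Assumed shapes (hypothetical): the page names NamedRef without its fields and does not show the input policy type.
type NamedRef struct{ ID, Name string }
type PolicySummary struct {
	ID, Name, Action string // Action: ALLOW | DENY | DEFAULT_DENY
	Priority         int
}
type Policy struct {
	PolicySummary
	ScimGroups, Segments []NamedRef // coverage set = every listed group x every listed segment
}
type PolicyShadowReport struct {
	PolicyA, PolicyB                 PolicySummary
	SharedScimGroups, SharedSegments []NamedRef
	Verdict                          string // "shadow" or "conflict"
}
// intersect keeps the refs of a (in a's order) whose ID also appears in b.
func intersect(a, b []NamedRef) (out []NamedRef) {
	in := map[string]bool{}
	for _, r := range b {
		in[r.ID] = true
	}
	for _, r := range a {
		if in[r.ID] {
			out = append(out, r)
		}
	}
	return out
}
// FindShadows is step 2: with product-shaped coverage, two (group, segment) pair-sets intersect exactly when both per-dimension intersections are non-empty.
func FindShadows(policies []Policy) (reports []PolicyShadowReport) {
	ps := append([]Policy(nil), policies...)
	sort.Slice(ps, func(i, j int) bool { return ps[i].ID < ps[j].ID }) // PolicyA gets the lexically smaller ID
	for i := range ps {
		for j := i + 1; j < len(ps); j++ { // n(n-1)/2 comparisons, run on every request
			groups, segs := intersect(ps[i].ScimGroups, ps[j].ScimGroups), intersect(ps[i].Segments, ps[j].Segments)
			if len(groups) == 0 || len(segs) == 0 {
				continue
			}
			r := PolicyShadowReport{ps[i].PolicySummary, ps[j].PolicySummary, groups, segs, "conflict"}
			if ps[i].Action == ps[j].Action {
				r.Verdict = "shadow"
			}
			reports = append(reports, r)
		}
	}
	sort.SliceStable(reports, func(i, j int) bool { return reports[i].PolicyA.Priority > reports[j].PolicyA.Priority }) // highest-priority PolicyA first
	return reports
}
```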

Use cases

  • Cleanup of redundant rules where a shadow exists.
  • Audit of conflicting rules where two policies disagree on the action for the same (SCIM group, segment) pair.
  • Refactor planning when many overlaps cluster around a small set of SCIM groups or segment groups.