fix(ffi): eliminate aliasing UB + add Azure Policy JSON compilation FFI

bindings/csharp/Directory.Packages.props

@@ -1,7 +1,7 @@
 <Project>
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
-    <RegorusPackageVersion>0.10.0</RegorusPackageVersion>
+    <RegorusPackageVersion>0.10.1</RegorusPackageVersion>
     <RegorusPackageVersionSuffix Condition="'$(VersionSuffix)' != ''">-$(VersionSuffix)</RegorusPackageVersionSuffix>
   </PropertyGroup>
 

bindings/csharp/README.md

@@ -150,3 +150,76 @@ const string ContextJson = """
 var allowed = RbacEngine.EvaluateCondition(Condition, ContextJson);
 Console.WriteLine($"RBAC condition allowed: {allowed}");
 ```
+
+## Azure Policy JSON Evaluation
+
+Compile and evaluate Azure Policy JSON `policyRule` definitions directly — no Rego translation required.
+The `AzurePolicyCompiler` compiles JSON policy rules into RVM programs that can be executed with the `Rvm` engine.
+
+```csharp
+using Regorus;
+
+// 1. Load alias definitions for the resource provider
+const string AliasesJson = """
+[{
+    "namespace": "Microsoft.Storage",
+    "resourceTypes": [{
+        "resourceType": "storageAccounts",
+        "aliases": [{
+            "name": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
+            "defaultPath": "properties.supportsHttpsTrafficOnly",
+            "paths": []
+        }]
+    }]
+}]
+""";
+
+using var registry = AliasRegistry.FromJson(AliasesJson);
+
+// 2. Compile a JSON policy rule (the native Azure Policy language)
+const string PolicyRule = """
+{
+    "if": {
+        "allOf": [
+            { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
+            { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": false }
+        ]
+    },
+    "then": { "effect": "deny" }
+}
+""";
+
+using var program = AzurePolicyCompiler.CompilePolicyRule(registry, PolicyRule);
+
+// 3. Normalize an ARM resource and evaluate
+var armResource = """
+{
+    "type": "Microsoft.Storage/storageAccounts",
+    "name": "mystorage",
+    "properties": { "supportsHttpsTrafficOnly": false }
+}
+""";
+var envelope = registry.NormalizeAndWrap(armResource);
+
+using var vm = new Rvm();
+vm.LoadProgram(program);
+vm.SetInputJson(envelope!);
+
+var result = vm.ExecuteEntryPoint("main");
+// result: {"effect": "deny"} for non-compliant, "<undefined>" for compliant
+Console.WriteLine($"Policy result: {result}");
+```
+
+**Context-dependent policies:** If your policy uses context functions like
+`subscription()`, `resourceGroup()`, or `requestContext()`, you must also set
+the VM context separately:
+
+```csharp
+// The context JSON from NormalizeAndWrap is in the input envelope,
+// but must also be provided to the VM's ambient context:
+vm.SetContextJson(contextJson);
+```
+
+You can also compile full policy definitions (with parameters) using
+`AzurePolicyCompiler.CompilePolicyDefinition()`. See
+`bindings/csharp/Regorus.Tests/AzurePolicyCompilerTests.cs` for comprehensive examples.

bindings/csharp/Regorus.Tests/AliasRegistryTests.cs

@@ -43,31 +43,28 @@ public class AliasRegistryTests
     [TestMethod]
     public void Create_and_dispose_succeeds()
     {
-        using var registry = new AliasRegistry();
+        using var registry = AliasRegistry.Empty();
         Assert.AreEqual(0, registry.Length);
     }
 
     [TestMethod]
     public void LoadJson_populates_registry()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadJson(AliasesJson);
+        using var registry = AliasRegistry.FromJson(AliasesJson);
         Assert.AreEqual(1, registry.Length);
     }
 
     [TestMethod]
     public void LoadManifest_populates_registry()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadManifest(ManifestJson);
+        using var registry = AliasRegistry.FromManifest(ManifestJson);
         Assert.AreEqual(1, registry.Length);
     }
 
     [TestMethod]
     public void NormalizeAndWrap_produces_envelope()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadJson(AliasesJson);
+        using var registry = AliasRegistry.FromJson(AliasesJson);
 
         var resource = @"{
             ""name"": ""acct1"",
@@ -93,8 +90,7 @@ public void NormalizeAndWrap_produces_envelope()
     [TestMethod]
     public void NormalizeAndWrap_with_context_and_parameters()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadJson(AliasesJson);
+        using var registry = AliasRegistry.FromJson(AliasesJson);
 
         var resource = @"{
             ""name"": ""acct1"",
@@ -115,8 +111,7 @@ public void NormalizeAndWrap_with_context_and_parameters()
     [TestMethod]
     public void Denormalize_restores_properties()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadJson(AliasesJson);
+        using var registry = AliasRegistry.FromJson(AliasesJson);
 
         var normalized = @"{
             ""name"": ""acct1"",
@@ -137,8 +132,7 @@ public void Denormalize_restores_properties()
     [TestMethod]
     public void Round_trip_normalize_then_denormalize()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadJson(AliasesJson);
+        using var registry = AliasRegistry.FromJson(AliasesJson);
 
         var resource = @"{
             ""name"": ""acct1"",
@@ -166,8 +160,7 @@ public void Round_trip_normalize_then_denormalize()
     [TestMethod]
     public void DataPlane_manifest_normalize()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadManifest(ManifestJson);
+        using var registry = AliasRegistry.FromManifest(ManifestJson);
 
         var resource = @"{
             ""type"": ""Microsoft.KeyVault.Data/vaults/certificates"",
@@ -185,7 +178,7 @@ public void DataPlane_manifest_normalize()
     [ExpectedException(typeof(InvalidOperationException))]
     public void LoadJson_invalid_throws()
     {
-        using var registry = new AliasRegistry();
-        registry.LoadJson("not valid json");
+        using var builder = new AliasRegistryBuilder();
+        builder.LoadJson("not valid json");
     }
 }