Classifies a token into its AST node type based on position.

Returns an ast/ASTNode with the appropriate type: - ::ast/doc-accessor for document accessors - ::ast/uri for URI accessors - ::ast/thunk for thunkable forms - ::ast/literal for all other values

Returns true if k is a document accessor keyword.

Document accessors are namespaced keywords with namespace "doc", such as :doc/actor-role.

Extracts all document accessor keys from a policy ast.

Returns a set of document accessor keywords without the :doc/ namespace.

Parses a policy DSL expression expr into an AST with Either monad error handling.

The DSL supports: - Document accessors: :doc/key-name - URI accessors: :uri/uri - Function calls: [:fn-name arg1 arg2 ...] - Literals: strings, numbers, keywords, etc. - Thunks: Clojure vars and function calls wrapped for delayed evaluation

Takes an optional position vector [start end] for tracking location (defaults to [0 0]).

Returns Either[error-map, ASTNode] - Right with AST on success, Left with error on failure.

Returns true if form should be wrapped in a thunk for delayed evaluation.

Vars and non-empty lists (function calls) should be thunked.

Returns true if k is a URI accessor keyword.

URI accessors are namespaced keywords with namespace "uri", such as :uri/resource.

Returns true if v is a valid function name for the policy DSL.

Valid function names are keywords or symbols.