From 97a87861aaba9cd9fe57b0035bbdde81ce3ed38f Mon Sep 17 00:00:00 2001
From: andrewclymer <andy@rocksolidknowledge.com>
Date: Fri, 10 Apr 2026 14:33:28 +0100
Subject: [PATCH 1/5] AuthZen Example using Enforcer

---
 .../.idea/.gitignore                          |  15 ++
 .../.idea/copilot.data.migration.agent.xml    |   6 +
 .../.idea/copilot.data.migration.ask.xml      |   6 +
 .../copilot.data.migration.ask2agent.xml      |   6 +
 .../.idea/copilot.data.migration.edit.xml     |   6 +
 .../.idea/encodings.xml                       |   4 +
 .../.idea/indexLayout.xml                     |   8 +
 .../.idea.PolicyDrivenExpenses/.idea/vcs.xml  |   7 +
 .../AuthZenPolicyServer.csproj                |  24 +++
 .../AuthZenPolicyServer/Pages/Home.cshtml     |  27 ++++
 .../AuthZenPolicyServer/Pages/Home.cshtml.cs  |  59 +++++++
 .../Pages/_ViewImports.cshtml                 |   2 +
 .../Policies/expenses.alfa                    | 102 ++++++++++++
 .../AuthZenPolicyServer/Policies/global.alfa  |   9 ++
 .../AuthZenPolicyServer/Program.cs            |  39 +++++
 .../Properties/launchSettings.json            |  23 +++
 .../SubjectAttributeProvider.cs               |  33 ++++
 .../appsettings.Development.json              |   8 +
 .../AuthZenPolicyServer/appsettings.json      |   9 ++
 .../PolicyDrivenExpenses.sln                  |  22 +++
 .../PolicyDrivenExpenses.sln.DotSettings.user |  16 ++
 .../WebApp/ApplicationDbContext.cs            |  11 ++
 .../AllowAllAuthorizeExpenseClaimActions.cs   |  34 ++++
 .../AuthZenAuthorizeExpenseClaimActions.cs    | 108 +++++++++++++
 .../WebApp/Authorization/AuthorizeResult.cs   |  14 ++
 .../DenyAllAuthorizeExpenseClaimActions.cs    |  35 +++++
 .../IAuthorizeExpenseClaimActions.cs          |  13 ++
 .../WebApp/Domain/IExpenseClaimService.cs     |  22 +++
 .../WebApp/Domain/IExpenseClaimSubmission.cs  |  21 +++
 .../Domain/IGenerateAccessDeniedContent.cs    |  33 ++++
 .../WebApp/Domain/IManagerLookupService.cs    |   6 +
 .../Domain/InMemoryExpenseClaimService.cs     | 147 +++++++++++++++++
 .../Domain/InMemoryManagerLookupService.cs    |  40 +++++
 .../WebApp/Pages/AccessDenied.cshtml          |  24 +++
 .../WebApp/Pages/AccessDenied.cshtml.cs       |  17 ++
 .../WebApp/Pages/Account/Login.cshtml         |  47 ++++++
 .../WebApp/Pages/Account/Login.cshtml.cs      |  59 +++++++
 .../WebApp/Pages/Account/Logout.cshtml        |  19 +++
 .../WebApp/Pages/Account/Logout.cshtml.cs     |  16 ++
 .../WebApp/Pages/Expenses/Approve.cshtml      |  72 +++++++++
 .../WebApp/Pages/Expenses/Approve.cshtml.cs   | 122 +++++++++++++++
 .../WebApp/Pages/Expenses/Create.cshtml       | 108 +++++++++++++
 .../WebApp/Pages/Expenses/Create.cshtml.cs    | 148 ++++++++++++++++++
 .../WebApp/Pages/Home.cshtml                  |  45 ++++++
 .../WebApp/Pages/Home.cshtml.cs               |  10 ++
 .../WebApp/Pages/Shared/_Layout.cshtml        |  84 ++++++++++
 .../Shared/_ValidationScriptsPartial.cshtml   |   4 +
 .../WebApp/Pages/_Layout.cshtml               |   2 +
 .../WebApp/Pages/_ViewImports.cshtml          |   4 +
 .../WebApp/Pages/_ViewStart.cshtml            |   3 +
 .../PolicyDrivenExpenses/WebApp/Program.cs    | 102 ++++++++++++
 .../WebApp/Properties/launchSettings.json     |  23 +++
 .../PolicyDrivenExpenses/WebApp/README.md     |  23 +++
 .../PolicyDrivenExpenses/WebApp/WebApp.csproj |  15 ++
 .../WebApp/appsettings.Development.json       |   8 +
 .../WebApp/appsettings.json                   |   9 ++
 56 files changed, 1879 insertions(+)
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/_ViewImports.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/expenses.alfa
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/global.alfa
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Properties/launchSettings.json
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.Development.json
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.json
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/ApplicationDbContext.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AllowAllAuthorizeExpenseClaimActions.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthorizeResult.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/DenyAllAuthorizeExpenseClaimActions.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/IAuthorizeExpenseClaimActions.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimService.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimSubmission.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IGenerateAccessDeniedContent.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IManagerLookupService.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryExpenseClaimService.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryManagerLookupService.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_Layout.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_ValidationScriptsPartial.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_Layout.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewImports.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewStart.cshtml
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Program.cs
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/Properties/launchSettings.json
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/WebApp.csproj
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.Development.json
 create mode 100644 Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.json

diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore
new file mode 100644
index 0000000..a3db6dc
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore
@@ -0,0 +1,15 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Rider ignored files
+/.idea.AuthZenExample.iml
+/modules.xml
+/projectSettingsUpdater.xml
+/contentModel.xml
+# Ignored default folder with query files
+/queries/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
+# Editor-based HTTP Client requests
+/httpRequests/
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml
new file mode 100644
index 0000000..4ea72a9
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="AgentMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml
new file mode 100644
index 0000000..7ef04e2
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="AskMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml
new file mode 100644
index 0000000..1f2ea11
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="Ask2AgentMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml
new file mode 100644
index 0000000..8648f94
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="EditMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml
new file mode 100644
index 0000000..df87cf9
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="Encoding" addBOMForNewFiles="with BOM under Windows, with no BOM otherwise" />
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml
new file mode 100644
index 0000000..7b08163
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="UserContentModel">
+    <attachedFolders />
+    <explicitIncludes />
+    <explicitExcludes />
+  </component>
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml
new file mode 100644
index 0000000..ba43f69
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/../../.." vcs="Git" />
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj
new file mode 100644
index 0000000..92cfa97
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj
@@ -0,0 +1,24 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Rsk.Enforcer.AuthZen" Version="6.1.1"/>
+    </ItemGroup>
+
+    <ItemGroup>
+      <None Remove="Policies\global.alfa" />
+      <EmbeddedResource Include="Policies\global.alfa" />
+      <None Remove="Policies\expenses.alfa" />
+      <EmbeddedResource Include="Policies\expenses.alfa" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <Reference Include="Microsoft.AspNetCore">
+        <HintPath>..\..\..\..\..\usr\local\share\dotnet\shared\Microsoft.AspNetCore.App\10.0.3\Microsoft.AspNetCore.dll</HintPath>
+      </Reference>
+    </ItemGroup>
+</Project>
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml
new file mode 100644
index 0000000..812f566
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml
@@ -0,0 +1,27 @@
+@page
+@model AuthZenPolicyServer.Pages.HomeModel
+@{
+    ViewData["Title"] = "Home";
+}
+
+<style>
+.alfa-keyword { color: #005cc5; font-weight: bold; }
+.alfa-literal { color: #032f62; }
+.alfa-number { color: #22863a; }
+.alfa-comment { color: #6a737d; font-style: italic; }
+.alfa-brace { color: #d73a49; font-weight: bold; }
+</style>
+
+<div class="container mt-5">
+    <h1 class="mb-4">Welcome to the AuthZen Policy Server</h1>
+    <p>This server is responsible for serving and managing the expense claim authorization decisions.</p>
+    @foreach (var policy in Model.PolicyFiles)
+    {
+        <h3 class="mt-5">Policy: <span class="text-primary">@policy.Name</span></h3>
+        <div class="card bg-light border-primary mt-3 mb-5">
+            <div class="card-body">
+                <pre class="mb-0 text-dark" style="white-space: pre-wrap; background: #f8f9fa; border-left: 5px solid #0d6efd; padding: 1em;"><code>@Html.Raw(Model.PolicyHtml(policy.Content))</code></pre>
+            </div>
+        </div>
+    }
+</div>
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml.cs
new file mode 100644
index 0000000..4d1b285
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml.cs
@@ -0,0 +1,59 @@
+using Microsoft.AspNetCore.Html;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using System.Reflection;
+
+namespace AuthZenPolicyServer.Pages
+{
+    public class HomeModel : PageModel
+    {
+        public string PolicyText { get; set; } = string.Empty;
+        public List<(string Name, string Content)> PolicyFiles { get; set; } = new();
+
+        public void OnGet()
+        {
+            var assembly = Assembly.GetExecutingAssembly();
+            var resources = assembly.GetManifestResourceNames()
+                .Where(r => r.Contains(".Policies.") && r.EndsWith(".alfa"));
+            foreach (var resource in resources)
+            {
+                using var stream = assembly.GetManifestResourceStream(resource);
+                using var reader = new StreamReader(stream!);
+                var content = reader.ReadToEnd();
+                var name = resource.Substring(resource.LastIndexOf(".Policies.") + 10);
+                PolicyFiles.Add((name, content));
+            }
+        }
+
+        public static string ColorizePolicy(string policy)
+        {
+            // Colorize comments first
+            string result = Regex.Replace(policy, "//.*", "<span class='alfa-comment'>$0</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            // Colorize strings
+            result = Regex.Replace(result, "\"([^\"]*)\"", "<span class='alfa-literal'>\"$1\"</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            // Keywords
+            string[] keywords = new[] { "namespace", "import", "attribute", "policyset", "policy", "apply", "firstApplicable", "denyUnlessPermit", "permitUnlessDeny", "target", "clause", "rule", "condition", "permit", "deny", "on", "advice" , "money" , "int" , "double" , "time" , "obligation" , "string" , "date" , "let"};
+            foreach (var keyword in keywords)
+            {
+                result = Regex.Replace(result, $@"\b{keyword}\b", $"<span class='alfa-keyword'>{keyword}</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            }
+            // Numbers
+            result = Regex.Replace(result, "(?<=\\s|^)([0-9]+(\\.[0-9]+)?)(?=\\s|$)", "<span class='alfa-number'>$1</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            // Braces
+            result = result.Replace("{", "<span class='alfa-brace'>{</span>");
+            result = result.Replace("}", "<span class='alfa-brace'>}</span>");
+            // HTML encode everything except our tags
+            result = Regex.Replace(result, "(<[^>]+>|[^<]+)", match =>
+            {
+                if (match.Value.StartsWith("<"))
+                    return match.Value; // leave tags alone
+                return System.Net.WebUtility.HtmlEncode(match.Value);
+            });
+            // Fix double-encoding of quotes inside attributes
+            result = result.Replace("&#39;", "'").Replace("&quot;", "\"");
+            return result;
+        }
+
+        public HtmlString PolicyHtml(string policy) => new HtmlString(ColorizePolicy(policy));
+    }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/_ViewImports.cshtml b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/_ViewImports.cshtml
new file mode 100644
index 0000000..e631058
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/_ViewImports.cshtml
@@ -0,0 +1,2 @@
+@namespace AuthZenPolicyServer.Pages
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/expenses.alfa b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/expenses.alfa
new file mode 100644
index 0000000..8dc8ceb
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/expenses.alfa
@@ -0,0 +1,102 @@
+namespace acmeCorp
+{
+
+    import Oasis.Functions.*
+    import Oasis.Attributes.*
+    import Enforcer.AuthZen.*
+    
+    attribute ExpenseTotal { id ="total" type=money category=resourceCat}
+    attribute ApproverId { id ="approver" type=string category=resourceCat}
+     
+    //
+    // Policies for handling the creation, and approval of expense claims
+    //
+    policyset expenses
+    {
+       target clause ResourceType == "expenses"
+       apply denyUnlessPermit
+       
+       policy CreateExpenseClaim
+       policy SubmitExpenseClaim
+       policy ViewClaimsToApprove
+       policy ApproveAndRejectClaims
+    }
+    
+    policy CreateExpenseClaim {
+      target clause Action == "CreateClaim"
+      apply denyUnlessPermit
+    
+      rule CanCreateExpenseClaim { 
+          condition Role == "employee"
+          permit 
+      }
+    
+      on deny 
+      {
+          advice authZenContext
+          {
+              error = "Must be an employee to create a claim"
+          }
+      }
+    }
+              
+    policy SubmitExpenseClaim 
+    {
+      apply permitUnlessDeny
+
+      target clause Action == "SubmitClaim"
+      rule {
+          condition ExpenseTotal > 1000:money and Role == "employee"
+          deny
+          on deny 
+          {
+              advice authZenContext
+              {
+                  error = "Claim must be less than 1000 GBP"
+              }
+          }
+      }
+      rule { 
+            condition Role != "employee" 
+            deny
+
+          on deny 
+          {
+              advice authZenContext
+              {
+                  error = "Must be an employee to submit a claim"
+              }
+          }
+      }
+    }
+              
+    policy ViewClaimsToApprove
+     {
+         target clause Action == "ListClaimsToApprove"
+         apply denyUnlessPermit
+    
+         rule CanListClaims { 
+             condition Role == "manager"
+             permit 
+         }
+    
+         on deny 
+         {
+             advice authZenContext
+             {
+                 error = "Must be a manager to approve claims"
+             }
+         }
+    }
+             
+    policy ApproveAndRejectClaims
+    {
+       target clause Action == "AcceptClaim" or Action == "RejectClaim"
+       apply permitUnlessDeny
+       
+       rule {
+           condition Subject.Identifier != ApproverId and Role == "manager"
+           deny
+       }
+    }
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/global.alfa b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/global.alfa
new file mode 100644
index 0000000..e5b6306
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/global.alfa
@@ -0,0 +1,9 @@
+namespace acmeCorp
+{
+     policyset global
+     {    
+         apply firstApplicable
+         policy expenses
+     }  
+}
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs
new file mode 100644
index 0000000..2763256
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs
@@ -0,0 +1,39 @@
+using AuthZenPolicyServer;
+using Rsk.Enforcer;
+using Rsk.Enforcer.AuthZen;
+using Rsk.Enforcer.PAP.Store;
+using Rsk.Enforcer.PEP;
+
+public class Program
+{
+    public static void Main(string[] args)
+    {
+        var builder = WebApplication.CreateBuilder(args);
+        
+        builder.Services.AddRazorPages();
+        builder.Services
+            .AddEnforcer("acmeCorp.global",options =>
+            {
+                options.Licensee = "DEMO";
+                options.LicenseKey = "eyJhdXRoIjoiREVNTyIsImV4cCI6IjIwMjYtMDQtMzBUMDA6MDA6MDAiLCJpYXQiOiIyMDI2LTAzLTMwVDExOjUwOjA1LjQxMDU5NTFaIiwib3JnIjoiREVNTyIsImF1ZCI6N30=.mtYt37KGtQFJ5je0XJGckWrOx6lqCF5QwraMPJyGFgzYOq8sAFARoIjCKpJ0JpbpCRbCcaTFFhekfHU6NLvJka/ZzfsOYM4JHBSQpol2Z38PwkR4p8J6ONBi/SYOIvXrTk48Tf09Tvo2WHeoiZ9/MLu4IN7+w8sib0fUdkt/cY1PKHHzofBBHPsOT4/LOyxZoVIFLsINC5IOCkGf1vkmCADVFTszOY5nwUf3CNBs+C6UwfpHnvggnMnZpanW45WoWDDcQHgxwS13LgH6k+0XBUrPdcFhTR9mlSuboDspctvVeNASUBWcSLLdGY7GhK2RAWEAf9bbsTrSHErqIK+gx0XcDaq+n94q/qW3swJGGjUlcj+PaGPhmoEojYfwFWWZU6y4dz45XC941GpsYZEGYSVos5+oJMdreCOZqoPXhjEiqmRDgNT7llQ4bixr9voW3N1WKrfy6Ftr2ZYPv/tSOZb3wofGkpLSpPAw/XiyWUOkIiuVajR9CM8//pWQCOZodL1/xuXlioW8EVECXoGDhreDaGhc5BIEycJC/Fv0rgrnFxrPbStm8z+jmigGhN7G7quXaZr+VHhr+WEgjqbB3MSUhR1f/jwjKtiQMEoU7EDiC9BsNkV+KmGKr+o23HlvM2mwE5/rOa/ORgJ3LZmad2yBi6CYge8lwmSLWABMEmc=";
+            })
+            .AddPolicyEnforcementPoint(o => o.Bias = PepBias.Deny)
+            .AddAuthZen()
+            .AddAuthZenAdvice()
+            .AddPolicyAttributeProvider<SubjectAttributeProvider>()
+            .AddEmbeddedPolicyStore(typeof(Program).Assembly, "AuthZenPolicyServer.Policies");
+        
+        var app = builder.Build();
+
+        app.UseEnforcerAuthZen();
+        app.UseStaticFiles();
+        app.UseRouting();
+        app.MapRazorPages();
+        app.MapGet("/", context =>
+        {
+            context.Response.Redirect("/Home");
+            return Task.CompletedTask;
+        });
+        app.Run();
+    }
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Properties/launchSettings.json b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Properties/launchSettings.json
new file mode 100644
index 0000000..5b1460b
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5208",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:7064;http://localhost:5208",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs
new file mode 100644
index 0000000..4404532
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs
@@ -0,0 +1,33 @@
+using Rsk.Enforcer.Oasis.PolicyModel;
+using Rsk.Enforcer.PIP;
+using Rsk.Enforcer.PolicyModels;
+
+namespace AuthZenPolicyServer;
+
+public class AcmeCorpPerson()
+{
+    [PolicyAttributeValue(PolicyAttributeCategories.Subject, "role")]
+    public IEnumerable<string> Roles { get; init; } = [];
+}
+
+public class SubjectAttributeProvider : RecordAttributeValueProvider<AcmeCorpPerson>
+{
+    private static readonly Dictionary<string, AcmeCorpPerson> people = new()
+    {
+        ["bob"] = new AcmeCorpPerson() { Roles = ["employee"]},
+        ["alice"] = new AcmeCorpPerson() { Roles = ["employee","manager"]},
+    };
+    
+    protected override async Task<AcmeCorpPerson> GetRecordValue(IAttributeResolver attributeResolver, CancellationToken ct)
+    {
+        IReadOnlyCollection<string>? identifiers = await attributeResolver
+            .Resolve<string>(Rsk.Enforcer.Oasis.Attributes.Subject.Identifier, ct);
+
+        string? identifier = identifiers.SingleOrDefault();
+        if (identifier == null) return null!;
+
+        AcmeCorpPerson person = new AcmeCorpPerson();
+
+        return people[identifier];
+    }
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.Development.json b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.Development.json
new file mode 100644
index 0000000..0c208ae
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.json b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.json
new file mode 100644
index 0000000..10f68b8
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.json
@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln b/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln
new file mode 100644
index 0000000..62f1199
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApp", "WebApp\WebApp.csproj", "{10B37E26-0292-47E2-AFF8-37C074922F77}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthZenPolicyServer", "AuthZenPolicyServer\AuthZenPolicyServer.csproj", "{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+EndGlobal
diff --git a/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user b/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user
new file mode 100644
index 0000000..0f4cf32
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user
@@ -0,0 +1,16 @@
+<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAttributes_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003F2a_003F0bdaf15a_003FAttributes_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthorizationEndpointConventionBuilderExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F529ca7af3db74d77551539ac0655ebf6c535c3725adad6808a78956de9b481_003FAuthorizationEndpointConventionBuilderExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthZenBoxcarEvaluationRequest_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003Fe3_003Ff503e3b5_003FAuthZenBoxcarEvaluationRequest_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthZenEvaluationRequest_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003F8a_003F3a0a9377_003FAuthZenEvaluationRequest_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthZenSingleRequestBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003F59_003Feca0bbe2_003FAuthZenSingleRequestBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AConfiguredCancelableAsyncEnumerable_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F503ce811ad4e9dc1af2f941b2176a3fd92d0d86e67193e3974e638a4ca3f69f_003FConfiguredCancelableAsyncEnumerable_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADebugger_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Ff9d2f95d72fa884d8b6ddefc717c56da3657fbb2d5fb683656c3589eb6587_003FDebugger_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AFileSystemPolicyStore_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003F06_003F46a4719a_003FFileSystemPolicyStore_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIAuthZenPropertyBag_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003Fa4_003F397a31d0_003FIAuthZenPropertyBag_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIdentityConstants_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F7dbdfb636eaf239e236f25602a4737bcea35d9853112016a49f55f460186b_003FIdentityConstants_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIPolicyStore_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003Fe4_003F03d98093_003FIPolicyStore_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AJsonElement_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F579deeb0a45a829a4e9f827e296d7f339cefa86c77069fa79a05cd9546833_003FJsonElement_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AMonitor_002ECoreCLR_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fbc69852c736be69a33ab75e0444246ffeb2f8cd671d12b36b764ba5fa18f61ba_003FMonitor_002ECoreCLR_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARecordAttributeValueProvider_00601_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003Fb9_003F273d8668_003FRecordAttributeValueProvider_00601_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATaskAsyncEnumerableExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fa446e9d9adcc13b7b2443f91d56768d4201fe33d52acfb68f34d94298a1d3_003FTaskAsyncEnumerableExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String></wpf:ResourceDictionary>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/ApplicationDbContext.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/ApplicationDbContext.cs
new file mode 100644
index 0000000..746f591
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/ApplicationDbContext.cs
@@ -0,0 +1,11 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore;
+
+namespace WebApp;
+
+public sealed class ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
+    : IdentityDbContext<IdentityUser>(options)
+{
+}
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AllowAllAuthorizeExpenseClaimActions.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AllowAllAuthorizeExpenseClaimActions.cs
new file mode 100644
index 0000000..b7cfbbe
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AllowAllAuthorizeExpenseClaimActions.cs
@@ -0,0 +1,34 @@
+using WebApp.Domain;
+
+namespace WebApp.Authorization;
+
+public sealed class AllowAllAuthorizeExpenseClaimActions : IAuthorizeExpenseClaimActions
+{
+    private static readonly AuthorizeResult Success = new AuthorizeResult(true);
+    
+    public Task<AuthorizeResult> CanCreateClaim(string submitterUserId)
+    {
+        return Task.FromResult(Success);
+    }
+
+    public Task<AuthorizeResult> CanSubmitClaim(string submitterUserId, decimal grossCost)
+    {
+        return Task.FromResult(Success);
+    }
+
+    public Task<AuthorizeResult> CanApproveAndRejectClaims(string approverUserId)
+    {
+        return Task.FromResult(Success);
+    }
+
+    public Task<AuthorizeResult> CanApproveClaims(string approverUserId, IEnumerable<IExpenseClaimSubmission> submission)
+    {
+        return Task.FromResult(Success);
+    }
+
+    public Task<AuthorizeResult> CanRejectClaims(string approverUserId, IEnumerable<IExpenseClaimSubmission> submission)
+    {
+        return Task.FromResult(Success);
+    }
+}
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs
new file mode 100644
index 0000000..5182c1e
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs
@@ -0,0 +1,108 @@
+using System.Text.Json;
+using Rsk.AuthZen.Client;
+using WebApp.Domain;
+
+namespace WebApp.Authorization;
+
+public class AuthZenAuthorizeExpenseClaimActions(IAuthZenClient client) : IAuthorizeExpenseClaimActions
+{
+    public Task<AuthorizeResult> CanCreateClaim(string submitterUserId)
+    {
+        AuthZenSingleRequestBuilder requestBuilder = new AuthZenSingleRequestBuilder();
+
+        requestBuilder
+            .SetSubject(submitterUserId, "user");
+        
+        requestBuilder.SetAction("CreateClaim");
+        requestBuilder.SetResource("newExpense", "expenses");
+        
+        var request = requestBuilder.Build();
+
+        return Authorize(request);
+    }
+
+    
+    public Task<AuthorizeResult> CanSubmitClaim(string submitterUserId, decimal grossCost)
+    {
+        AuthZenSingleRequestBuilder requestBuilder = new AuthZenSingleRequestBuilder();
+
+        requestBuilder
+            .SetSubject(submitterUserId, "user");
+        
+        requestBuilder.SetAction("SubmitClaim");
+        requestBuilder
+            .SetResource("newExpense", "expenses")
+            .Add("total",grossCost);
+        
+        var request = requestBuilder.Build();
+
+        return Authorize(request);
+    }
+
+    public Task<AuthorizeResult> CanApproveAndRejectClaims(string approverUserId)
+    {
+        AuthZenSingleRequestBuilder requestBuilder = new AuthZenSingleRequestBuilder();
+
+        requestBuilder
+            .SetSubject(approverUserId, "user");
+        
+        requestBuilder
+            .SetAction("ListClaimsToApprove");
+        
+        requestBuilder
+            .SetResource("expenseList", "expenses")
+            ;
+        
+        var request = requestBuilder.Build();
+
+        return Authorize(request);
+    }
+
+    public Task<AuthorizeResult> CanApproveClaims(string approverUserId, IEnumerable<IExpenseClaimSubmission> submissions)
+    {
+        return  AuthorizeClaimSubmissionsAction(approverUserId, submissions,"AcceptClaim");
+    }
+    
+    public Task<AuthorizeResult> CanRejectClaims(string approverUserId, IEnumerable<IExpenseClaimSubmission> submissions)
+    {
+        return  AuthorizeClaimSubmissionsAction(approverUserId, submissions,"RejectClaim");
+    }
+    
+    private async Task<AuthorizeResult> AuthorizeClaimSubmissionsAction(string approverUserId, 
+        IEnumerable<IExpenseClaimSubmission> submissions , string action)
+    {
+        var boxCarRequestBuilder = new AuthZenBoxcarRequestBuilder();
+
+        foreach (IExpenseClaimSubmission submission in submissions)
+        {
+            var rb = boxCarRequestBuilder.AddRequest();
+            rb.SetAction(action);
+            rb.SetSubject(approverUserId, "user");
+            rb.SetResource(submission.SubmissionId, "expenses")
+                .Add("approver", submission.ApproverUserId);
+        }
+
+        AuthZenBoxcarEvaluationRequest? request = boxCarRequestBuilder.Build();
+
+        AuthZenBoxcarResponse? result = await client.Evaluate(request);
+        
+        bool success =  result.Evaluations.All(e => e.Decision == Decision.Permit);
+        return new AuthorizeResult(success);
+    }
+    
+    private async Task<AuthorizeResult> Authorize(AuthZenEvaluationRequest request)
+    {
+        AuthZenResponse response = await client.Evaluate(request);
+        bool success = response.Decision == Decision.Permit;
+
+        if (success == false)
+        {
+            string? error = 
+                JsonSerializer.Deserialize<JsonElement>(response.Context).GetProperty("error").GetString();
+
+            return new AuthorizeResult(false, [error ?? String.Empty]);
+        }
+        
+        return new AuthorizeResult(success);
+    }
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthorizeResult.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthorizeResult.cs
new file mode 100644
index 0000000..073a735
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthorizeResult.cs
@@ -0,0 +1,14 @@
+namespace WebApp.Authorization;
+
+public struct AuthorizeResult(bool success, IEnumerable<string> messages)
+{
+    public IEnumerable<string> Messages { get; } = messages;
+    private static readonly IEnumerable<string> EmptyMessages = [];
+    
+    public AuthorizeResult(bool success) : this(success,EmptyMessages)
+    {
+        
+    }
+
+    public bool Success { get; } = success;
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/DenyAllAuthorizeExpenseClaimActions.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/DenyAllAuthorizeExpenseClaimActions.cs
new file mode 100644
index 0000000..83fa72a
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/DenyAllAuthorizeExpenseClaimActions.cs
@@ -0,0 +1,35 @@
+    using WebApp.Domain;
+
+    namespace WebApp.Authorization;
+
+public sealed class DenyAllAuthorizeExpenseClaimActions : IAuthorizeExpenseClaimActions
+{
+    private static readonly AuthorizeResult Failure = new AuthorizeResult(false, ["All requests will be denied"]);
+    
+    public Task<AuthorizeResult> CanCreateClaim(string submitterUserId)
+    {
+        return Task.FromResult(Failure);
+    }
+
+    public Task<AuthorizeResult> CanSubmitClaim(string submitterUserId, decimal grossCost)
+    {
+        return Task.FromResult(Failure);
+    }
+
+    public Task<AuthorizeResult> CanApproveAndRejectClaims(string approverUserId)
+    {
+        return Task.FromResult(Failure);
+    }
+
+    public Task<AuthorizeResult> CanApproveClaims(string approverUserId, IEnumerable<IExpenseClaimSubmission> submission)
+    {
+        return Task.FromResult(Failure);
+    }
+
+    public Task<AuthorizeResult> CanRejectClaims(string approverUserId, IEnumerable<IExpenseClaimSubmission> submission)
+    {
+        return Task.FromResult(Failure);
+    }
+    
+}
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/IAuthorizeExpenseClaimActions.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/IAuthorizeExpenseClaimActions.cs
new file mode 100644
index 0000000..81fd6a1
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/IAuthorizeExpenseClaimActions.cs
@@ -0,0 +1,13 @@
+using WebApp.Domain;
+
+namespace WebApp.Authorization;
+
+public interface IAuthorizeExpenseClaimActions
+{
+    Task<AuthorizeResult> CanCreateClaim(string submitterUserId);
+    Task<AuthorizeResult> CanSubmitClaim(string submitterUserId, decimal grossCost);
+
+    Task<AuthorizeResult> CanApproveAndRejectClaims(string approverUserId);
+    Task<AuthorizeResult> CanApproveClaims(string approverUserId , IEnumerable<IExpenseClaimSubmission> submission);
+    Task<AuthorizeResult> CanRejectClaims(string approverUserId , IEnumerable<IExpenseClaimSubmission> submission);
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimService.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimService.cs
new file mode 100644
index 0000000..5b091e2
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimService.cs
@@ -0,0 +1,22 @@
+namespace WebApp.Domain;
+
+public interface IExpenseClaimService
+{
+    Task<IExpenseClaimSubmission> Create(
+        string submitterUserId,
+        string description,
+        DateOnly claimDate,
+        decimal grossCost,
+        decimal tax,
+        string costCentre);
+
+    Task<IExpenseClaimSubmission?> GetById(string submissionId);
+
+    Task<IReadOnlyList<IExpenseClaimSubmission>> GetBySubmitterUserId(string submitterUserId);
+
+    Task<IReadOnlyList<IExpenseClaimSubmission>> GetByApproverUserId(string approverUserId);
+
+    Task<IExpenseClaimSubmission> UpdateStatus(
+        string submissionId,
+        ExpenseClaimStatus status);
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimSubmission.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimSubmission.cs
new file mode 100644
index 0000000..18e8d2b
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IExpenseClaimSubmission.cs
@@ -0,0 +1,21 @@
+namespace WebApp.Domain;
+
+public enum ExpenseClaimStatus
+{
+    Submitted,
+    Rejected,
+    Approved
+}
+
+public interface IExpenseClaimSubmission
+{
+    string SubmissionId { get; }
+    string SubmitterUserId { get; }
+    string ApproverUserId { get; }
+    string Description { get; }
+    DateOnly ClaimDate { get; }
+    decimal GrossCost { get; }
+    decimal Tax { get; }
+    string CostCentre { get; }
+    ExpenseClaimStatus Status { get; }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IGenerateAccessDeniedContent.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IGenerateAccessDeniedContent.cs
new file mode 100644
index 0000000..0a3b097
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IGenerateAccessDeniedContent.cs
@@ -0,0 +1,33 @@
+using System.Collections.Concurrent;
+using Microsoft.AspNetCore.Mvc;
+
+namespace WebApp.Domain;
+
+public interface IGenerateAccessDeniedContent
+{
+    ActionResult Redirect(IEnumerable<string> messages);
+    IEnumerable<string> Messages(string reasonCode);
+}
+
+
+
+public class InMemoryGeneratedAccessDeniedContent : IGenerateAccessDeniedContent
+{
+    private ConcurrentDictionary<string, IEnumerable<string>> messagesMap = new();
+    
+    public ActionResult Redirect(IEnumerable<string> messages)
+    {
+        string reasonCode = Guid.NewGuid().ToString();
+        messagesMap.TryAdd(reasonCode, messages);
+        return new RedirectToPageResult("/AccessDenied",  null , new
+        {
+            reason = reasonCode
+        }, null);
+    }
+
+    public IEnumerable<string> Messages(string reasonCode)
+    {
+        messagesMap.TryRemove(reasonCode, out IEnumerable<string>? messages);
+        return messages ?? [];
+    }
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IManagerLookupService.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IManagerLookupService.cs
new file mode 100644
index 0000000..2d95644
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/IManagerLookupService.cs
@@ -0,0 +1,6 @@
+namespace WebApp.Domain;
+
+public interface IManagerLookupService
+{
+    Task<string> GetManagerUserId(string submitterUserId);
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryExpenseClaimService.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryExpenseClaimService.cs
new file mode 100644
index 0000000..ccc6f27
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryExpenseClaimService.cs
@@ -0,0 +1,147 @@
+using System.Collections.Concurrent;
+
+namespace WebApp.Domain;
+
+public sealed class InMemoryExpenseClaimService(IManagerLookupService managerLookupService) : IExpenseClaimService
+{
+    private readonly IManagerLookupService managerLookupService = managerLookupService;
+    private static readonly ConcurrentDictionary<string, ExpenseClaimSubmission> claims = new();
+
+    public async Task<IExpenseClaimSubmission> Create(
+        string submitterUserId,
+        string description,
+        DateOnly claimDate,
+        decimal grossCost,
+        decimal tax,
+        string costCentre)
+    {
+        ValidateCreateInput(submitterUserId, description, grossCost, tax, costCentre);
+
+        var approverUserId = await managerLookupService.GetManagerUserId(submitterUserId);
+        if (string.IsNullOrWhiteSpace(approverUserId))
+        {
+            throw new InvalidOperationException($"No approver found for submitter '{submitterUserId}'.");
+        }
+
+        var claim = new ExpenseClaimSubmission(
+            SubmissionId: Guid.NewGuid().ToString("N"),
+            SubmitterUserId: submitterUserId.Trim(),
+            ApproverUserId: approverUserId.Trim(),
+            Description: description.Trim(),
+            ClaimDate: claimDate,
+            GrossCost: grossCost,
+            Tax: tax,
+            CostCentre: costCentre.Trim(),
+            Status: ExpenseClaimStatus.Submitted);
+
+        claims[claim.SubmissionId] = claim;
+        return claim;
+    }
+
+    public Task<IExpenseClaimSubmission?> GetById(string submissionId)
+    {
+        if (string.IsNullOrWhiteSpace(submissionId))
+        {
+            return Task.FromResult<IExpenseClaimSubmission?>(null);
+        }
+
+        claims.TryGetValue(submissionId, out var claim);
+        return Task.FromResult<IExpenseClaimSubmission?>(claim);
+    }
+
+    public Task<IReadOnlyList<IExpenseClaimSubmission>> GetBySubmitterUserId(string submitterUserId)
+    {
+        if (string.IsNullOrWhiteSpace(submitterUserId))
+        {
+            return Task.FromResult<IReadOnlyList<IExpenseClaimSubmission>>([]);
+        }
+
+        var normalized = submitterUserId.Trim();
+        var results = claims.Values
+            .Where(c => string.Equals(c.SubmitterUserId, normalized, StringComparison.OrdinalIgnoreCase))
+            .OrderByDescending(c => c.ClaimDate)
+            .Cast<IExpenseClaimSubmission>()
+            .ToList();
+
+        return Task.FromResult<IReadOnlyList<IExpenseClaimSubmission>>(results);
+    }
+
+    public Task<IReadOnlyList<IExpenseClaimSubmission>> GetByApproverUserId(string approverUserId)
+    {
+        if (string.IsNullOrWhiteSpace(approverUserId))
+        {
+            return Task.FromResult<IReadOnlyList<IExpenseClaimSubmission>>([]);
+        }
+
+        var normalized = approverUserId.Trim();
+        var results = claims.Values
+            .Where(c => string.Equals(c.ApproverUserId, normalized, StringComparison.OrdinalIgnoreCase))
+            .OrderByDescending(c => c.ClaimDate)
+            .Cast<IExpenseClaimSubmission>()
+            .ToList();
+
+        return Task.FromResult<IReadOnlyList<IExpenseClaimSubmission>>(results);
+    }
+
+    public Task<IExpenseClaimSubmission> UpdateStatus(string submissionId, ExpenseClaimStatus status)
+    {
+        if (string.IsNullOrWhiteSpace(submissionId))
+        {
+            throw new ArgumentException("Submission id is required.", nameof(submissionId));
+        }
+
+        if (!claims.TryGetValue(submissionId, out var existing))
+        {
+            throw new KeyNotFoundException($"No expense claim found with id '{submissionId}'.");
+        }
+
+        var updated = existing with { Status = status };
+        claims[submissionId] = updated;
+
+        return Task.FromResult<IExpenseClaimSubmission>(updated);
+    }
+
+    private static void ValidateCreateInput(
+        string submitterUserId,
+        string description,
+        decimal grossCost,
+        decimal tax,
+        string costCentre)
+    {
+        if (string.IsNullOrWhiteSpace(submitterUserId))
+        {
+            throw new ArgumentException("Submitter user id is required.", nameof(submitterUserId));
+        }
+
+        if (string.IsNullOrWhiteSpace(description))
+        {
+            throw new ArgumentException("Description is required.", nameof(description));
+        }
+
+        if (grossCost <= 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(grossCost), "Gross cost must be greater than zero.");
+        }
+
+        if (tax < 0)
+        {
+            throw new ArgumentOutOfRangeException(nameof(tax), "Tax cannot be negative.");
+        }
+
+        if (string.IsNullOrWhiteSpace(costCentre))
+        {
+            throw new ArgumentException("Cost centre is required.", nameof(costCentre));
+        }
+    }
+
+    private sealed record ExpenseClaimSubmission(
+        string SubmissionId,
+        string SubmitterUserId,
+        string ApproverUserId,
+        string Description,
+        DateOnly ClaimDate,
+        decimal GrossCost,
+        decimal Tax,
+        string CostCentre,
+        ExpenseClaimStatus Status) : IExpenseClaimSubmission;
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryManagerLookupService.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryManagerLookupService.cs
new file mode 100644
index 0000000..00a65bc
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Domain/InMemoryManagerLookupService.cs
@@ -0,0 +1,40 @@
+using Microsoft.AspNetCore.Identity;
+
+namespace WebApp.Domain;
+
+public sealed class InMemoryManagerLookupService(UserManager<IdentityUser> userManager) : IManagerLookupService
+{
+    private static readonly IReadOnlyDictionary<string, string> ManagerUserNameMap =
+        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            ["alice"] = "bob",
+            ["bob"] = "alice"
+        };
+
+    public async Task<string> GetManagerUserId(string submitterUserId)
+    {
+        if (string.IsNullOrWhiteSpace(submitterUserId))
+        {
+            throw new ArgumentException("Submitter user id is required.", nameof(submitterUserId));
+        }
+
+        var submitter = await userManager.FindByIdAsync(submitterUserId.Trim());
+        if (submitter is null || string.IsNullOrWhiteSpace(submitter.UserName))
+        {
+            throw new InvalidOperationException($"Submitter user '{submitterUserId}' was not found.");
+        }
+
+        if (!ManagerUserNameMap.TryGetValue(submitter.UserName, out var managerUserName))
+        {
+            throw new InvalidOperationException($"No manager mapping exists for '{submitter.UserName}'.");
+        }
+
+        var manager = await userManager.FindByNameAsync(managerUserName);
+        if (manager is null)
+        {
+            throw new InvalidOperationException($"Mapped manager '{managerUserName}' was not found.");
+        }
+
+        return manager.Id;
+    }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml
new file mode 100644
index 0000000..60c8bdd
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml
@@ -0,0 +1,24 @@
+@page "/AccessDenied"
+@model WebApp.Pages.AccessDeniedModel
+@{
+    ViewData["Title"] = "Access Denied";
+}
+
+<div class="row justify-content-center">
+    <div class="col-12 col-md-8 col-lg-6">
+        <div class="card shadow-sm border-0">
+            <div class="card-body p-4">
+                <h1 class="h3 mb-3 text-danger">Access Denied</h1>
+                @foreach (string message in @Model.Messages)
+                {
+                    <p class="mb-4">@message</p>
+                }
+                <div class="d-flex flex-wrap gap-2">
+                    <a class="btn btn-primary" href="/">Back to Home</a>
+                    <a class="btn btn-outline-secondary" href="/Account/Login">Sign in as another user</a>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml.cs
new file mode 100644
index 0000000..00fa250
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/AccessDenied.cshtml.cs
@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using WebApp.Domain;
+
+namespace WebApp.Pages;
+
+public class AccessDeniedModel(IGenerateAccessDeniedContent accessDeniedContent) : PageModel
+{
+    [BindProperty(SupportsGet = true)]
+    public string? Reason { get; set; }
+
+    public IEnumerable<string> Messages => accessDeniedContent.Messages(Reason ?? "");
+
+    public void OnGet()
+    {
+    }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml
new file mode 100644
index 0000000..9a7a3bb
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml
@@ -0,0 +1,47 @@
+@page
+@model WebApp.Pages.Account.LoginModel
+@{
+    ViewData["Title"] = "Sign in";
+}
+
+<div class="row justify-content-center">
+    <div class="col-12 col-sm-10 col-md-8 col-lg-5">
+        <div class="card shadow-sm border-0">
+            <div class="card-body p-4">
+                <h1 class="h3 mb-4 text-center">Sign in</h1>
+
+                @if (!string.IsNullOrWhiteSpace(Model.ErrorMessage))
+                {
+                    <div class="alert alert-danger" role="alert">@Model.ErrorMessage</div>
+                }
+
+                <form method="post" class="needs-validation" novalidate>
+                    <div class="mb-3">
+                        <label asp-for="Input.UserName" class="form-label">Username</label>
+                        <input asp-for="Input.UserName" class="form-control" autocomplete="username" />
+                        <span asp-validation-for="Input.UserName" class="text-danger small"></span>
+                    </div>
+
+                    <div class="mb-3">
+                        <label asp-for="Input.Password" class="form-label">Password</label>
+                        <input asp-for="Input.Password" class="form-control" autocomplete="current-password" />
+                        <span asp-validation-for="Input.Password" class="text-danger small"></span>
+                    </div>
+
+                    <div class="form-check mb-4">
+                        <input asp-for="Input.RememberMe" class="form-check-input" />
+                        <label asp-for="Input.RememberMe" class="form-check-label">Remember me</label>
+                    </div>
+
+                    <div class="d-grid">
+                        <button type="submit" class="btn btn-primary btn-lg">Sign in</button>
+                    </div>
+                </form>
+
+                <p class="text-body-secondary mt-4 mb-0 small text-center">
+                    Try <code>alice</code> or <code>bob</code> with password <code>Passw0rd!</code>
+                </p>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml.cs
new file mode 100644
index 0000000..64815fa
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Login.cshtml.cs
@@ -0,0 +1,59 @@
+using System.ComponentModel.DataAnnotations;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace WebApp.Pages.Account;
+
+public class LoginModel(SignInManager<IdentityUser> signInManager) : PageModel
+{
+    private readonly SignInManager<IdentityUser> _signInManager = signInManager;
+
+    [BindProperty]
+    public InputModel Input { get; set; } = new();
+
+    public string? ReturnUrl { get; set; }
+    public string? ErrorMessage { get; set; }
+
+    public void OnGet(string? returnUrl = null)
+    {
+        ReturnUrl = string.IsNullOrWhiteSpace(returnUrl) ? "/Home" : returnUrl;
+    }
+
+    public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
+    {
+        ReturnUrl = string.IsNullOrWhiteSpace(returnUrl) ? "/Home" : returnUrl;
+
+        if (!ModelState.IsValid)
+        {
+            return Page();
+        }
+        
+        var result = await _signInManager.PasswordSignInAsync(
+            Input.UserName,
+            Input.Password,
+            Input.RememberMe,
+            lockoutOnFailure: false);
+
+        if (result.Succeeded)
+        {
+            return LocalRedirect(ReturnUrl);
+        }
+
+        ErrorMessage = "Invalid username or password.";
+        return Page();
+    }
+
+    public sealed class InputModel
+    {
+        [Required]
+        public string UserName { get; set; } = string.Empty;
+
+        [Required]
+        [DataType(DataType.Password)]
+        public string Password { get; set; } = string.Empty;
+
+        public bool RememberMe { get; set; }
+    }
+}
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml
new file mode 100644
index 0000000..1bf23c0
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml
@@ -0,0 +1,19 @@
+@page
+@model WebApp.Pages.Account.Logout
+
+@{
+    Layout = null;
+}
+
+<!DOCTYPE html>
+
+<html>
+<head>
+    <title></title>
+</head>
+<body>
+<div>
+    
+</div>
+</body>
+</html>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml.cs
new file mode 100644
index 0000000..e2293c2
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Account/Logout.cshtml.cs
@@ -0,0 +1,16 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace WebApp.Pages.Account;
+
+public class Logout(SignInManager<IdentityUser> signInManager) : PageModel
+{
+private readonly SignInManager<IdentityUser> _signInManager = signInManager;
+
+public async Task<IActionResult> OnPostAsync()
+{
+    await _signInManager.SignOutAsync();
+    return RedirectToPage("/Home");
+}
+}
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml
new file mode 100644
index 0000000..19fea27
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml
@@ -0,0 +1,72 @@
+@page
+@model WebApp.Pages.Expenses.ApproveModel
+@{
+    ViewData["Title"] = "Approve Claims";
+}
+
+<div class="row justify-content-center">
+    <div class="col-12 col-xl-10">
+        <div class="card shadow-sm border-0">
+            <div class="card-body p-4">
+                <h1 class="h3 mb-3">Claims Assigned To You</h1>
+
+                @if (!string.IsNullOrWhiteSpace(Model.StatusMessage))
+                {
+                    <div class="alert alert-info" role="alert">@Model.StatusMessage</div>
+                }
+
+                @if (Model.Claims.Count == 0)
+                {
+                    <p class="text-body-secondary mb-0">No submitted claims are currently assigned to you.</p>
+                }
+                else
+                {
+                    <form method="post">
+                        <div class="table-responsive">
+                            <table class="table table-sm align-middle">
+                                <thead>
+                                    <tr>
+                                        <th scope="col"></th>
+                                        <th scope="col">Date</th>
+                                        <th scope="col">Submitter</th>
+                                        <th scope="col">Description</th>
+                                        <th scope="col" class="text-end">Gross</th>
+                                        <th scope="col" class="text-end">Tax</th>
+                                        <th scope="col">Cost Centre</th>
+                                        <th scope="col">Status</th>
+                                    </tr>
+                                </thead>
+                                <tbody>
+                                @foreach (var claim in Model.Claims)
+                                {
+                                    <tr>
+                                        <td>
+                                            <input class="form-check-input" type="checkbox" name="SelectedClaimIds" value="@claim.SubmissionId" />
+                                        </td>
+                                        <td>@claim.ClaimDate.ToString("yyyy-MM-dd")</td>
+                                        <td>@claim.SubmitterUserId</td>
+                                        <td>@claim.Description</td>
+                                        <td class="text-end">@claim.GrossCost.ToString("C")</td>
+                                        <td class="text-end">@claim.Tax.ToString("C")</td>
+                                        <td>@claim.CostCentre</td>
+                                        <td>
+                                            <span class="badge text-bg-warning">@claim.Status</span>
+                                        </td>
+                                    </tr>
+                                }
+                                </tbody>
+                            </table>
+                        </div>
+
+                        <div class="d-flex flex-wrap gap-2 mt-3">
+                            <button type="submit" name="Action" value="approve" class="btn btn-success">Approve Selected</button>
+                            <button type="submit" name="Action" value="reject" class="btn btn-outline-danger">Reject Selected</button>
+                            <a class="btn btn-outline-secondary" href="/">Back</a>
+                        </div>
+                    </form>
+                }
+            </div>
+        </div>
+    </div>
+</div>
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml.cs
new file mode 100644
index 0000000..02dff86
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Approve.cshtml.cs
@@ -0,0 +1,122 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using WebApp.Authorization;
+using WebApp.Domain;
+
+namespace WebApp.Pages.Expenses;
+
+[Authorize]
+public class ApproveModel(IExpenseClaimService expenseClaimService, IGenerateAccessDeniedContent accessDenied, IAuthorizeExpenseClaimActions pep) : PageModel
+{
+    [BindProperty]
+    public List<string> SelectedClaimIds { get; set; } = [];
+
+    [BindProperty]
+    public string Action { get; set; } = string.Empty;
+
+    public IReadOnlyList<PendingApprovalViewModel> Claims { get; private set; } = [];
+
+    public string? StatusMessage { get; private set; }
+
+    public async Task<IActionResult> OnGet()
+    {
+        var approverUserId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(approverUserId))
+        {
+            return Challenge();
+        }
+
+        AuthorizeResult canApproveAndRejectClaims = await pep.CanApproveAndRejectClaims(approverUserId); 
+        if (!canApproveAndRejectClaims.Success)
+        {
+            return accessDenied.Redirect(canApproveAndRejectClaims.Messages);
+        }
+        
+        await LoadExpenseClaims(approverUserId);
+        return Page();
+    }
+
+    public async Task<IActionResult> OnPost()
+    {
+        var approverUserId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(approverUserId))
+        {
+            return Challenge();
+        }
+
+        var action = Action?.Trim().ToLowerInvariant();
+        if (action is not ("approve" or "reject"))
+        {
+            StatusMessage = "Choose an action.";
+            await LoadExpenseClaims(approverUserId);
+            return Page();
+        }
+
+        var assignedClaims = await expenseClaimService.GetByApproverUserId(approverUserId);
+        Dictionary<string,IExpenseClaimSubmission> allowedIds = assignedClaims
+            .Where(c => c.Status == ExpenseClaimStatus.Submitted)
+            .ToDictionary(e => e.SubmissionId,e=>e);
+
+        List<string> selectedIds = SelectedClaimIds
+            .Where(id => !string.IsNullOrWhiteSpace(id) && allowedIds.ContainsKey(id))
+            .Distinct(StringComparer.OrdinalIgnoreCase)
+            .ToList();
+
+        List<IExpenseClaimSubmission> expensesToActUpon = assignedClaims.Where(c => selectedIds.Contains(c.SubmissionId)).ToList();
+
+        Func<string, IEnumerable<IExpenseClaimSubmission>, Task<AuthorizeResult>> authorizationCall =
+            action == "approve" ? pep.CanApproveClaims : pep.CanRejectClaims;
+        
+        AuthorizeResult claimActionAuthorizationResult = await authorizationCall(approverUserId, expensesToActUpon );
+
+        if (!claimActionAuthorizationResult.Success)
+        {
+            return accessDenied.Redirect(claimActionAuthorizationResult.Messages);
+        }
+        
+        foreach (var submissionId in selectedIds)
+        {
+            var nextStatus = action == "approve" ? ExpenseClaimStatus.Approved : ExpenseClaimStatus.Rejected;
+            await expenseClaimService.UpdateStatus(submissionId, nextStatus);
+        }
+
+        StatusMessage = selectedIds.Count == 0
+            ? "No claims were selected."
+            : $"{(action == "approve" ? "Approved" : "Rejected")} {selectedIds.Count} claim(s).";
+
+        SelectedClaimIds.Clear();
+        await LoadExpenseClaims(approverUserId);
+        return Page();
+    }
+
+    private async Task LoadExpenseClaims(string approverUserId)
+    {
+        var claims = await expenseClaimService.GetByApproverUserId(approverUserId);
+
+        Claims = claims
+            .Where(c => c.Status == ExpenseClaimStatus.Submitted)
+            .OrderBy(c => c.ClaimDate)
+            .Select(c => new PendingApprovalViewModel(
+                c.SubmissionId,
+                c.SubmitterUserId,
+                c.Description,
+                c.ClaimDate,
+                c.GrossCost,
+                c.Tax,
+                c.CostCentre,
+                c.Status))
+            .ToList();
+    }
+
+    public sealed record PendingApprovalViewModel(
+        string SubmissionId,
+        string SubmitterUserId,
+        string Description,
+        DateOnly ClaimDate,
+        decimal GrossCost,
+        decimal Tax,
+        string CostCentre,
+        ExpenseClaimStatus Status);
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml
new file mode 100644
index 0000000..70048b7
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml
@@ -0,0 +1,108 @@
+@page
+@model WebApp.Pages.Expenses.CreateModel
+@{
+    ViewData["Title"] = "Submit Expense Claim";
+}
+
+<div class="row justify-content-center">
+    <div class="col-12 col-md-8 col-lg-6">
+        <div class="card shadow-sm border-0">
+            <div class="card-body p-4">
+                <h1 class="h3 mb-3">Submit Expense Claim</h1>
+                <p class="text-body-secondary">Enter expense details and review your open claims below.</p>
+
+                @if (Model.Submitted)
+                {
+                    <div class="alert alert-success" role="alert">
+                        Expense claim submitted and saved in memory.
+                    </div>
+                }
+
+                <form method="post">
+                    <div class="mb-3">
+                        <label asp-for="Submission.Description" class="form-label"></label>
+                        <input asp-for="Submission.Description" class="form-control" />
+                        <span asp-validation-for="Submission.Description" class="text-danger small"></span>
+                    </div>
+
+                    <div class="mb-3">
+                        <label asp-for="Submission.ClaimDate" class="form-label"></label>
+                        <input asp-for="Submission.ClaimDate" class="form-control" type="date" />
+                        <span asp-validation-for="Submission.ClaimDate" class="text-danger small"></span>
+                    </div>
+
+                    <div class="row g-3">
+                        <div class="col-md-6">
+                            <label asp-for="Submission.GrossCost" class="form-label"></label>
+                            <input asp-for="Submission.GrossCost" class="form-control" />
+                            <span asp-validation-for="Submission.GrossCost" class="text-danger small"></span>
+                        </div>
+                        <div class="col-md-6">
+                            <label asp-for="Submission.Tax" class="form-label"></label>
+                            <input asp-for="Submission.Tax" class="form-control" />
+                            <span asp-validation-for="Submission.Tax" class="text-danger small"></span>
+                        </div>
+                    </div>
+
+                    <div class="mt-3 mb-4">
+                        <label asp-for="Submission.CostCentre" class="form-label"></label>
+                        <select asp-for="Submission.CostCentre" class="form-select" asp-items="Model.CostCentres">
+                            <option value="">Select a cost centre</option>
+                        </select>
+                        <span asp-validation-for="Submission.CostCentre" class="text-danger small"></span>
+                    </div>
+
+                    <div class="d-grid d-sm-flex gap-2">
+                        <button type="submit" class="btn btn-primary">Submit Claim</button>
+                        <a class="btn btn-outline-secondary" href="/">Cancel</a>
+                    </div>
+                </form>
+            </div>
+        </div>
+
+        <div class="card shadow-sm border-0 mt-4">
+            <div class="card-body p-4">
+                <h2 class="h5 mb-3">Your Open Claims</h2>
+
+                @if (Model.ExistingClaims.Count == 0)
+                {
+                    <p class="text-body-secondary mb-0">You have no submitted or rejected claims.</p>
+                }
+                else
+                {
+                    <div class="table-responsive">
+                        <table class="table table-sm align-middle mb-0">
+                            <thead>
+                                <tr>
+                                    <th scope="col">Date</th>
+                                    <th scope="col">Description</th>
+                                    <th scope="col" class="text-end">Gross</th>
+                                    <th scope="col" class="text-end">Tax</th>
+                                    <th scope="col">Cost Centre</th>
+                                    <th scope="col">Status</th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                            @foreach (var claim in Model.ExistingClaims)
+                            {
+                                <tr>
+                                    <td>@claim.ClaimDate.ToString("yyyy-MM-dd")</td>
+                                    <td>@claim.Description</td>
+                                    <td class="text-end">@claim.GrossCost.ToString("C")</td>
+                                    <td class="text-end">@claim.Tax.ToString("C")</td>
+                                    <td>@claim.CostCentre</td>
+                                    <td>
+                                        <span class="badge @(claim.Status == WebApp.Domain.ExpenseClaimStatus.Rejected ? "text-bg-danger" : "text-bg-warning")">
+                                            @claim.Status
+                                        </span>
+                                    </td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    </div>
+                }
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml.cs
new file mode 100644
index 0000000..4c53d6c
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Expenses/Create.cshtml.cs
@@ -0,0 +1,148 @@
+using System.ComponentModel.DataAnnotations;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.Rendering;
+using WebApp.Authorization;
+using WebApp.Domain;
+
+namespace WebApp.Pages.Expenses;
+
+[Authorize]
+public class CreateModel(
+    IExpenseClaimService expenseClaimService,
+    IAuthorizeExpenseClaimActions authorizeExpenseClaimActions,
+    IGenerateAccessDeniedContent accessDeniedService) : PageModel
+{
+    [BindProperty]
+    public ExpenseClaimSubmissionModel Submission { get; set; } = new();
+
+    public bool Submitted { get; private set; }
+
+    public IReadOnlyList<OpenExpenseClaimViewModel> ExistingClaims { get; private set; } = [];
+
+    public IEnumerable<SelectListItem> CostCentres =>
+    [
+        new("G&A", "G&A"),
+        new("R&D", "R&D"),
+        new("Sales", "Sales"),
+        new("PS", "PS"),
+        new("Maintenance", "Maintenance")
+    ];
+
+    public async Task<IActionResult> OnGet()
+    {
+        Submission.ClaimDate = DateOnly.FromDateTime(DateTime.Today);
+
+        var submitterUserId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(submitterUserId))
+        {
+            return Challenge();
+        }
+
+
+        AuthorizeResult canCreateAuthorizationResult = await authorizeExpenseClaimActions.CanCreateClaim(submitterUserId);
+        if (!canCreateAuthorizationResult.Success)
+        {
+            return accessDeniedService.Redirect(canCreateAuthorizationResult.Messages);
+        }
+
+        await LoadExistingClaims(submitterUserId);
+        return Page();
+    }
+
+    public async Task<IActionResult> OnPost()
+    {
+        var submitterUserId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(submitterUserId))
+        {
+            return Challenge();
+        }
+
+        if (!ModelState.IsValid)
+        {
+            await LoadExistingClaims(submitterUserId);
+            return Page();
+        }
+
+        var canSubmit = await authorizeExpenseClaimActions.CanSubmitClaim(
+            submitterUserId,
+            Submission.GrossCost!.Value);
+        if (!canSubmit.Success)
+        {
+            return accessDeniedService.Redirect(canSubmit.Messages);
+        }
+
+        await expenseClaimService.Create(
+            submitterUserId,
+            Submission.Description,
+            Submission.ClaimDate!.Value,
+            Submission.GrossCost!.Value,
+            Submission.Tax!.Value,
+            Submission.CostCentre);
+
+        Submitted = true;
+        ModelState.Clear();
+        Submission = new ExpenseClaimSubmissionModel
+        {
+            ClaimDate = DateOnly.FromDateTime(DateTime.Today)
+        };
+
+        await LoadExistingClaims(submitterUserId);
+        return Page();
+    }
+
+    private async Task LoadExistingClaims(string submitterUserId)
+    {
+        var claims = await expenseClaimService.GetBySubmitterUserId(submitterUserId);
+        ExistingClaims = claims
+            .Where(c => c.Status != ExpenseClaimStatus.Approved)
+            .OrderByDescending(c => c.ClaimDate)
+            .Select(c => new OpenExpenseClaimViewModel(
+                c.SubmissionId,
+                c.Description,
+                c.ClaimDate,
+                c.GrossCost,
+                c.Tax,
+                c.CostCentre,
+                c.Status))
+            .ToList();
+    }
+
+    public sealed class ExpenseClaimSubmissionModel
+    {
+        [Required]
+        [StringLength(200)]
+        [Display(Name = "Description")]
+        public string Description { get; set; } = string.Empty;
+
+        [Required]
+        [DataType(DataType.Date)]
+        [Display(Name = "Claim Date")]
+        public DateOnly? ClaimDate { get; set; }
+
+        [Required]
+        [Range(typeof(decimal), "0.01", "79228162514264337593543950335")]
+        [Display(Name = "Gross Cost")]
+        public decimal? GrossCost { get; set; }
+
+        [Required]
+        [Range(typeof(decimal), "0.00", "79228162514264337593543950335")]
+        [Display(Name = "Tax")]
+        public decimal? Tax { get; set; }
+
+        [Required]
+        [Display(Name = "Cost Centre")]
+        public string CostCentre { get; set; } = string.Empty;
+    }
+
+    public sealed record OpenExpenseClaimViewModel(
+        string SubmissionId,
+        string Description,
+        DateOnly ClaimDate,
+        decimal GrossCost,
+        decimal Tax,
+        string CostCentre,
+        ExpenseClaimStatus Status);
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml
new file mode 100644
index 0000000..74245ce
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml
@@ -0,0 +1,45 @@
+@page "/Home"
+@model WebApp.Pages.HomeModel
+@{
+    ViewData["Title"] = "Home";
+}
+
+<div class="row justify-content-center">
+    <div class="col-12 col-lg-10">
+        <div class="card shadow-sm border-0">
+            <div class="card-body p-4 p-lg-5">
+                <h1 class="h2 mb-3">Expense Claims App</h1>
+                <p class="text-body-secondary mb-4">
+                    This application helps employees submit expense claims and enables assigned managers
+                    to review and approve or reject claims.
+                </p>
+
+                <h2 class="h5">What You Can Do</h2>
+                <ul class="mb-4">
+                    <li><strong>Create claims:</strong> Submit expense details including description, date, cost values, and cost centre.</li>
+                    <li><strong>Track open claims:</strong> View your submitted and rejected claims that are still open.</li>
+                    <li><strong>Approve assigned claims:</strong> If you are an approver, review claims assigned to you and process many at once.</li>
+                </ul>
+
+                <h2 class="h5">How Approval Works</h2>
+                <p class="mb-4">
+                    When a claim is submitted, the service assigns it to an approver using manager lookup.
+                    Approvers see only claims assigned to them on the Approve page.
+                </p>
+                
+                <h2 class="h5">Authorization Rules</h2>
+                <ul class="mb-4">
+                    <li>bob is an employee, he can submit expense claims</li>
+                    <li>expense claims have a limit of 1000</li>
+                    <li>alice is bob's manager she can approve or reject bobs expense claims</li>
+                </ul>
+
+                <div class="d-flex flex-wrap gap-2">
+                    <a class="btn btn-primary" href="/Expenses/Create">Create Expense Claim</a>
+                    <a class="btn btn-outline-primary" href="/Expenses/Approve">Approve Claims</a>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml.cs
new file mode 100644
index 0000000..6f54817
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Home.cshtml.cs
@@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace WebApp.Pages;
+
+public class HomeModel() : PageModel
+{
+  
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_Layout.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_Layout.cshtml
new file mode 100644
index 0000000..726175e
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_Layout.cshtml
@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>@ViewData["Title"] - WebApp</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css"
+        integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH"
+        crossorigin="anonymous" />
+</head>
+
+<body class="bg-body-tertiary">
+    <nav class="navbar navbar-expand-lg bg-white border-bottom shadow-sm">
+        <div class="container">
+            <a class="navbar-brand fw-semibold" href="/Home">WebApp</a>
+            <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#mainNav"
+                aria-controls="mainNav" aria-expanded="false" aria-label="Toggle navigation">
+                <span class="navbar-toggler-icon"></span>
+            </button>
+
+            <div class="collapse navbar-collapse" id="mainNav">
+                <ul class="navbar-nav me-auto mb-2 mb-lg-0">
+                    <li class="nav-item">
+                        <a class="nav-link" href="/">Home</a>
+                    </li>
+                    <li class="nav-item dropdown">
+                        <a class="nav-link dropdown-toggle" href="#" role="button" data-bs-toggle="dropdown"
+                            aria-expanded="false">
+                            Expenses
+                        </a>
+                        <ul class="dropdown-menu">
+                            <li><a class="dropdown-item" href="/Expenses/Create">Create</a></li>
+                            <li><a class="dropdown-item" href="/Expenses/Approve">Approve</a></li>
+                        </ul>
+                    </li>
+                </ul>
+
+                @if (User.Identity?.IsAuthenticated == true)
+                {
+                    <span class="navbar-text me-2 text-primary fw-semibold">@User.Identity.Name</span>
+                    <form method="post" action="/Account/Logout" class="d-flex">
+                        @Html.AntiForgeryToken()
+                        <button type="submit" class="btn btn-outline-danger btn-sm">Logout</button>
+                    </form>
+                }
+            </div>
+        </div>
+    </nav>
+
+    <main class="container py-5">
+        @RenderBody()
+    </main>
+
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"
+        integrity="sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz"
+        crossorigin="anonymous"></script>
+</body>
+
+</html>
+
+@using Microsoft.AspNetCore.Identity
+@inject SignInManager<IdentityUser> SignInManager
+@{
+    var isAuthenticated = User.Identity?.IsAuthenticated == true;
+    var userName = User.Identity?.Name;
+
+    if (isAuthenticated)
+    {
+        IdentityUser? knownUser = null;
+
+        if (!string.IsNullOrWhiteSpace(userName))
+        {
+            knownUser = await SignInManager.UserManager.FindByNameAsync(userName);
+        }
+
+        if (knownUser is null)
+        {
+            await SignInManager.SignOutAsync();
+            Context.Response.Redirect("/Account/Login");
+            return;
+        }
+    }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_ValidationScriptsPartial.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_ValidationScriptsPartial.cshtml
new file mode 100644
index 0000000..16118f8
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/Shared/_ValidationScriptsPartial.cshtml
@@ -0,0 +1,4 @@
+<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js" integrity="sha384-3gJwYp4gU8fP9v+6v2Yx8RJWb1x1o1t4bm/FvSX8eK3opgVetwYqKqRR3YKHy+XK" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/jquery-validation@1.19.5/dist/jquery.validate.min.js" integrity="sha384-/fIJT0sC3yRyvE4s46HoPazTA/gkGEXUXMaLLq5yRvCNrI6VOGGAaHo9dZYkTf5Z" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/jquery-validation-unobtrusive@4.0.0/dist/jquery.validate.unobtrusive.min.js" integrity="sha384-vU8wPdh9vywgq6Z9erjRzCQXDpUe1koRaSPo6e7i0rGUNShUMHbOWcZH/5LiCFYI" crossorigin="anonymous"></script>
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_Layout.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_Layout.cshtml
new file mode 100644
index 0000000..139597f
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_Layout.cshtml
@@ -0,0 +1,2 @@
+
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewImports.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewImports.cshtml
new file mode 100644
index 0000000..c6b4f01
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewImports.cshtml
@@ -0,0 +1,4 @@
+@using WebApp
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@namespace WebApp.Pages
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewStart.cshtml b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewStart.cshtml
new file mode 100644
index 0000000..c75368d
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Pages/_ViewStart.cshtml
@@ -0,0 +1,3 @@
+@{
+    Layout = "Shared/_Layout";
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Program.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Program.cs
new file mode 100644
index 0000000..1860e1d
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Program.cs
@@ -0,0 +1,102 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore;
+using Rsk.AuthZen.Client;
+using WebApp;
+using WebApp.Authorization;
+using WebApp.Domain;
+
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddDbContext<ApplicationDbContext>(options =>
+    options.UseInMemoryDatabase("AuthZenIdentity"));
+
+builder.Services
+    .AddIdentityApiEndpoints<IdentityUser>(options =>
+    {
+        options.Password.RequireDigit = false;
+        options.Password.RequireLowercase = false;
+        options.Password.RequireUppercase = false;
+        options.Password.RequireNonAlphanumeric = false;
+        options.Password.RequiredLength = 6;
+    })
+    .AddEntityFrameworkStores<ApplicationDbContext>();
+
+builder.Services.AddAuthentication(options =>
+{
+    options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
+    options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
+    options.DefaultSignInScheme = IdentityConstants.ApplicationScheme;
+});
+
+builder.Services.ConfigureApplicationCookie(options =>
+{
+    options.LoginPath = "/Account/Login";
+    options.AccessDeniedPath = "/AccessDenied";
+    options.ReturnUrlParameter = "returnUrl";
+});
+
+builder.Services.AddAuthorization();
+builder.Services.AddRazorPages();
+builder.Services.AddScoped<IManagerLookupService, InMemoryManagerLookupService>();
+builder.Services.AddScoped<IExpenseClaimService, InMemoryExpenseClaimService>();
+builder.Services.AddScoped<IAuthorizeExpenseClaimActions, AuthZenAuthorizeExpenseClaimActions>();
+builder.Services.AddSingleton<IGenerateAccessDeniedContent, InMemoryGeneratedAccessDeniedContent>();
+
+builder.Services.AddHttpClient();
+
+builder.Services.Configure<AuthZenClientOptions>(options =>
+{
+    options.AuthorizationUrl = "https://localhost:7064";
+});
+builder.Services.AddTransient<IAuthZenClient, AuthZenClient>();
+
+var app = builder.Build();
+
+app.UseAuthentication();
+app.UseAuthorization(); 
+
+app.MapGet("/", () => Results.Redirect("/Home"));
+
+app.MapRazorPages();
+app.MapIdentityApi<IdentityUser>();
+
+await SeedUsersAsync(app.Services);
+
+app.Run();
+
+static async Task SeedUsersAsync(IServiceProvider services)
+{
+    using var scope = services.CreateScope();
+    var userManager = scope.ServiceProvider.GetRequiredService<UserManager<IdentityUser>>();
+
+    await EnsureUserAsync(userManager, "alice", "alice@example.local", "Passw0rd!");
+    await EnsureUserAsync(userManager, "bob", "bob@example.local", "Passw0rd!");
+}
+
+static async Task EnsureUserAsync(UserManager<IdentityUser> userManager, string userName, string email, string password)
+{
+    var existing = await userManager.FindByNameAsync(userName);
+    if (existing is not null)
+    {
+        return;
+    }
+
+    var user = new IdentityUser
+    {
+        UserName = userName,
+        Email = email,
+        EmailConfirmed = true,
+        Id = userName
+    };
+
+    
+    var result = await userManager.CreateAsync(user, password);
+    
+    if (!result.Succeeded)
+    {
+        var errors = string.Join(", ", result.Errors.Select(e => e.Description));
+        throw new InvalidOperationException($"Failed to seed user '{userName}': {errors}");
+    }
+    
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Properties/launchSettings.json b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Properties/launchSettings.json
new file mode 100644
index 0000000..3744f5e
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5062",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:7255;http://localhost:5062",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md b/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md
new file mode 100644
index 0000000..486689f
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md
@@ -0,0 +1,23 @@
+# WebApp
+
+This app uses ASP.NET Core Identity with an in-memory EF Core store and includes a Razor Pages sign-in flow.
+
+## Seeded users
+
+- `alice` / `Passw0rd!`
+- `bob` / `Passw0rd!`
+
+## Run
+
+```zsh
+cd /Users/andyclymer/git/AuthZenExample/WebApp
+dotnet run
+```
+
+Then open the printed local URL and go to `/Account/Login`.
+
+## Notes
+
+- User data is in-memory only; restarting the app resets users and sessions.
+- `/secure` requires authentication.
+
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/WebApp.csproj b/Samples/CSharp/PolicyDrivenExpenses/WebApp/WebApp.csproj
new file mode 100644
index 0000000..a71b3af
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/WebApp.csproj
@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="10.0.0" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.0" />
+        <PackageReference Include="Rsk.AuthZen.Client" Version="1.0.0"/>
+    </ItemGroup>
+
+</Project>
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.Development.json b/Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.Development.json
new file mode 100644
index 0000000..0c208ae
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.json b/Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.json
new file mode 100644
index 0000000..10f68b8
--- /dev/null
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/appsettings.json
@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

From c479a55d0c45bd043684e97baf2d8dc3c51b1bd5 Mon Sep 17 00:00:00 2001
From: andrewclymer <andy@rocksolidknowledge.com>
Date: Fri, 10 Apr 2026 14:37:08 +0100
Subject: [PATCH 2/5] Added location of where to get an Enforcer license key

---
 .../CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs
index 2763256..3ba4562 100644
--- a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs
@@ -15,7 +15,7 @@ public static void Main(string[] args)
             .AddEnforcer("acmeCorp.global",options =>
             {
                 options.Licensee = "DEMO";
-                options.LicenseKey = "eyJhdXRoIjoiREVNTyIsImV4cCI6IjIwMjYtMDQtMzBUMDA6MDA6MDAiLCJpYXQiOiIyMDI2LTAzLTMwVDExOjUwOjA1LjQxMDU5NTFaIiwib3JnIjoiREVNTyIsImF1ZCI6N30=.mtYt37KGtQFJ5je0XJGckWrOx6lqCF5QwraMPJyGFgzYOq8sAFARoIjCKpJ0JpbpCRbCcaTFFhekfHU6NLvJka/ZzfsOYM4JHBSQpol2Z38PwkR4p8J6ONBi/SYOIvXrTk48Tf09Tvo2WHeoiZ9/MLu4IN7+w8sib0fUdkt/cY1PKHHzofBBHPsOT4/LOyxZoVIFLsINC5IOCkGf1vkmCADVFTszOY5nwUf3CNBs+C6UwfpHnvggnMnZpanW45WoWDDcQHgxwS13LgH6k+0XBUrPdcFhTR9mlSuboDspctvVeNASUBWcSLLdGY7GhK2RAWEAf9bbsTrSHErqIK+gx0XcDaq+n94q/qW3swJGGjUlcj+PaGPhmoEojYfwFWWZU6y4dz45XC941GpsYZEGYSVos5+oJMdreCOZqoPXhjEiqmRDgNT7llQ4bixr9voW3N1WKrfy6Ftr2ZYPv/tSOZb3wofGkpLSpPAw/XiyWUOkIiuVajR9CM8//pWQCOZodL1/xuXlioW8EVECXoGDhreDaGhc5BIEycJC/Fv0rgrnFxrPbStm8z+jmigGhN7G7quXaZr+VHhr+WEgjqbB3MSUhR1f/jwjKtiQMEoU7EDiC9BsNkV+KmGKr+o23HlvM2mwE5/rOa/ORgJ3LZmad2yBi6CYge8lwmSLWABMEmc=";
+                options.LicenseKey = "Get a free license from https://www.identityserver.com/products/enforcer";
             })
             .AddPolicyEnforcementPoint(o => o.Bias = PepBias.Deny)
             .AddAuthZen()

From 9942f3c7a006cd81b3da351cdcb37acfb47c7f32 Mon Sep 17 00:00:00 2001
From: andrewclymer <andy@rocksolidknowledge.com>
Date: Mon, 13 Apr 2026 12:53:54 +0100
Subject: [PATCH 3/5] Fixed comments on PR

---
 .../AuthZenPolicyServer/AuthZenPolicyServer.csproj   |  6 ------
 .../AuthZenPolicyServer/SubjectAttributeProvider.cs  | 12 ++++++++----
 .../AuthZenAuthorizeExpenseClaimActions.cs           |  9 +++++++--
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj
index 92cfa97..4ea04e3 100644
--- a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj
@@ -15,10 +15,4 @@
       <None Remove="Policies\expenses.alfa" />
       <EmbeddedResource Include="Policies\expenses.alfa" />
     </ItemGroup>
-
-    <ItemGroup>
-      <Reference Include="Microsoft.AspNetCore">
-        <HintPath>..\..\..\..\..\usr\local\share\dotnet\shared\Microsoft.AspNetCore.App\10.0.3\Microsoft.AspNetCore.dll</HintPath>
-      </Reference>
-    </ItemGroup>
 </Project>
diff --git a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs
index 4404532..90f8ef5 100644
--- a/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs
+++ b/Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs
@@ -17,8 +17,9 @@ public class SubjectAttributeProvider : RecordAttributeValueProvider<AcmeCorpPer
         ["bob"] = new AcmeCorpPerson() { Roles = ["employee"]},
         ["alice"] = new AcmeCorpPerson() { Roles = ["employee","manager"]},
     };
-    
-    protected override async Task<AcmeCorpPerson> GetRecordValue(IAttributeResolver attributeResolver, CancellationToken ct)
+
+    protected override async Task<AcmeCorpPerson> GetRecordValue(IAttributeResolver attributeResolver,
+        CancellationToken ct)
     {
         IReadOnlyCollection<string>? identifiers = await attributeResolver
             .Resolve<string>(Rsk.Enforcer.Oasis.Attributes.Subject.Identifier, ct);
@@ -26,8 +27,11 @@ protected override async Task<AcmeCorpPerson> GetRecordValue(IAttributeResolver
         string? identifier = identifiers.SingleOrDefault();
         if (identifier == null) return null!;
 
-        AcmeCorpPerson person = new AcmeCorpPerson();
+        if (people.TryGetValue(identifier, out AcmeCorpPerson? person))
+        {
+            return person;
+        }
 
-        return people[identifier];
+        return null!;
     }
 }
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs
index 5182c1e..86a1d1b 100644
--- a/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/Authorization/AuthZenAuthorizeExpenseClaimActions.cs
@@ -97,8 +97,13 @@ private async Task<AuthorizeResult> Authorize(AuthZenEvaluationRequest request)
 
         if (success == false)
         {
-            string? error = 
-                JsonSerializer.Deserialize<JsonElement>(response.Context).GetProperty("error").GetString();
+            string? error = null;
+
+            if (JsonSerializer.Deserialize<JsonElement>(response.Context)
+                .TryGetProperty("error", out JsonElement errorProperty))
+            {
+                error = errorProperty.GetString();
+            }
 
             return new AuthorizeResult(false, [error ?? String.Empty]);
         }

From 5ae785d8fefeb2e500fe7ff8687e03c9b5685504 Mon Sep 17 00:00:00 2001
From: andrewclymer <andy@rocksolidknowledge.com>
Date: Tue, 14 Apr 2026 11:25:56 +0100
Subject: [PATCH 4/5] Updated readme

---
 Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md b/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md
index 486689f..47d66bc 100644
--- a/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md
+++ b/Samples/CSharp/PolicyDrivenExpenses/WebApp/README.md
@@ -10,14 +10,11 @@ This app uses ASP.NET Core Identity with an in-memory EF Core store and includes
 ## Run
 
 ```zsh
-cd /Users/andyclymer/git/AuthZenExample/WebApp
 dotnet run
 ```
 
-Then open the printed local URL and go to `/Account/Login`.
+Then and open  https://localhost:7255
 
 ## Notes
-
 - User data is in-memory only; restarting the app resets users and sessions.
-- `/secure` requires authentication.
 

From 5046269235d3ef38c385031993c7380277cee2f3 Mon Sep 17 00:00:00 2001
From: andrewclymer <andy@rocksolidknowledge.com>
Date: Tue, 14 Apr 2026 17:59:09 +0100
Subject: [PATCH 5/5] Removing unneccessary files

---
 .gitignore                                       |  6 ++----
 .../.idea.PolicyDrivenExpenses/.idea/.gitignore  | 15 ---------------
 .../.idea/copilot.data.migration.agent.xml       |  6 ------
 .../.idea/copilot.data.migration.ask.xml         |  6 ------
 .../.idea/copilot.data.migration.ask2agent.xml   |  6 ------
 .../.idea/copilot.data.migration.edit.xml        |  6 ------
 .../.idea/encodings.xml                          |  4 ----
 .../.idea/indexLayout.xml                        |  8 --------
 .../.idea.PolicyDrivenExpenses/.idea/vcs.xml     |  7 -------
 .../PolicyDrivenExpenses.sln.DotSettings.user    | 16 ----------------
 10 files changed, 2 insertions(+), 78 deletions(-)
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml
 delete mode 100644 Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user

diff --git a/.gitignore b/.gitignore
index ca8de4d..41e5106 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,9 +5,7 @@ riderModule.iml
 /_ReSharper.Caches/
 **/.DS_Store
 
-src/CSharp/.idea/.idea.Rsk.AuthZen/.idea/
-
+.idea
+*.DotSettings.user
 src/Typescript/dist/
 src/Typescript/node_modules
-
-src/CSharp/.idea/
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore
deleted file mode 100644
index a3db6dc..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/.gitignore
+++ /dev/null
@@ -1,15 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Rider ignored files
-/.idea.AuthZenExample.iml
-/modules.xml
-/projectSettingsUpdater.xml
-/contentModel.xml
-# Ignored default folder with query files
-/queries/
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml
-# Editor-based HTTP Client requests
-/httpRequests/
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml
deleted file mode 100644
index 4ea72a9..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.agent.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="AgentMigrationStateService">
-    <option name="migrationStatus" value="COMPLETED" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml
deleted file mode 100644
index 7ef04e2..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="AskMigrationStateService">
-    <option name="migrationStatus" value="COMPLETED" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml
deleted file mode 100644
index 1f2ea11..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.ask2agent.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="Ask2AgentMigrationStateService">
-    <option name="migrationStatus" value="COMPLETED" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml
deleted file mode 100644
index 8648f94..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/copilot.data.migration.edit.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="EditMigrationStateService">
-    <option name="migrationStatus" value="COMPLETED" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml
deleted file mode 100644
index df87cf9..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/encodings.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="Encoding" addBOMForNewFiles="with BOM under Windows, with no BOM otherwise" />
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml
deleted file mode 100644
index 7b08163..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/indexLayout.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="UserContentModel">
-    <attachedFolders />
-    <explicitIncludes />
-    <explicitExcludes />
-  </component>
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml b/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml
deleted file mode 100644
index ba43f69..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/.idea/.idea.PolicyDrivenExpenses/.idea/vcs.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="$PROJECT_DIR$/../../.." vcs="Git" />
-    <mapping directory="$PROJECT_DIR$" vcs="Git" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user b/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user
deleted file mode 100644
index 0f4cf32..0000000
--- a/Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln.DotSettings.user
+++ /dev/null
@@ -1,16 +0,0 @@
-<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAttributes_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003F2a_003F0bdaf15a_003FAttributes_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthorizationEndpointConventionBuilderExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F529ca7af3db74d77551539ac0655ebf6c535c3725adad6808a78956de9b481_003FAuthorizationEndpointConventionBuilderExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthZenBoxcarEvaluationRequest_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003Fe3_003Ff503e3b5_003FAuthZenBoxcarEvaluationRequest_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthZenEvaluationRequest_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003F8a_003F3a0a9377_003FAuthZenEvaluationRequest_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAuthZenSingleRequestBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003F59_003Feca0bbe2_003FAuthZenSingleRequestBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AConfiguredCancelableAsyncEnumerable_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F503ce811ad4e9dc1af2f941b2176a3fd92d0d86e67193e3974e638a4ca3f69f_003FConfiguredCancelableAsyncEnumerable_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADebugger_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Ff9d2f95d72fa884d8b6ddefc717c56da3657fbb2d5fb683656c3589eb6587_003FDebugger_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AFileSystemPolicyStore_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003F06_003F46a4719a_003FFileSystemPolicyStore_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIAuthZenPropertyBag_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8d165ad7a13142acbb9444f9a241cd787400_003Fa4_003F397a31d0_003FIAuthZenPropertyBag_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIdentityConstants_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F7dbdfb636eaf239e236f25602a4737bcea35d9853112016a49f55f460186b_003FIdentityConstants_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AIPolicyStore_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003Fe4_003F03d98093_003FIPolicyStore_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AJsonElement_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F579deeb0a45a829a4e9f827e296d7f339cefa86c77069fa79a05cd9546833_003FJsonElement_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AMonitor_002ECoreCLR_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fbc69852c736be69a33ab75e0444246ffeb2f8cd671d12b36b764ba5fa18f61ba_003FMonitor_002ECoreCLR_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARecordAttributeValueProvider_00601_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6e7f37fa046647d794d2fdfbaeb8d056bd000_003Fb9_003F273d8668_003FRecordAttributeValueProvider_00601_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATaskAsyncEnumerableExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fa446e9d9adcc13b7b2443f91d56768d4201fe33d52acfb68f34d94298a1d3_003FTaskAsyncEnumerableExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String></wpf:ResourceDictionary>
\ No newline at end of file