constraint_enforcement

Module: enforcement::constraint_enforcement

Structs

Traits

  • PolicyEvaluation - Trait for policy evaluation — abstracts Cedar or any other policy engine.

firma_sidecar::enforcement::constraint_enforcement::ConstraintEnforcer

Struct

Stage 2: Constraint Enforcement Engine (CEE).

Performs the scope check (the action must be within the token’s allowed set), builds the Cedar evaluation context, and evaluates policies. Runs fully locally.

Target: < 200us p95.

Methods:

  • fn new(policy: Arc<dyn PolicyEvaluation>) -> Self
  • fn policy_version(self: &Self) -> Option<String> - Return the active policy bundle version, if one has been installed.
  • fn evaluate(self: &Self, envelope: &NormalizedEnvelope, claims: &CapabilityClaims, signals: &RuntimeSignals) -> Result<(), EnforcementDecision> - Evaluate the request against Cedar policies.
  • fn evaluate_with_timeout(self: &Self, envelope: &NormalizedEnvelope, claims: &CapabilityClaims, signals: &RuntimeSignals, timeout: Duration) -> Result<(), EnforcementDecision> - Timeout-aware Stage 2 evaluation.

firma_sidecar::enforcement::constraint_enforcement::PolicyEvaluation

Trait

Trait for policy evaluation — abstracts Cedar or any other policy engine.

The sidecar uses this trait rather than firma-core’s PolicyEvaluator because it needs a richer context (three-layer attributes). The concrete Cedar implementation will be provided when unit 003 is built.

Methods:

  • evaluate: Evaluate policy against the given context attributes.
  • is_fresh: Check if the policy bundle is still fresh (TTL not expired).
  • is_available: Check if a policy bundle is currently available.
  • version: Get the current policy bundle version.
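
The Stage 2 order described above (scope check, context build, policy evaluation behind the trait), as an added sketch that is not firma_sidecar's own code. The trait's method names come from this page; the signatures, the flat string context, the `Deny` enum, `Enforcer`, `MockPolicy`, `check`, and the choice to deny when the bundle is missing or stale are all assumptions.

```rust
use std::collections::{HashMap, HashSet};
use std::sync::Arc;

// Assumed stand-in for PolicyEvaluation: method names from the page, signatures invented.
trait PolicyEvaluation {
    fn evaluate(&self, ctx: &HashMap<String, String>) -> bool;
    fn is_fresh(&self) -> bool;
    fn is_available(&self) -> bool;
    fn version(&self) -> Option<String>;
}

#[derive(Debug, PartialEq)]
enum Deny { OutOfScope, NoPolicy, StalePolicy, PolicyDenied } // hypothetical decision type

struct Enforcer { policy: Arc<dyn PolicyEvaluation> } // hypothetical, not ConstraintEnforcer

impl Enforcer {
    fn evaluate(&self, action: &str, allowed: &HashSet<&str>,
                signals: &HashMap<String, String>) -> Result<(), Deny> {
        // Scope check first: the action must be in the token's allowed set.
        if !allowed.contains(action) { return Err(Deny::OutOfScope); }
        // Assumption: a missing or expired bundle denies the request (fail closed).
        if !self.policy.is_available() { return Err(Deny::NoPolicy); }
        if !self.policy.is_fresh() { return Err(Deny::StalePolicy); }
        // Build the evaluation context, then ask the policy engine.
        let mut ctx = signals.clone();
        ctx.insert("action".to_string(), action.to_string());
        if self.policy.evaluate(&ctx) { Ok(()) } else { Err(Deny::PolicyDenied) }
    }
}

// Constructed mock engine: permits unless the "risk" signal is "high".
struct MockPolicy { available: bool, fresh: bool }

impl PolicyEvaluation for MockPolicy {
    fn evaluate(&self, ctx: &HashMap<String, String>) -> bool {
        ctx.get("risk").map(String::as_str) != Some("high")
    }
    fn is_fresh(&self) -> bool { self.fresh }
    fn is_available(&self) -> bool { self.available }
    fn version(&self) -> Option<String> { self.available.then(|| "demo-1".to_string()) }
}

// Run one constructed request (token scope: read, list) through the sketch.
fn check(available: bool, fresh: bool, action: &str, risk: &str) -> Result<(), Deny> {
    let enforcer = Enforcer { policy: Arc::new(MockPolicy { available, fresh }) };
    let allowed = HashSet::from(["read", "list"]);
    let signals = HashMap::from([("risk".to_string(), risk.to_string())]);
    enforcer.evaluate(action, &allowed, &signals)
}
```

Because the scope check runs before any bundle state is consulted, an out-of-scope action is rejected the same way whether or not a policy bundle is installed.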