constraint_enforcement
Module: enforcement::constraint_enforcement
Section titled “Module: enforcement::constraint_enforcement”Contents
Section titled “Contents”Structs
ConstraintEnforcer- Stage 2: Constraint Enforcement Engine (CEE).
Enums
PolicyVerdict- The verdict a policy engine returns for one evaluated action.
Traits
PolicyEvaluation- Trait for policy evaluation — abstracts Cedar or any other policy engine.
firma_sidecar::enforcement::constraint_enforcement::ConstraintEnforcer
Section titled “firma_sidecar::enforcement::constraint_enforcement::ConstraintEnforcer”Struct
Stage 2: Constraint Enforcement Engine (CEE).
Performs scope check (action within token’s allowed set), builds the Cedar evaluation context, and evaluates policies. Fully local.
Target: < 200us p95.
Methods:
fn new(policy: Arc<dyn PolicyEvaluation>) -> Selffn policy_version(self: &Self) -> Option<String>- Return the active policy bundle version, if one has been installed.fn evaluate(self: &Self, envelope: &NormalizedEnvelope, claims: &CapabilityClaims, signals: &RuntimeSignals) -> Result<PolicyVerdict, EnforcementDecision>- Evaluate the request against Cedar policies.fn evaluate_with_timeout(self: &Self, envelope: &NormalizedEnvelope, claims: &CapabilityClaims, signals: &RuntimeSignals, timeout: Duration) -> Result<PolicyVerdict, EnforcementDecision>- Timeout-aware Stage 2 evaluation.
firma_sidecar::enforcement::constraint_enforcement::PolicyEvaluation
Section titled “firma_sidecar::enforcement::constraint_enforcement::PolicyEvaluation”Trait
Trait for policy evaluation — abstracts Cedar or any other policy engine.
The sidecar uses this trait rather than firma-core’s PolicyEvaluator
because it needs a richer context (three-layer attributes). The concrete
Cedar implementation will be provided when unit 003 is built.
Methods:
evaluate: Evaluate policy against the given context attributes.evaluate_verdict: Evaluate policy and return the full AARM R4 verdict, includingis_fresh: Check if the policy bundle is still fresh (TTL not expired).is_available: Check if a policy bundle is currently available.version: Get the current policy bundle version.
firma_sidecar::enforcement::constraint_enforcement::PolicyVerdict
Section titled “firma_sidecar::enforcement::constraint_enforcement::PolicyVerdict”Enum
The verdict a policy engine returns for one evaluated action.
Cedar natively produces only Allow/Deny. The three remediation
variants (Modify, StepUp, Defer) are sourced from @modify /
@step_up / @defer annotations on forbid policies — see
CedarPolicyEvaluator.
This is the AARM R4 five-decision set at the engine layer; the pipeline
lifts it into [EnforcementDecision].
Variants:
Allow- Request authorized. Proceed to envelope assembly + dispatch.Deny- Request denied by policy. Mapped to a hardModify{ modifications: firma_core::ModificationSpec }- AARM R4MODIFY: execute a transformed version.modificationsStepUp{ challenge: firma_core::StepUpSpec }- AARM R4STEP_UP: require human approval / stronger authn beforeDefer{ backoff: std::time::Duration }- AARM R4DEFER: delay execution pending additional context or
Traits: Eq
Trait Implementations:
- Clone
fn clone(self: &Self) -> PolicyVerdict
- PartialEq
fn eq(self: &Self, other: &PolicyVerdict) -> bool
- Debug
fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result