decision
Module: enforcement::decision
Contents
Enums
- CapabilityValidationStage - Sub-stages within Stage 1 (Capability Validation).
- ConstraintEnforcementStage - Sub-stages within Stage 2 (Constraint Enforcement Engine).
- EnforcementDecision - Unified result of the enforcement pipeline.
- EnforcementStage - Identifies which pipeline stage produced a decision.
firma_sidecar::enforcement::decision::CapabilityValidationStage
Enum
Sub-stages within Stage 1 (Capability Validation).
Variants:
- TokenSelection - Token selection from the capability map.
- TokenValidation - Token validation — parse, signature verify, expiry, revocation.
Traits: Eq, Copy
Trait Implementations:
- Debug
fn fmt(self: &Self, f: &mut core::fmt::Formatter) -> core::fmt::Result
- PartialEq
fn eq(self: &Self, other: &CapabilityValidationStage) -> bool
- Clone
fn clone(self: &Self) -> CapabilityValidationStage
firma_sidecar::enforcement::decision::ConstraintEnforcementStage
Enum
Sub-stages within Stage 2 (Constraint Enforcement Engine).
Variants:
- ScopeCheck - Scope check — action class within token’s allowed set.
- BundleFreshness - Policy bundle freshness check.
- PolicyEvaluation - Cedar policy evaluation.
Traits: Copy, Eq
Trait Implementations:
- Debug
fn fmt(self: &Self, f: &mut core::fmt::Formatter) -> core::fmt::Result
- PartialEq
fn eq(self: &Self, other: &ConstraintEnforcementStage) -> bool
- Clone
fn clone(self: &Self) -> ConstraintEnforcementStage
firma_sidecar::enforcement::decision::EnforcementDecision
Enum
Unified result of the enforcement pipeline.
Every enforce() call produces exactly one of these. Carries enough
information for the caller to construct the response, emit audit events,
and proceed with credential injection on ALLOW, or forward the request
unmodified on PASSTHROUGH.
Variants:
- Allow { claims: firma_core::CapabilityClaims, envelope: Box<firma_core::ExecutionEnvelope>, credentials: firma_core::InjectedCredentials } - Request authorized. Proceed to connector dispatch.
- Deny { reason: firma_core::DenyReason, stage: EnforcementStage, detail: String, envelope: Option<crate::normalizer::NormalizedEnvelope> } - Request denied. Return structured denial to agent.
- Passthrough { detail: String } - Non-protected traffic. Forward the request without enforcement.
Methods:
fn is_allow(self: &Self) -> bool
fn is_deny(self: &Self) -> bool
fn is_passthrough(self: &Self) -> bool
fn deny_reason(self: &Self) -> Option<DenyReason>
fn stage(self: &Self) -> Option<EnforcementStage>
Trait Implementations:
- Debug
fn fmt(self: &Self, f: &mut core::fmt::Formatter) -> core::fmt::Result
firma_sidecar::enforcement::decision::EnforcementStage
Enum
Identifies which pipeline stage produced a decision.
Variants:
- Normalization - Intent normalization — raw request → canonical ExecutionEnvelope.
- CapabilityValidation(CapabilityValidationStage) - Stage 1: Capability Validation.
- ConstraintEnforcement(ConstraintEnforcementStage) - Stage 2: Constraint Enforcement Engine (CEE).
- CredentialInjection - Credential injection — post-enforcement credential fetch failed.
Traits: Eq, Copy
Trait Implementations:
- PartialEq
fn eq(self: &Self, other: &EnforcementStage) -> bool
- Clone
fn clone(self: &Self) -> EnforcementStage
- Debug
fn fmt(self: &Self, f: &mut core::fmt::Formatter) -> core::fmt::Result
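Example (added here, not taken from the firma_sidecar code base): a caller consuming an EnforcementDecision as the description above outlines, with credentials reaching dispatch only on Allow and every denial audited under the stage that produced it. The enums are simplified stand-ins that use String payloads in place of the firma_core types; Next, stage_label, handle, the label strings and the audit-line format are hypothetical.

```rust
// Added example. Stand-ins for the documented enums; payloads are Strings (assumption).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum CapabilityValidationStage { TokenSelection, TokenValidation }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum ConstraintEnforcementStage { ScopeCheck, BundleFreshness, PolicyEvaluation }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum EnforcementStage {
    Normalization,
    CapabilityValidation(CapabilityValidationStage),
    ConstraintEnforcement(ConstraintEnforcementStage),
    CredentialInjection,
}
#[derive(Debug)]
enum EnforcementDecision {
    Allow { claims: String, credentials: String },
    Deny { reason: String, stage: EnforcementStage, detail: String },
    Passthrough { detail: String },
}
// Hypothetical caller-side type: what the sidecar does next with the request.
#[derive(Debug, PartialEq)]
enum Next { Dispatch { credentials: String }, Reject, Forward }

// Audit label per stage (made-up strings). No `_` arm, so a new stage fails to compile here.
fn stage_label(stage: EnforcementStage) -> &'static str {
    match stage {
        EnforcementStage::Normalization => "normalization",
        EnforcementStage::CapabilityValidation(CapabilityValidationStage::TokenSelection) => "stage1.token_selection",
        EnforcementStage::CapabilityValidation(CapabilityValidationStage::TokenValidation) => "stage1.token_validation",
        EnforcementStage::ConstraintEnforcement(ConstraintEnforcementStage::ScopeCheck) => "stage2.scope_check",
        EnforcementStage::ConstraintEnforcement(ConstraintEnforcementStage::BundleFreshness) => "stage2.bundle_freshness",
        EnforcementStage::ConstraintEnforcement(ConstraintEnforcementStage::PolicyEvaluation) => "stage2.policy_evaluation",
        EnforcementStage::CredentialInjection => "credential_injection",
    }
}

// Returns the next action and one audit line; credentials leave only through the Allow arm
// and never appear in the audit text.
fn handle(decision: EnforcementDecision) -> (Next, String) {
    match decision {
        EnforcementDecision::Allow { claims, credentials } =>
            (Next::Dispatch { credentials }, format!("ALLOW claims={}", claims)),
        EnforcementDecision::Deny { reason, stage, detail } =>
            (Next::Reject, format!("DENY stage={} reason={} detail={}", stage_label(stage), reason, detail)),
        EnforcementDecision::Passthrough { detail } => (Next::Forward, format!("PASSTHROUGH detail={}", detail)),
    }
}
fn main() {
    let stage = EnforcementStage::ConstraintEnforcement(ConstraintEnforcementStage::ScopeCheck); // constructed sample
    let deny = EnforcementDecision::Deny { reason: "scope".into(), stage, detail: "constructed".into() };
    println!("{:?}", handle(deny));
}
```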