decision
Module: enforcement::decision
Section titled “Module: enforcement::decision”Contents
Section titled “Contents”Structs
DenyIdentity- Verified agent/token attribution carried by a [EnforcementDecision::Deny]
Enums
CapabilityValidationStage- Sub-stages within Stage 1 (Capability Validation).ConstraintEnforcementStage- Sub-stages within Stage 2 (Constraint Enforcement Engine).EnforcementDecision- Unified result of the enforcement pipeline.EnforcementStage- Identifies which pipeline stage produced a decision.
firma_sidecar::enforcement::decision::CapabilityValidationStage
Section titled “firma_sidecar::enforcement::decision::CapabilityValidationStage”Enum
Sub-stages within Stage 1 (Capability Validation).
Variants:
TokenSelection- Token selection from the capability map.TokenValidation- Token validation — parse, signature verify, expiry, revocation.
Traits: Eq, Copy
Trait Implementations:
- Clone
fn clone(self: &Self) -> CapabilityValidationStage
- Debug
fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
- PartialEq
fn eq(self: &Self, other: &CapabilityValidationStage) -> bool
firma_sidecar::enforcement::decision::ConstraintEnforcementStage
Section titled “firma_sidecar::enforcement::decision::ConstraintEnforcementStage”Enum
Sub-stages within Stage 2 (Constraint Enforcement Engine).
Variants:
ScopeCheck- Scope check — action class within token’s allowed set.BundleFreshness- Policy bundle freshness check.PolicyEvaluation- Cedar policy evaluation.
Traits: Eq, Copy
Trait Implementations:
- Clone
fn clone(self: &Self) -> ConstraintEnforcementStage
- Debug
fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
- PartialEq
fn eq(self: &Self, other: &ConstraintEnforcementStage) -> bool
firma_sidecar::enforcement::decision::DenyIdentity
Section titled “firma_sidecar::enforcement::decision::DenyIdentity”Struct
Verified agent/token attribution carried by a [EnforcementDecision::Deny]
raised after capability validation.
The enforcement pipeline discards the validated CapabilityClaims on the
denial path, so without this the audit record for a Stage-2 (policy) or
credential-injection denial has empty agent_id/token_id. That made
firma monitor --agent <id> drop every deny while keeping allows — the
gap reported in FIR-208.
Fields:
token_id: String- Verified token id.agent_id: String- Verified agent id.context_hash: String- Context hash bound to the verified capability.
Methods:
fn from_claims(claims: &CapabilityClaims) -> Self- Builds a [DenyIdentity] from verified capability claims.
Traits: Eq
Trait Implementations:
- Clone
fn clone(self: &Self) -> DenyIdentity
- PartialEq
fn eq(self: &Self, other: &DenyIdentity) -> bool
- Debug
fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
firma_sidecar::enforcement::decision::EnforcementDecision
Section titled “firma_sidecar::enforcement::decision::EnforcementDecision”Enum
Unified result of the enforcement pipeline.
Every enforce() call produces exactly one of these. Carries enough
information for the caller to construct the response, emit audit events,
and proceed with credential injection on ALLOW, or forward the request
unmodified on PASSTHROUGH.
Variants:
Allow{ claims: firma_core::CapabilityClaims, envelope: Box<firma_core::ExecutionEnvelope>, credentials: firma_core::InjectedCredentials }- Request authorized. Proceed to connector dispatch.Deny{ reason: firma_core::DenyReason, stage: EnforcementStage, detail: String, envelope: Option<crate::normalizer::NormalizedEnvelope>, identity: Option<DenyIdentity> }- Request denied. Return structured denial to agent.Abort{ reason: firma_core::AbortReason, detail: String, identity: Option<DenyIdentity> }- Request was authorized, then aborted before completion.Passthrough{ detail: String }- Non-protected traffic. Forward the request without enforcement.Modify{ claims: firma_core::CapabilityClaims, envelope: Box<firma_core::ExecutionEnvelope>, modifications: firma_core::ModificationSpec, credentials: firma_core::InjectedCredentials }- AARM R4MODIFY: the request is authorized but a transformation mustStepUp{ claims: Option<firma_core::CapabilityClaims>, envelope: Option<crate::normalizer::NormalizedEnvelope>, challenge: String, retry_after_ms: u64, identity: Option<DenyIdentity> }- AARM R4STEP_UP: the request is blocked pending human approval orDefer{ claims: Option<firma_core::CapabilityClaims>, envelope: Option<crate::normalizer::NormalizedEnvelope>, retry_after_ms: u64, identity: Option<DenyIdentity> }- AARM R4DEFER: the request is blocked and should be retried after
Methods:
fn with_identity(self: Self, identity: DenyIdentity) -> Self- Attaches verified [DenyIdentity] to a decision that carries anfn step_up_pending_hitl(approval_token: Option<String>, retry_after_ms: Option<u64>) -> Self- Bridge the local-exec HITL pending outcome onto the unifiedfn is_allow(self: &Self) -> boolfn is_deny(self: &Self) -> boolfn is_abort(self: &Self) -> boolfn is_passthrough(self: &Self) -> boolfn is_modify(self: &Self) -> bool-truefor the AARM R4MODIFYdecision.fn is_step_up(self: &Self) -> bool-truefor the AARM R4STEP_UPdecision.fn is_defer(self: &Self) -> bool-truefor the AARM R4DEFERdecision.fn deny_reason(self: &Self) -> Option<DenyReason>fn stage(self: &Self) -> Option<EnforcementStage>
Trait Implementations:
- Debug
fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
firma_sidecar::enforcement::decision::EnforcementStage
Section titled “firma_sidecar::enforcement::decision::EnforcementStage”Enum
Identifies which pipeline stage produced a decision.
Variants:
Normalization- Intent normalization — raw request → canonicalExecutionEnvelope.CapabilityValidation(CapabilityValidationStage)- Stage 1: Capability Validation.ConstraintEnforcement(ConstraintEnforcementStage)- Stage 2: Constraint Enforcement Engine (CEE).CredentialInjection- Credential injection — post-enforcement credential fetch failed.
Traits: Eq, Copy
Trait Implementations:
- Debug
fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
- PartialEq
fn eq(self: &Self, other: &EnforcementStage) -> bool
- Clone
fn clone(self: &Self) -> EnforcementStage