Skip to content

decision

Structs

  • DenyIdentity - Verified agent/token attribution carried by a [EnforcementDecision::Deny]

Enums


firma_sidecar::enforcement::decision::CapabilityValidationStage

Section titled “firma_sidecar::enforcement::decision::CapabilityValidationStage”

Enum

Sub-stages within Stage 1 (Capability Validation).

Variants:

  • TokenSelection - Token selection from the capability map.
  • TokenValidation - Token validation — parse, signature verify, expiry, revocation.

Traits: Eq, Copy

Trait Implementations:

  • Clone
    • fn clone(self: &Self) -> CapabilityValidationStage
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • PartialEq
    • fn eq(self: &Self, other: &CapabilityValidationStage) -> bool

firma_sidecar::enforcement::decision::ConstraintEnforcementStage

Section titled “firma_sidecar::enforcement::decision::ConstraintEnforcementStage”

Enum

Sub-stages within Stage 2 (Constraint Enforcement Engine).

Variants:

  • ScopeCheck - Scope check — action class within token’s allowed set.
  • BundleFreshness - Policy bundle freshness check.
  • PolicyEvaluation - Cedar policy evaluation.

Traits: Eq, Copy

Trait Implementations:

  • Clone
    • fn clone(self: &Self) -> ConstraintEnforcementStage
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • PartialEq
    • fn eq(self: &Self, other: &ConstraintEnforcementStage) -> bool

firma_sidecar::enforcement::decision::DenyIdentity

Section titled “firma_sidecar::enforcement::decision::DenyIdentity”

Struct

Verified agent/token attribution carried by a [EnforcementDecision::Deny] raised after capability validation.

The enforcement pipeline discards the validated CapabilityClaims on the denial path, so without this the audit record for a Stage-2 (policy) or credential-injection denial has empty agent_id/token_id. That made firma monitor --agent <id> drop every deny while keeping allows — the gap reported in FIR-208.

Fields:

  • token_id: String - Verified token id.
  • agent_id: String - Verified agent id.
  • context_hash: String - Context hash bound to the verified capability.

Methods:

  • fn from_claims(claims: &CapabilityClaims) -> Self - Builds a [DenyIdentity] from verified capability claims.

Traits: Eq

Trait Implementations:

  • Clone
    • fn clone(self: &Self) -> DenyIdentity
  • PartialEq
    • fn eq(self: &Self, other: &DenyIdentity) -> bool
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_sidecar::enforcement::decision::EnforcementDecision

Section titled “firma_sidecar::enforcement::decision::EnforcementDecision”

Enum

Unified result of the enforcement pipeline.

Every enforce() call produces exactly one of these. Carries enough information for the caller to construct the response, emit audit events, and proceed with credential injection on ALLOW, or forward the request unmodified on PASSTHROUGH.

Variants:

  • Allow{ claims: firma_core::CapabilityClaims, envelope: Box<firma_core::ExecutionEnvelope>, credentials: firma_core::InjectedCredentials } - Request authorized. Proceed to connector dispatch.
  • Deny{ reason: firma_core::DenyReason, stage: EnforcementStage, detail: String, envelope: Option<crate::normalizer::NormalizedEnvelope>, identity: Option<DenyIdentity> } - Request denied. Return structured denial to agent.
  • Abort{ reason: firma_core::AbortReason, detail: String, identity: Option<DenyIdentity> } - Request was authorized, then aborted before completion.
  • Passthrough{ detail: String } - Non-protected traffic. Forward the request without enforcement.
  • Modify{ claims: firma_core::CapabilityClaims, envelope: Box<firma_core::ExecutionEnvelope>, modifications: firma_core::ModificationSpec, credentials: firma_core::InjectedCredentials } - AARM R4 MODIFY: the request is authorized but a transformation must
  • StepUp{ claims: Option<firma_core::CapabilityClaims>, envelope: Option<crate::normalizer::NormalizedEnvelope>, challenge: String, retry_after_ms: u64, identity: Option<DenyIdentity> } - AARM R4 STEP_UP: the request is blocked pending human approval or
  • Defer{ claims: Option<firma_core::CapabilityClaims>, envelope: Option<crate::normalizer::NormalizedEnvelope>, retry_after_ms: u64, identity: Option<DenyIdentity> } - AARM R4 DEFER: the request is blocked and should be retried after

Methods:

  • fn with_identity(self: Self, identity: DenyIdentity) -> Self - Attaches verified [DenyIdentity] to a decision that carries an
  • fn step_up_pending_hitl(approval_token: Option<String>, retry_after_ms: Option<u64>) -> Self - Bridge the local-exec HITL pending outcome onto the unified
  • fn is_allow(self: &Self) -> bool
  • fn is_deny(self: &Self) -> bool
  • fn is_abort(self: &Self) -> bool
  • fn is_passthrough(self: &Self) -> bool
  • fn is_modify(self: &Self) -> bool - true for the AARM R4 MODIFY decision.
  • fn is_step_up(self: &Self) -> bool - true for the AARM R4 STEP_UP decision.
  • fn is_defer(self: &Self) -> bool - true for the AARM R4 DEFER decision.
  • fn deny_reason(self: &Self) -> Option<DenyReason>
  • fn stage(self: &Self) -> Option<EnforcementStage>

Trait Implementations:

  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_sidecar::enforcement::decision::EnforcementStage

Section titled “firma_sidecar::enforcement::decision::EnforcementStage”

Enum

Identifies which pipeline stage produced a decision.

Variants:

  • Normalization - Intent normalization — raw request → canonical ExecutionEnvelope.
  • CapabilityValidation(CapabilityValidationStage) - Stage 1: Capability Validation.
  • ConstraintEnforcement(ConstraintEnforcementStage) - Stage 2: Constraint Enforcement Engine (CEE).
  • CredentialInjection - Credential injection — post-enforcement credential fetch failed.

Traits: Eq, Copy

Trait Implementations:

  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • PartialEq
    • fn eq(self: &Self, other: &EnforcementStage) -> bool
  • Clone
    • fn clone(self: &Self) -> EnforcementStage