policy

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source 
const DefaultPollInterval = 2 * time.Second

DefaultPollInterval is how often the watcher checks for policy file changes. TODO(perf): Replace polling with fsnotify for instant reload and zero CPU overhead. Polling at DefaultPollInterval is acceptable for single-file watching but won't scale to directory watching.

Variables

This section is empty.

Functions

This section is empty.

Types

type ActionRequest 

type ActionRequest struct {
	Scope     string            `json:"scope"`
	Action    string            `json:"action,omitempty"`
	Command   string            `json:"command,omitempty"`
	Path      string            `json:"path,omitempty"`
	Domain    string            `json:"domain,omitempty"`
	URL       string            `json:"url,omitempty"`
	AgentID   string            `json:"agent_id,omitempty"`
	SessionID string            `json:"session_id,omitempty"`
	EstCost   float64           `json:"est_cost,omitempty"`
	Meta      map[string]string `json:"meta,omitempty"`
}

ActionRequest represents an agent's intended action.

type AgentCfg 

type AgentCfg struct {
	Extends  string    `yaml:"extends"`
	Override []RuleSet `yaml:"override,omitempty"`
}

AgentCfg defines per-agent policy overrides.

type CheckResult 

type CheckResult struct {
	Decision    Decision `json:"decision"`
	Reason      string   `json:"reason"`
	Rule        string   `json:"matched_rule,omitempty"`
	ApprovalID  string   `json:"approval_id,omitempty"`
	ApprovalURL string   `json:"approval_url,omitempty"`
}

CheckResult is the response returned after evaluating an action against policy.

type Condition 

type Condition struct {
	RequirePrior string `yaml:"require_prior,omitempty"`
	TimeWindow   string `yaml:"time_window,omitempty"`
}

Condition is a contextual constraint on a rule.

type CostLimits 

type CostLimits struct {
	MaxPerAction   string `yaml:"max_per_action,omitempty"`
	MaxPerSession  string `yaml:"max_per_session,omitempty"`
	AlertThreshold string `yaml:"alert_threshold,omitempty"`
}

CostLimits defines cost guardrails for a scope.

type Decision 

type Decision string

Decision represents the outcome of a policy check. 

const (
	Allow           Decision = "ALLOW"
	Deny            Decision = "DENY"
	RequireApproval Decision = "REQUIRE_APPROVAL"
)

type Engine 

type Engine struct {
	// contains filtered or unexported fields
}

Engine evaluates actions against a policy.

func NewEngine 

func NewEngine(pol *Policy) *Engine

NewEngine creates a policy engine with the given policy.

func (*Engine) Check 

func (e *Engine) Check(req ActionRequest) CheckResult

Check evaluates an action request against the active policy. Order: deny rules -> require_approval rules -> allow rules -> default deny. Per-agent overrides are applied when AgentID matches a key in policy.Agents.

func (*Engine) Policy 

func (e *Engine) Policy() *Policy

Policy returns the currently active policy (thread-safe).

func (*Engine) RateLimitConfig 

func (e *Engine) RateLimitConfig(scope, agentID string) *RateLimitCfg

RateLimitConfig returns the rate limit config for a given scope, considering per-agent overrides. Returns nil if no rate limit is configured.

func (*Engine) UpdatePolicy 

func (e *Engine) UpdatePolicy(pol *Policy)

UpdatePolicy hot-swaps the active policy.

type FileWatcher 

type FileWatcher struct {
	// contains filtered or unexported fields
}

FileWatcher watches a policy file for changes and triggers a callback.

func WatchFile 

func WatchFile(path string, callback func(*Policy)) (*FileWatcher, error)

WatchFile starts watching a policy file for changes.

func (*FileWatcher) Close 

func (w *FileWatcher) Close()

Close stops the file watcher.

type NotificationCfg 

type NotificationCfg struct {
	ApprovalRequired []NotifyTarget `yaml:"approval_required,omitempty"`
	OnDeny           []NotifyTarget `yaml:"on_deny,omitempty"`
}

NotificationCfg defines where to send alerts.

type NotifyTarget 

type NotifyTarget struct {
	Type  string `yaml:"type"` // "webhook", "slack", "console", "log"
	URL   string `yaml:"url,omitempty"`
	Level string `yaml:"level,omitempty"`
}

NotifyTarget is a notification destination.

type Policy 

type Policy struct {
	Version       string              `yaml:"version"`
	Name          string              `yaml:"name"`
	Description   string              `yaml:"description"`
	Rules         []RuleSet           `yaml:"rules"`
	Agents        map[string]AgentCfg `yaml:"agents,omitempty"`
	Notifications NotificationCfg     `yaml:"notifications,omitempty"`
}

Policy is the top-level policy document.

func LoadFromFile 

func LoadFromFile(path string) (*Policy, error)

LoadFromFile reads and parses a policy YAML file.

func (*Policy) RuleCount 

func (p *Policy) RuleCount() int

RuleCount returns the total number of individual rules.

func (*Policy) ScopeCount 

func (p *Policy) ScopeCount() int

ScopeCount returns the number of unique scopes.

type RateLimitCfg 

type RateLimitCfg struct {
	MaxRequests int    `yaml:"max_requests"`
	Window      string `yaml:"window"`
}

RateLimitCfg defines rate limiting parameters.

type Rule 

type Rule struct {
	Action     string      `yaml:"action,omitempty"`
	Pattern    string      `yaml:"pattern,omitempty"`
	Paths      []string    `yaml:"paths,omitempty"`
	Domain     string      `yaml:"domain,omitempty"`
	Message    string      `yaml:"message,omitempty"`
	Conditions []Condition `yaml:"conditions,omitempty"`
}

Rule is an individual policy rule.

type RuleSet 

type RuleSet struct {
	Scope           string        `yaml:"scope"`
	Allow           []Rule        `yaml:"allow,omitempty"`
	Deny            []Rule        `yaml:"deny,omitempty"`
	RequireApproval []Rule        `yaml:"require_approval,omitempty"`
	RateLimit       *RateLimitCfg `yaml:"rate_limit,omitempty"`
	Limits          *CostLimits   `yaml:"limits,omitempty"`
}

RuleSet groups rules by scope.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.