action

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 28, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package action gates proposed remediations against the autonomy-ladder policy (config.actions: off | suggest | approve | auto). The gate is server-authoritative: reversibility and blast radius are derived from the operation (deriveSafety), not trusted from model-authored fields, and executable targets are checked against a namespace allowlist with a built-in protected-namespace deny. suggest surfaces proposals only; approve executes after an authenticated human approval; auto executes reversible, in-envelope actions unattended (rate-limited, kill-switchable, audited). The gate is the load-bearing safety logic for every rung above read-only.

Index

Constants

This section is empty.

Variables

View Source
var ErrNoPending = errors.New("no pending action")

ErrNoPending is returned when an approval id is unknown, already consumed, or expired.

Functions

func ContextWithActor

func ContextWithActor(ctx context.Context, actor string) context.Context

ContextWithActor tags ctx with the actor accountable for an execution (e.g. "auto" or "approve:slack:U123"), so the audited executor can attribute its record.

Types

type Approvals

type Approvals struct {
	// contains filtered or unexported fields
}

Approvals queues actions proposed under "approve" mode until a human approves (then it executes via the Executor) or rejects them. In-memory, held on the leader; entries expire after a TTL.

func NewApprovals

func NewApprovals(exec Executor, policy *Policy, aud audit.Auditor, log *slog.Logger) *Approvals

NewApprovals builds an approval queue. A nil auditor falls back to a no-op.

func (*Approvals) Approve

func (a *Approvals) Approve(ctx context.Context, id, actor string) (providers.Action, error)

Approve executes the pending action after re-checking the envelope. The entry is CLAIMED (removed) under the same lock that reads it, so two concurrent approvals of the same id cannot both execute (TOCTOU double-execute). actor identifies the approver for the audit trail. Errors if the id is unknown/expired, the action is now out of policy, or execution fails.

func (*Approvals) List

func (a *Approvals) List() []Pending

List returns the non-expired pending actions.

func (*Approvals) Register

func (a *Approvals) Register(act providers.Action) string

Register queues an action for approval and returns its id.

func (*Approvals) Reject

func (a *Approvals) Reject(id string) error

Reject drops a pending action.

type Auto

type Auto struct {
	// contains filtered or unexported fields
}

Auto executes remediations without human approval (mode "auto"), under layered safety controls: it only ever runs REVERSIBLE actions, requires a minimum investigation confidence, is rate-limited, can be paused instantly (kill-switch), supports dry-run, and audits every decision. Anything failing a gate is surfaced (annotated), never executed.

func NewAuto

func NewAuto(exec Executor, p config.AutoPolicy, policy *Policy, aud audit.Auditor, log *slog.Logger) *Auto

NewAuto builds the auto executor from the policy (window defaults to 1h). policy is the action envelope, re-checked at the exec boundary (defense in depth). A nil auditor falls back to a no-op. The returned Auto starts with the kill-switch ENGAGED (paused) — fail closed by construction, so a process/leader restart can never resume unattended execution on its own; an operator must Resume() it.

func (*Auto) Pause

func (a *Auto) Pause()

Pause engages the kill-switch: all auto-execution halts until Resume.

func (*Auto) Paused

func (a *Auto) Paused() bool

Paused reports whether the kill-switch is engaged.

func (*Auto) Resume

func (a *Auto) Resume()

Resume clears the kill-switch.

func (*Auto) Run

Run evaluates each (already envelope-compliant) action against the auto safety gates and executes — or, in dry-run, logs — the eligible ones. It returns the actions with their outcome annotated into the description for delivery/audit.

type Executor

type Executor interface {
	Execute(ctx context.Context, a providers.Action) error
}

Executor runs an approved action against the cluster.

func NewAuditedExecutor

func NewAuditedExecutor(inner Executor, aud audit.Auditor) Executor

NewAuditedExecutor wraps inner so executed/failed attempts are recorded to aud, attributed to the actor carried in the context (see ContextWithActor).

type Pending

type Pending struct {
	ID     string
	Action providers.Action
}

Pending is an action awaiting human approval.

type Policy

type Policy struct {
	// contains filtered or unexported fields
}

Policy evaluates proposed actions against the configured envelope.

func New

func New(cfg config.ActionPolicy) *Policy

New builds a Policy from config.

func (*Policy) Enabled

func (p *Policy) Enabled() bool

Enabled reports whether any non-off action mode is configured.

func (*Policy) IsAuto

func (p *Policy) IsAuto() bool

IsAuto reports whether unattended (rung-3) execution is configured.

func (*Policy) Mode

func (p *Policy) Mode() config.ActionMode

Mode returns the configured action mode.

func (*Policy) Review

func (p *Policy) Review(actions []providers.Action) (kept []providers.Action, withheld []string)

Review filters proposed actions to those within the envelope (the ones safe to surface as suggestions), returning the kept actions plus a reason for each withheld one. When actions are disabled (mode off), nothing is surfaced.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL