Documentation

Overview
Package engine implements Keep's core policy evaluation.
Constants

This section is empty.

Variables

This section is empty.

Functions

Types
type AuditEntry

type AuditEntry struct {
	Timestamp      time.Time
	Scope          string
	Operation      string
	AgentID        string
	UserID         string
	Direction      string
	Decision       Decision
	Rule           string
	Message        string
	RulesEvaluated []RuleResult
	ParamsSummary  string
	// Enforced is true when the Decision was actually applied to the call.
	// It is false in audit_only mode, where Decision records what would have
	// happened but the call is allowed regardless.
	Enforced      bool
	RedactSummary []RedactedField `json:",omitempty"`
}
AuditEntry is the structured log record for a single evaluation.
type Call

type Call struct {
	Operation string
	Params    map[string]any
	Context   CallContext
}
Call is the normalized input to the policy engine.
type CallContext

type CallContext struct {
	AgentID   string
	UserID    string
	Timestamp time.Time
	Scope     string
	Direction string
	Labels    map[string]string
}
CallContext is metadata about who is making the call and when.
type EvalResult

type EvalResult struct {
	Decision  Decision
	Rule      string
	Message   string
	Mutations []redact.Mutation
	Audit     AuditEntry
}
EvalResult is the output of a policy evaluation.
type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}
Evaluator runs the rule evaluation loop for a single scope.
func NewEvaluator

func NewEvaluator(
	celEnv *keepcel.Env,
	scope string,
	mode config.Mode,
	onError config.ErrorMode,
	rules []config.Rule,
	aliases map[string]string,
	defs map[string]string,
	detector *secrets.Detector,
	caseSensitive bool,
) (*Evaluator, error)

NewEvaluator creates an evaluator for a scope. It compiles all CEL expressions and redact patterns at creation time and returns an error if any expression fails to compile.
func (*Evaluator) Evaluate
func (ev *Evaluator) Evaluate(call Call) EvalResult
Evaluate runs all rules against the given call and returns the result.
type RedactedField

type RedactedField struct {
	Path     string // e.g. "params.text"
	Replaced string // the post-redaction value (contains [REDACTED:...] placeholders)
}
RedactedField records what was redacted without exposing the original value.
type RuleResult

type RuleResult struct {
	Name         string
	Matched      bool
	Action       string
	Skipped      bool
	Error        bool   // true if a CEL eval error occurred for this rule
	ErrorMessage string // the CEL eval error message, populated when Error is true
}
RuleResult records what happened when a single rule was checked.
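AuditEntry.Enforced and RuleResult.Error together decide how much an audit log can be trusted: a recorded deny that was not enforced (audit_only mode) previews what enforcement would block, and a rule that hit a CEL evaluation error did not evaluate as written and needs review. The Go program below is an added example, not part of the engine package; it assumes Decision encodes in JSON as a plain string such as "deny" (the page does not show that type), reads constructed JSON-lines AuditEntry records, and summarises the denies that were only recorded, the denies actually applied, and the rules that errored.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// auditEntry mirrors engine.AuditEntry (RuleResult inlined), only the fields used
// here. Assumption: Decision encodes as a plain string such as "deny" (not shown on page).
type auditEntry struct {
	Decision, Rule string
	Enforced       bool
	RulesEvaluated []struct{ Name, ErrorMessage string; Error bool }
}
// Triage of an audit_only rollout, keyed by rule name.
type Triage struct {
	WouldDeny, Denied map[string]int    // denies only recorded / actually applied
	RuleErrors        map[string]string // last CEL evaluation error per rule
}
// TriageLog parses JSON AuditEntry records (Go default field names), one per line.
func TriageLog(lines []string) (Triage, error) {
	t := Triage{map[string]int{}, map[string]int{}, map[string]string{}}
	for _, line := range lines {
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return t, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		if e.Decision == "deny" && e.Enforced {
			t.Denied[e.Rule]++
		} else if e.Decision == "deny" {
			t.WouldDeny[e.Rule]++ // would block once the scope is enforced
		}
		for _, r := range e.RulesEvaluated {
			if r.Error { // a rule that failed to evaluate needs review
				t.RuleErrors[r.Name] = r.ErrorMessage
			}
		}
	}
	return t, nil
}
// SampleLog is constructed sample data, not real engine output.
var SampleLog = []string{
	`{"Scope":"tool","Operation":"shell.exec","AgentID":"a1","Decision":"deny","Rule":"no-shell","Enforced":false,"RulesEvaluated":[{"Name":"no-shell","Matched":true}]}`,
	`{"Scope":"tool","Operation":"http.get","AgentID":"a1","Decision":"allow","Rule":"","Enforced":false,"RulesEvaluated":[{"Name":"egress","Error":true,"ErrorMessage":"no such key: params.url"}]}`,
	`{"Scope":"tool","Operation":"shell.exec","AgentID":"a2","Decision":"deny","Rule":"no-shell","Enforced":true,"RulesEvaluated":[{"Name":"no-shell","Matched":true}]}`,
}

func main() {
	tr, err := TriageLog(SampleLog)
	fmt.Println(tr.WouldDeny, tr.Denied, tr.RuleErrors, err) // err is nil for SampleLog
}
```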