policy

package

v0.8.0 Latest Latest Go to latest Published: Jun 20, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/prashar32/riskkernel

Links

Open Source Insights

Documentation ¶

Overview ¶

Package policy loads declarative RiskKernel policy bundles from a riskkernel.yaml file — the "policy-as-code" form of the POST /v1/policies bundles, reviewable in PRs and applied on startup — and dry-runs a bundle against a recorded run so you can see what it WOULD have gated or halted before adopting it. All evaluation is deterministic; no LLM is consulted.

Index ¶

Constants
type ApprovalPolicy
type Budget
type Bundle
- func (b Bundle) DryRun(d RunData) Report
- func (b Bundle) Record(now time.Time) storage.PolicyRecord
type File
- func Load(filePath string) (*File, error)
- func (f *File) Bundle(name string) (Bundle, bool)
- func (f *File) Validate() error
type Report
- func (r Report) String() string
type Rule
type RunData

Constants ¶

View Source

const SchemaVersion = 1

SchemaVersion is the only riskkernel.yaml schema version understood today.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type ApprovalPolicy ¶

type ApprovalPolicy struct {
	RequireFor []Rule `yaml:"requireFor"`
}

type Budget ¶

type Budget struct {
	Tokens  int64   `yaml:"tokens"`
	Dollars float64 `yaml:"dollars"`
	Loops   int32   `yaml:"loops"`
	Seconds int32   `yaml:"seconds"`
}

type Bundle ¶

type Bundle struct {
	Name           string         `yaml:"name"`
	Budget         Budget         `yaml:"budget"`
	ToolAllowlist  []string       `yaml:"toolAllowlist"`
	ApprovalPolicy ApprovalPolicy `yaml:"approvalPolicy"`
}

Bundle mirrors the api/v1 Policy schema in YAML form.

func (Bundle) DryRun ¶

func (b Bundle) DryRun(d RunData) Report

DryRun evaluates the bundle against a recorded run. It is read-only.

func (Bundle) Record ¶

func (b Bundle) Record(now time.Time) storage.PolicyRecord

Record converts a bundle into the storage form for registration.

type File ¶

type File struct {
	SchemaVersion int      `yaml:"schemaVersion"`
	Policies      []Bundle `yaml:"policies"`
}

File is a parsed riskkernel.yaml.

func Load ¶

func Load(filePath string) (*File, error)

Load reads and validates a riskkernel.yaml policy file.

func (*File) Bundle ¶

func (f *File) Bundle(name string) (Bundle, bool)

Bundle returns the named bundle, or (_, false).

func (*File) Validate ¶

func (f *File) Validate() error

Validate checks schema version, names, and budgets.

type Report ¶

type Report struct {
	Policy       string
	RunID        string
	BudgetHalt   string // "" if within budget, else the dimension that would have halted
	BudgetDetail string
	GatedCalls   []storage.ToolCallRecord // would have required human approval
	BlockedCalls []storage.ToolCallRecord // not in the tool allowlist
	TotalCalls   int
}

Report is the outcome of dry-running a bundle against a recorded run — what the bundle WOULD have done, changing nothing.

func (Report) String ¶

func (r Report) String() string

String renders a human-readable dry-run report.

type Rule ¶

type Rule struct {
	Tool       string `yaml:"tool"`
	SideEffect string `yaml:"sideEffect"`
}

type RunData ¶

type RunData struct {
	Run       storage.RunRecord
	Totals    storage.LedgerTotals
	ToolCalls []storage.ToolCallRecord
}

RunData is the recorded state of a run that a dry-run evaluates a bundle against.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL