Expand description
The canonical, cross-layer policy AST.
PolicyDocument is the single typed source of truth that both the
gateway rule engine (L7) and the eBPF map compiler (kernel) consume, so a
policy is described exactly once and the two enforcement layers cannot
drift apart. See AAASM-3606 / AAASM-3561.
This is deliberately the canonical (lowering-relevant) shape: the
filesystem/capability and network-egress dimensions that the kernel layer
can enforce, plus the tool-path predicates needed to derive in-kernel path
rules. Gateway-only evaluation concerns (history stores, CEL contexts,
budget accounting) stay in aa-gateway and operate on top of this AST.
Structs§
- Network
Policy - Network egress policy: the set of hosts an agent may connect to.
- Policy
Document - The canonical policy document shared across enforcement layers.
- Tool
Rule - A single tool rule from the policy
tools:map.