Skip to main content

Module document

Module document 

Source
Expand description

The canonical, cross-layer policy AST.

PolicyDocument is the single typed source of truth that both the gateway rule engine (L7) and the eBPF map compiler (kernel) consume, so a policy is described exactly once and the two enforcement layers cannot drift apart. See AAASM-3606 / AAASM-3561.

This is deliberately the canonical (lowering-relevant) shape: the filesystem/capability and network-egress dimensions that the kernel layer can enforce, plus the tool-path predicates needed to derive in-kernel path rules. Gateway-only evaluation concerns (history stores, CEL contexts, budget accounting) stay in aa-gateway and operate on top of this AST.

Structs§

NetworkPolicy
Network egress policy: the set of hosts an agent may connect to.
PolicyDocument
The canonical policy document shared across enforcement layers.
ToolRule
A single tool rule from the policy tools: map.