Aperion Shield – self-contained rule engine for the standalone product.
Schema overview (YAML, v2 – v1 documents still load unchanged):
```yaml
shieldset:
  version: 2
  policy:                       # all optional -- v1 documents have no `policy:`
    workspace_probe:
      enabled: true
      prod_signals: [".env.production", "prod/", "Procfile"]
      severity_bump: 1
    decision_memory:
      enabled: true
      demote_after_approvals: 3
      escalate_on_deny_days: 7
    burst_detector:
      enabled: true
      window_seconds: 300
      threshold: 5
    composite_scoring:
      enabled: true
      thresholds: { medium: 2, high: 5, critical: 9 }
  rules:
    - id: ...
      severity: Critical | High | Medium | Low
      points: 5                 # NEW (v2): contributes to composite score
      where: tool_call | llm_response
      safer_alternative: "..."  # NEW (v2): teach the user the safe form
      match:
        tool: ["execute_sql", ...]
        any_param_matches: ['regex', ...]
        sql_matches: ['regex', ...]
        sql_predicates: [unscoped_update, unscoped_delete]
        text_matches: ['regex', ...]
        command_predicates: [curl_pipe_sh, env_to_network, reverse_shell]  # NEW (v2)
        sensitive_paths: ['/etc/**', '~/.ssh/**', '~/.aws/**']             # NEW (v2)
      reason: "..."
```

Severity -> outcome mapping for the standalone:
| Severity | Decision |
|---|---|
| Critical | Block (JSON-RPC error) |
| High | Approval (waits on inbox) |
| Medium | Allow + warn banner |
| Low | Allow + audit-only log |
Adaptive layer (v2): the raw severity above is the rule’s baseline. The final severity is the max of:
- The highest single matched rule’s severity, AND
- The composite-score-derived severity (sum of `points` across all matching rules, mapped to thresholds), AND
- The base severity bumped up by one tier if the workspace looks like production, AND
- The base severity bumped up by one tier if Shield has recently denied this exact (rule_id, argv-fingerprint) pair, AND
- The base severity bumped up by one tier while a destructive burst is in progress.
Memory may demote by one tier when the user has approved this exact fingerprint >= N times with no recent denials.
All adjustments compose monotonically: the worst (highest-rank) severity wins.
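The resolution described above, worked through as an added example (not Aperion Shield's own code). The `Signals` struct, `resolve` and `from_score` are hypothetical names; the inclusive threshold comparison and applying the memory demotion only to the base candidate are assumptions, since the text does not spell them out.

```rust
// Added illustration: hypothetical names, not Aperion Shield's own types.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Severity { Low, Medium, High, Critical } // declaration order gives the rank

impl Severity {
    fn bump(self) -> Self {
        match self {
            Severity::Low => Severity::Medium,
            Severity::Medium => Severity::High,
            _ => Severity::Critical, // Critical saturates
        }
    }
    fn demote(self) -> Self {
        match self {
            Severity::Critical => Severity::High,
            Severity::High => Severity::Medium,
            _ => Severity::Low,
        }
    }
}

#[derive(Default)]
struct Signals { prod_workspace: bool, recent_deny: bool, burst_active: bool, memory_demote: bool }

// Thresholds from the schema sample: { medium: 2, high: 5, critical: 9 }.
// Assumption: a score equal to a threshold reaches that tier.
fn from_score(points: u32) -> Severity {
    match points {
        0..=1 => Severity::Low,
        2..=4 => Severity::Medium,
        5..=8 => Severity::High,
        _ => Severity::Critical,
    }
}

/// `matched` holds (baseline severity, points) for each rule that fired.
fn resolve(matched: &[(Severity, u32)], s: &Signals) -> Option<Severity> {
    let base = matched.iter().map(|m| m.0).max()?; // None when nothing matched
    let score: u32 = matched.iter().map(|m| m.1).sum();
    // Assumption: demotion lowers only the base candidate, so any escalation still wins.
    let mut candidates = vec![if s.memory_demote { base.demote() } else { base }, from_score(score)];
    for active in [s.prod_workspace, s.recent_deny, s.burst_active] {
        if active { candidates.push(base.bump()); }
    }
    candidates.into_iter().max()
}

fn main() {
    let prod = Signals { prod_workspace: true, ..Default::default() };
    println!("{:?}", resolve(&[(Severity::High, 1)], &prod)); // Some(Critical)
}
```

Two Medium rules worth 3 points each resolve to High through the composite score alone, which is the case a single-rule view of severity would miss.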
Structs
- Adjustments
- All adaptive adjustments the engine should apply on top of the raw rule severity. Computed by the caller (main.rs) from runtime state (workspace context, decision memory, burst detector). Passing these in keeps the engine pure and testable.
- BurstDetectorCfg
- CompiledRule
- CompositeScoringCfg
- CompositeThresholds
- DecisionMemoryCfg
- Engine
- Evaluation
- All rule matches for one evaluation, plus the adaptive resolution.
- MatchInfo
- Policy
- Root
- Shieldset
- SupplyChainCfg
- v0.9 MCP supply-chain protection. Controls TOFU pinning of the upstream’s tool catalog and what happens when a pinned tool’s definition changes underneath the user (a “rug pull”).
- WorkspaceProbeCfg
- YamlMatch
- YamlRule
Enums
Functions
- decide
- Turn an evaluation into a concrete Decision. The “primary” rule is whichever matched rule contributed the highest individual severity; ties broken by points then by lexicographic id.
- fingerprint
- Fingerprint a (rule_id, params) tuple. We hash rule_id + a stable JSON serialisation of the parameters; the first 16 hex chars are enough – 64 bits of randomness, collision risk negligible for a per-user local file with O(thousands) of entries.