Bag keys the delegation step writes after a successful dispatch.
Centralized here so the evaluator (writer) and policy authors
(readers, via require(delegation.granted.*)) agree on the
canonical names — typos in either place silently break the
IdP-as-PDP pattern.
DelegationInvoker impl that returns NotFound for every call.
Useful as the default for evaluator callers that don’t run any
delegate(...) steps — they need to pass something implementing
the trait, but the noop never actually gets invoked. Tests and
hosts that haven’t wired a real delegation backend pass this.
A PDP invocation, opaque-args style. Resolvers parse args based on
the dialect they handle — apl-core doesn’t impose a Cedar/OPA/AuthZen
schema on args.
Where in the request lifecycle a plugin dispatch is happening.
Threads through PluginInvocation so the invoker can select the
right hook entry from a plugin that registered for both pre and
post phases (e.g. cmf.tool_pre_invoke AND cmf.tool_post_invoke).
Delegation dispatch — invokes a TokenDelegateHook plugin to mint
a downstream credential. apl-cpex implements this against
cpex_core::PluginManager::invoke_entries::<TokenDelegateHook>.
Build a PdpResolver from a unified-config block. Implemented per
PDP backend (cedar-direct, opa, …) and registered with
the apl-cpex visitor so unified-config YAML can declare PDPs
without the host pre-constructing them in code.
External policy-decision dispatch. Implemented by Cedar, OPA HTTP
clients, AuthZen clients, NeMo Guardrails — anything that can answer
“given this call, allow or deny?” against a request context.