Bag keys the delegation step writes after a successful dispatch.
Centralized here so the evaluator (writer) and policy authors
(readers, via require(delegation.granted.*)) agree on the
canonical names — typos in either place silently break the
IdP-as-PDP pattern.
Bag keys an elicitation step writes so downstream rules in the same
phase — and the audit plugin — can read its state. Centralized here
(like delegation_bag_keys) so the evaluator/invoker (writers) and
policy authors (readers, via require(elicitation.*)) agree on the
canonical names.
ElicitationInvoker that immediately approves every elicitation:
dispatch returns a synthetic id (echoing the requested from as the
resolved approver), check reports Resolved { Approved } on the
first pass, and validate returns a genuine verdict. This lets a
single request flow dispatch → check → validate → allow without a real
channel — for evaluator tests and offline demos.
One elicitation invocation inside policy: or post_policy: — the
runtime dispatches a question to a human (approval, confirmation,
step-up, …) through a channel plugin, holds a pending state across
the agent’s retries, validates the response, and resumes.
What ElicitationInvoker::dispatch returns — the correlation id
plus the pending metadata the evaluator surfaces into the bag
(elicitation.*) and the host echoes in the JSON-RPC -32120
pending entry.
What ElicitationInvoker::validate returns — the genuineness
verdict plus the resolved facts the runtime records for audit. The
runtime layers the scope-over-args check on top before allowing the
phase to proceed.
DelegationInvoker impl that returns NotFound for every call.
Useful as the default for evaluator callers that don’t run any
delegate(...) steps — they need to pass something implementing
the trait, but the noop never actually gets invoked. Tests and
hosts that haven’t wired a real delegation backend pass this.
ElicitationInvoker impl that returns NotFound for every call.
The default for evaluator callers that run no elicitation steps —
they must pass something implementing the trait, but the noop never
actually gets invoked. Mirrors NoopDelegationInvoker; tests and
hosts that haven’t wired a real channel backend pass this.
A PDP invocation, opaque-args style. Resolvers parse args based on
the dialect they handle — apl-core doesn’t impose a Cedar/OPA/AuthZen
schema on args.
The “ask again later” bundle — produced when an elicitation has been
dispatched but the human hasn’t responded yet. It carries everything
the host needs to emit a JSON-RPC -32120 (“request not complete,
retry echoing this id”) to the agent instead of forwarding the call.
Where in the request lifecycle a plugin dispatch is happening.
Threads through PluginInvocation so the invoker can select the
right hook entry from a plugin that registered for both pre and
post phases (e.g. cmf.tool_pre_invoke AND cmf.tool_post_invoke).
The kind of elicitation — selects which validation contract the
runtime applies to the human’s response. A single AST node
([Step::Elicit]) covers every kind; the DSL exposes each via a
sugar verb (require_approval → Approval, confirm → Confirm,
…) that all parse to the same node. See
docs/apl-elicitation-hook-design.md for the per-kind contracts.
Delegation dispatch — invokes a TokenDelegateHook plugin to mint
a downstream credential. apl-cpex implements this against
cpex_core::PluginManager::invoke_entries::<TokenDelegateHook>.
Elicitation dispatch — drives a human-in-the-loop step (approval,
confirmation, step-up, …) through a channel plugin. apl-cpex
implements this against the named ElicitationHandler plugin
(step.plugin_name, resolved name → entry like delegation); tests
and un-wired hosts pass NoopElicitationInvoker.
Build a PdpResolver from a unified-config block. Implemented per
PDP backend (cedar-direct, opa, …) and registered with
the apl-cpex visitor so unified-config YAML can declare PDPs
without the host pre-constructing them in code.
External policy-decision dispatch. Implemented by Cedar, OPA HTTP
clients, AuthZen clients, NeMo Guardrails — anything that can answer
“given this call, allow or deny?” against a request context.