Skip to main content

Module authorization

Module authorization 

Source
Expand description

Authorization aspects.

This module provides two complementary authorization aspects:

  • AuthorizationAspect — role-based access control (RBAC). Given the set of roles the caller holds, admit or deny based on a required-role policy. The classical AspectJ / Spring Security shape.

  • AllowlistAspect — identity-based allowlisting. Given an identity string (user ID, phone number, email, public key, etc.), admit if it matches a configured set, with optional wildcard and normalization hooks. This is the shape that recurs across messaging-channel integrations: each channel has its own per-channel allowlist of who is permitted to talk to the bot. The ICSE 2027 evaluation migrates the zeroclaw codebase from 25 hand-rolled per-channel checks to a single shared AllowlistAspect configured per channel.

Structs§

AllowlistAspect
Identity-based allowlist aspect.
AllowlistCall
Per-call context bound to the most recent guarded join point. Set by the host before proceed() is invoked; cleared by release.
AuthorizationAspect
Role-based access control aspect.

Enums§

AuthMode
Authorization mode.
MatchPolicy
Borrowed matching policy for the stateless is_allowed_in entry point.

Functions§

is_allowed_in
Stateless allowlist check: returns true when identity is admitted by entries under policy. Holds no state — the caller passes the entries (typically resolved from a canonical config source per call), so this satisfies single-source-of-truth invariants that forbid caching the allowlist in a long-lived field.