Policy engine for authorization decisions.
This module provides the policy evaluation layer that determines whether a device or identity is authorized to perform specific actions.
§Architecture
The policy engine sits between storage (which provides data) and application code (which needs authorization decisions):
┌──────────────────┐     ┌───────────────┐     ┌──────────────────┐
│ Storage/Registry │ ──► │ Policy Engine │ ──► │ Decision (Y/N/?) │
└──────────────────┘     └───────────────┘     └──────────────────┘
       (data)              (evaluation)             (result)

§Relationship to Trust Module
This module handles authorization (can X do Y?), while the crate::trust module handles identity verification (is X who they claim?). Both are needed for secure operation:
- First, verify identity using crate::trust::check_trust
- Then, check authorization using this policy module
§Sans-IO Design (INVARIANT)
This module MUST remain pure/sans-IO. All policy functions take their inputs explicitly and never access storage or system resources directly.
§Prohibited in Production Code
- RegistryBackend or any storage trait
- git2 or filesystem access
- Utc::now() or other system clock access
- Network I/O
§Required Pattern
All external data must be passed as parameters:
```rust
fn evaluate(
    attestation: &Attestation, // Data from storage (caller fetches)
    action: &Action,           // What to authorize
    now: DateTime<Utc>,        // Time (caller provides)
) -> Decision
```

§Benefits
- Testable: No mocks needed, just pass test data
- Deterministic: Same inputs always produce same outputs
- Portable: Works in WASM, embedded, anywhere
- Auditable: All decision factors are explicit
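The following is an added example of the required pattern in working code; it is not the auths-core crate's own implementation. The Attestation and Action fields, the Decision variant names (Allow/Deny/Indeterminate for the Y/N/? result) and the use of Unix seconds in place of chrono's DateTime<Utc> are all assumptions made so the example compiles with the standard library alone. It also shows the caller ordering from the trust-module section: identity is assumed already verified, and only the authorization question is answered here.

```rust
// Added example of the sans-IO pattern described above. Types, field names
// and Decision variants are assumptions for illustration, not the crate's own.

/// Result of an authorization policy evaluation (variant names assumed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Deny,
    /// The supplied data does not speak to this question at all; the caller
    /// must fetch more data or fail closed.
    Indeterminate,
}

/// Attestation as the caller fetched it from storage (assumed shape).
/// Timestamps are Unix seconds rather than chrono's DateTime<Utc> so the
/// example needs no external crate.
#[derive(Debug, Clone)]
pub struct Attestation {
    pub subject: String,
    pub permitted_actions: Vec<String>,
    pub not_before: u64,
    pub expires_at: u64,
    pub revoked: bool,
}

/// The action the caller wants authorized (assumed shape).
#[derive(Debug, Clone)]
pub struct Action {
    pub subject: String,
    pub name: String,
}

/// Pure policy evaluation: every input, including the clock, is a parameter,
/// so the same call always yields the same Decision and no storage, clock or
/// network is touched in this function.
pub fn evaluate(attestation: &Attestation, action: &Action, now: u64) -> Decision {
    // Revocation and the validity window are checked before anything else:
    // a revoked, expired or not-yet-valid attestation authorizes nothing.
    if attestation.revoked || now >= attestation.expires_at || now < attestation.not_before {
        return Decision::Deny;
    }
    // An attestation about a different subject says nothing about this one.
    if attestation.subject != action.subject {
        return Decision::Indeterminate;
    }
    if attestation.permitted_actions.iter().any(|a| a == &action.name) {
        Decision::Allow
    } else {
        Decision::Deny
    }
}

/// Constructed sample data standing in for what the caller fetched from storage.
pub fn sample_attestation() -> Attestation {
    Attestation {
        subject: "device-42".to_string(),
        permitted_actions: vec!["read".to_string(), "push".to_string()],
        not_before: 1_000,
        expires_at: 2_000,
        revoked: false,
    }
}

fn main() {
    // The caller is the only place that reads the clock; the policy function
    // just receives the value. Identity is assumed already verified by the
    // trust module (not shown here).
    let now = 1_500;
    let att = sample_attestation();
    let push = Action { subject: "device-42".to_string(), name: "push".to_string() };
    println!("push at {}: {:?}", now, evaluate(&att, &push, now));
    // Expiry is exercised by passing a later timestamp, with no sleeping
    // and no clock to fake.
    println!("push at 2500: {:?}", evaluate(&att, &push, 2_500));
}
```

Because the clock is an argument, an expiry test is just a different integer, and the grep in the CI section below finds nothing in this code: there is no storage trait, no git2 and no std::fs to flag.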
§CI Verification
Run to verify invariant is maintained:
```sh
grep -rn "RegistryBackend\|git2\|std::fs" crates/auths-core/src/policy/
# Production code should return nothing (tests/docs excluded)
```

§Modules
§Enums
- Decision
- Result of an authorization policy evaluation.