Skip to main content

Module security

Module security 

Source

Structs§

ClientExtension
The OAuth client / gateway-access principal — what application is brokering the request, as opposed to which user is using it (SubjectExtension) and which attested workload is the network peer (WorkloadIdentity). Populated from a client-credentials or session JWT by an identity-resolver plugin (or supplied directly by a trusted upstream gateway).
DataPolicy
Data policy for a named data element.
ObjectSecurityProfile
Security profile for a managed object.
RetentionPolicy
Retention policy for data.
SecurityExtension
Security-related extensions.
SubjectExtension
Authenticated subject identity.
WorkloadIdentity
SPIFFE-style workload identity, used for both inbound callers (SecurityExtension.caller_workload — added in a subsequent slice) and our own outbound identity (SecurityExtension.this_workload).

Enums§

ClientTrustLevel
Trust classification for the OAuth client / gateway that brokered the request. Distinct from the user’s subject identity — the same human can connect through a first-party browser flow or a third-party agent, and policies often want to distinguish them.
SubjectType
Subject type for identity classification.