converge-policy 3.7.0

Cedar-based Policy Decision Point for Converge gate model
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

//! Policy decision types aligned with converge-core's gate model.
//!
//! Maps Cedar allow/deny to the three-valued `GateDecision`:
//! Promote (allow), Reject (deny), Escalate (needs human).

use serde::{Deserialize, Serialize};

use converge_core::FlowAction;
use converge_pack::{PrincipalId, ResourceId};

/// Outcome of a policy evaluation, aligned with converge-core's `GateDecision`.
///
/// This is intentionally compatible with `converge_pack::gate::GateDecision`
/// so that policy decisions can flow directly into the promotion gate pipeline.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum PolicyOutcome {
    /// Action is allowed — maps to `GateDecision::Promote`
    Promote,
    /// Action is denied — maps to `GateDecision::Reject`
    Reject,
    /// Action requires escalation to human authority — maps to `GateDecision::Escalate`
    Escalate,
}

impl PolicyOutcome {
    #[must_use]
    pub fn is_allowed(&self) -> bool {
        matches!(self, Self::Promote)
    }

    #[must_use]
    pub fn is_terminal(&self) -> bool {
        matches!(self, Self::Promote | Self::Reject)
    }
}

/// Full policy decision with rationale and audit trail
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PolicyDecision {
    /// The outcome
    pub outcome: PolicyOutcome,
    /// How the decision was made
    pub mode: DecisionMode,
    /// Human-readable rationale (from Cedar diagnostics or delegation verification)
    pub reason: Option<String>,
    /// The principal that was evaluated
    pub principal_id: PrincipalId,
    /// The action that was attempted
    pub action: FlowAction,
    /// The resource that was targeted
    pub resource_id: ResourceId,
}

/// How the decision was reached
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum DecisionMode {
    /// Evaluated via Cedar policy rules
    Policy,
    /// Verified via signed delegation token
    Delegation,
}

impl PolicyDecision {
    #[must_use]
    pub fn policy(
        outcome: PolicyOutcome,
        reason: Option<String>,
        principal_id: impl Into<PrincipalId>,
        action: FlowAction,
        resource_id: impl Into<ResourceId>,
    ) -> Self {
        Self {
            outcome,
            mode: DecisionMode::Policy,
            reason,
            principal_id: principal_id.into(),
            action,
            resource_id: resource_id.into(),
        }
    }

    #[must_use]
    pub fn delegation(
        outcome: PolicyOutcome,
        reason: Option<String>,
        principal_id: impl Into<PrincipalId>,
        action: FlowAction,
        resource_id: impl Into<ResourceId>,
    ) -> Self {
        Self {
            outcome,
            mode: DecisionMode::Delegation,
            reason,
            principal_id: principal_id.into(),
            action,
            resource_id: resource_id.into(),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn policy_outcome_is_allowed() {
        assert!(PolicyOutcome::Promote.is_allowed());
        assert!(!PolicyOutcome::Reject.is_allowed());
        assert!(!PolicyOutcome::Escalate.is_allowed());
    }

    #[test]
    fn policy_outcome_is_terminal() {
        assert!(PolicyOutcome::Promote.is_terminal());
        assert!(PolicyOutcome::Reject.is_terminal());
        assert!(!PolicyOutcome::Escalate.is_terminal());
    }

    #[test]
    fn policy_decision_constructor_sets_mode() {
        let d = PolicyDecision::policy(
            PolicyOutcome::Promote,
            Some("reason".into()),
            "agent:x",
            FlowAction::Propose,
            "flow:1",
        );
        assert_eq!(d.mode, DecisionMode::Policy);
        assert_eq!(d.outcome, PolicyOutcome::Promote);
        assert_eq!(d.reason.as_deref(), Some("reason"));
        assert_eq!(d.principal_id, "agent:x");
        assert_eq!(d.action, FlowAction::Propose);
        assert_eq!(d.resource_id, "flow:1");
    }

    #[test]
    fn delegation_decision_constructor_sets_mode() {
        let d = PolicyDecision::delegation(
            PolicyOutcome::Escalate,
            None,
            "agent:y",
            FlowAction::Commit,
            "flow:2",
        );
        assert_eq!(d.mode, DecisionMode::Delegation);
        assert_eq!(d.outcome, PolicyOutcome::Escalate);
        assert!(d.reason.is_none());
    }

    #[test]
    fn policy_outcome_serde_roundtrip() {
        for outcome in [
            PolicyOutcome::Promote,
            PolicyOutcome::Reject,
            PolicyOutcome::Escalate,
        ] {
            let json = serde_json::to_string(&outcome).unwrap();
            let back: PolicyOutcome = serde_json::from_str(&json).unwrap();
            assert_eq!(outcome, back);
        }
    }

    #[test]
    fn decision_mode_serde_roundtrip() {
        for mode in [DecisionMode::Policy, DecisionMode::Delegation] {
            let json = serde_json::to_string(&mode).unwrap();
            let back: DecisionMode = serde_json::from_str(&json).unwrap();
            assert_eq!(mode, back);
        }
    }
}