gatekeep
The soul selects her own society, Then shuts the door;
— Emily Dickinson, "Exclusion" (1890)
gatekeep is a code-first authorization engine for Rust. Policies are ordinary
Rust values, a pure deterministic core evaluates them, and every decision
carries the reasons that produced it.
Documentation
- docs/ — guides and reference for integrators
- docs.rs/gatekeep — core crate API
- Adapter crates: gatekeep-axum, gatekeep-fluent, gatekeep-keepsake, gatekeep-sqlx
Read Combining permit outcomes before designing graded access such as redacted/full records or scope unions.
Where it fits
Use gatekeep for an in-process authorization boundary authored in Rust, by the team that owns the application. Policies are composable combinators over a frozen set of facts, evaluated synchronously with no IO, so a decision replays exactly from its inputs.
It is not a policy DSL, an authentication or session layer, or a network policy service; those stay with the application or with crates built for them. Because each policy is reified as inspectable data, gatekeep can serialize, hash, diff, and explain a decision. It can also answer "which resources can this principal reach?", not just "may this principal reach this one?".
Usage
use ;
// Outcome grade: how much of a record the caller may read.
// A fact the application resolves before evaluation.
;
Partial evaluation reuses the same policy value with PartialFacts: mark
request-known facts as present or absent, leave resource-level facts unknown,
then lower the residual policy in an application-owned adapter. For SQL-backed
list queries, gatekeep-sqlx maps residual facts to trusted row predicates and
appends a lowered filter and grade projection to a sqlx::QueryBuilder.
Postgres is the default backend; SQLite and MySQL are available behind feature
flags.
For durable decision audit, configure an async AuditSink. gatekeep-sqlx
provides SqlxDecisionAuditRepository plus Postgres, SQLite, and MySQL aliases.
Run the audit migration for your backend, pass the repository to
Gatekeeper::with_audit_sink, and the Axum adapter will await the audit write
before returning permit or deny. The SQL schema stores the decision row, consulted
facts, obligations, request subjects, reason parameters, and an outbox row for
export workers.
use Gatekeeper;
use PgDecisionAuditRepository;
let audit = new;
let gatekeeper = new.with_audit_sink;
Use the matching migration under gatekeep-sqlx/migrations/{postgres,sqlite,mysql}.
Export workers can page gatekeep_audit_outbox by id and transform the stored
AuditEntry payload for Kafka, Restate, S3, or warehouse ingestion.
For the lowering walkthrough, see the gatekeep-sqlx docs on
docs.rs and the
axum-authorized-list example.
Why it exists
The Rust authz ecosystem leans on external DSLs. A policy DSL is worth its overhead across many services and for non-engineer authors; for a single Rust service it mostly adds cost: a second language, the domain re-encoded as entities and attributes, and typos that fail at runtime instead of compile time. gatekeep keeps policies in Rust and reifies them as data, so they stay analyzable.
License
Licensed under either of:
- Apache License, Version 2.0
- MIT license
at your option.