gatewarden 0.3.0

Hardened Keygen.sh license validation infrastructure
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

use super::compiler::{compile_rules, CompiledPlan};
use super::model::{EvalInput, Predicate, Rule, RuleDecision, Selector};
use super::runtime::{execute, RuntimeResult};

/// The result of evaluating an FSE policy against an input.
#[derive(Debug, Clone)]
pub struct EvaluationReport {
    /// Whether all required rules passed (access granted).
    pub allow: bool,
    /// Number of unique selectors scanned — the FSE proof metric.
    pub selectors_scanned: usize,
    /// Per-rule outcomes: (rule_id, decision).
    pub rule_outcomes: Vec<(String, RuleDecision)>,
}

/// Build the default security rule set for Gatewarden validation.
///
/// Covers: profile match, signature present, digest match, freshness (300s),
/// entitlement check, and bridge token validation. All rules are required.
pub fn default_security_rules(profile_id: &str, required_entitlement: &str) -> Vec<Rule> {
    vec![
        Rule {
            id: "response.profile_matches".to_string(),
            selector: Selector::ProfileId,
            predicate: Predicate::EqString(profile_id.to_string()),
            required: true,
        },
        Rule {
            id: "response.signature_present".to_string(),
            selector: Selector::SignaturePresent,
            predicate: Predicate::BoolIsTrue,
            required: true,
        },
        Rule {
            id: "response.digest_matches".to_string(),
            selector: Selector::DigestMatches,
            predicate: Predicate::BoolIsTrue,
            required: true,
        },
        Rule {
            id: "response.freshness_under_300s".to_string(),
            selector: Selector::ResponseAgeSeconds,
            predicate: Predicate::MaxU64(300),
            required: true,
        },
        Rule {
            id: "license.has_required_entitlement".to_string(),
            selector: Selector::Entitlements,
            predicate: Predicate::ContainsString(required_entitlement.to_string()),
            required: true,
        },
        Rule {
            id: "bridge.token_valid".to_string(),
            selector: Selector::BridgeTokenValid,
            predicate: Predicate::BoolIsTrue,
            required: true,
        },
    ]
}

/// Evaluate a set of rules against an input using the FSE engine.
///
/// Compiles the rules into a plan, executes in a single pass over unique
/// selectors, and returns the evaluation report.
pub fn evaluate_policy(rules: Vec<Rule>, input: EvalInput) -> EvaluationReport {
    let plan: CompiledPlan = compile_rules(rules);
    let runtime: RuntimeResult = execute(&plan, &input);

    EvaluationReport {
        allow: runtime.allow,
        selectors_scanned: runtime.selectors_scanned,
        rule_outcomes: runtime
            .outcomes
            .iter()
            .map(|o| (o.rule_id.clone(), o.decision.clone()))
            .collect(),
    }
}