vellaveto-engine 6.0.8

Policy evaluation engine with glob, regex, and domain matching
Documentation

vellaveto-engine

Policy evaluation engine for the Vellaveto MCP security gateway.

Overview

Evaluates security policies against MCP tool invocations with:

  • Glob and regex path matching with traversal protection
  • Domain matching with IDNA normalization and DNS rebinding defense
  • ABAC engine with Cedar-style forbid overrides
  • Decision cache with LRU eviction and TTL expiry
  • Wasm policy plugins via Wasmtime with fuel metering
  • Collusion detection and cascading failure circuit breakers
  • Fail-closed by default — errors and missing policies produce Deny

P99 evaluation latency: <5ms.

Usage

[dependencies]
vellaveto-engine = "6"

use vellaveto_engine::PolicyEngine;
use vellaveto_types::{Action, Policy};

let engine = PolicyEngine::with_policies(true, &policies);
let verdict = engine.evaluate(&action)?;

License

MPL-2.0 — see LICENSE-MPL-2.0 in the repository root.

Part of the Vellaveto project.