Crate entelix_policy

§entelix-policy

Multi-tenant operational primitives that LangChain / LangGraph leave to the host: token-bucket rate limiting, bidirectional PII redaction (F5 mitigation), rust_decimal-backed transactional cost accounting (F4 mitigation), composite quota enforcement, and the per-tenant aggregate (TenantPolicy) plus the runtime registry (PolicyRegistry) that indexes them by tenant_id.

§Surface in one screen

  • RateLimiter (trait) + TokenBucketLimiter — async, per-key, time-injectable for deterministic tests.
  • PiiRedactor (trait) + RegexRedactor — runs on both pre_request and post_response so leaks can’t slip past in either direction.
  • CostMeter + PricingTable / ModelPricing: rust_decimal for float-free arithmetic; charges are recorded only after the response decoder succeeds (transactional — F4).
  • QuotaLimiter — composite: rate (RPS) + budget ceiling (per-tenant cumulative spend cap).
  • TenantPolicy — per-tenant aggregate of optional handles to the four primitives above.
  • PolicyRegistry: DashMap<tenant_id, Arc<TenantPolicy>> with a fallback default policy.
  • PolicyLayer: tower::Layer<S> that wires every primitive into both Service<ModelInvocation> and Service<ToolInvocation> pipelines. Compose via ChatModel::layer(PolicyLayer::new(mgr)) for model calls and ToolRegistry::layer(PolicyLayer::new(mgr)) for tool calls — same struct on both sides.

§Layer lifecycle (model calls)

  • before inner.call (Service<ModelInvocation>):
    1. PiiRedactor::redact_request — outbound scrub.
    2. QuotaLimiter::check_pre_request — rate + budget gate. Returns Error::Provider { status: 429 | 402, ... } on refusal.
  • after inner.call:
    1. PiiRedactor::redact_response — inbound scrub.
    2. CostMeter::charge — transactional charge (F4 — only here, after a successful inner call).
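
An added example, not code from entelix-policy: a std-only Rust model of the pre-request quota gate and the charge-after-success rule (F4) from the lifecycle above. `Gate`, `Tenant`, `Refusal`, the budget-before-rate check order, the `>=` ceiling comparison and the integer cost units (standing in for rust_decimal) are assumptions; redaction and token refill are left out.

```rust
// Added illustration (not entelix-policy code); every name below is hypothetical.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum Refusal { Rate429, Budget402, Upstream(String) }

// Cost is kept in integer units (stand-in for rust_decimal): no float drift.
struct Tenant { tokens: u32, spent: u64, ceiling: u64 }

#[derive(Default)]
struct Gate { tenants: HashMap<&'static str, Tenant> }

impl Gate {
    // Pre-request gate. Assumed order: budget first, then one rate token (no refill here).
    fn pre_request(&mut self, id: &str) -> Result<(), Refusal> {
        let t = self.tenants.get_mut(id).expect("tenant registered");
        if t.spent >= t.ceiling { return Err(Refusal::Budget402); }
        if t.tokens == 0 { return Err(Refusal::Rate429); }
        t.tokens -= 1;
        Ok(())
    }

    // Gate, run the inner call, and charge only if the inner call returned Ok.
    fn call(&mut self, id: &str, price_per_1k: u64,
            inner: impl FnOnce() -> Result<u64, String>) -> Result<u64, Refusal> {
        self.pre_request(id)?;
        let used = inner().map_err(Refusal::Upstream)?; // failed call: ledger untouched
        let cost = price_per_1k * used / 1000;
        self.tenants.get_mut(id).expect("tenant registered").spent += cost;
        Ok(cost)
    }

    fn ledger(&self, id: &str) -> u64 { self.tenants[id].spent }
}

// Constructed scenario: 3 rate tokens, ceiling 50, price 20 per 1000 tokens.
fn demo() -> (Vec<Result<u64, Refusal>>, u64) {
    let mut g = Gate::default();
    g.tenants.insert("acme", Tenant { tokens: 3, spent: 0, ceiling: 50 });
    let out = vec![
        g.call("acme", 20, || Ok(1500)),                    // charged 30
        g.call("acme", 20, || Err("decode failed".into())), // no charge
        g.call("acme", 20, || Ok(1500)),                    // starts at 30 < 50, ends at 60
        g.call("acme", 20, || Ok(1500)),                    // 60 >= 50: refused before the call
    ];
    (out, g.ledger("acme"))
}

fn main() { println!("{:?}", demo()); }
```

In this model the ceiling is only compared before the call, so a request that starts under the ceiling can finish over it; the next request is the one that gets refused.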

§Layer lifecycle (tool calls)

  • before inner.call (Service<ToolInvocation>):
    1. PiiRedactor::redact_json(input) — scrub tool input JSON.
  • after inner.call:
    1. PiiRedactor::redact_json(output) — scrub tool output JSON.

§Tenant scoping

Every primitive looks up state by ExecutionContext::tenant_id(). A request without an explicit tenant uses the entelix_core::DEFAULT_TENANT_ID scope; the default tenant gets the PolicyRegistry’s default policy (typically “no policy” — pass-through).

Structs§

Budget
Per-tenant cumulative spend ceiling. Compared against CostMeter::spent_by(tenant) at pre-request time.
CostMeter
Per-tenant cost ledger. Records the cumulative spend for every tenant that has ever been charged.
ModelPricing
Per-model pricing, in cost units per 1000 tokens. The unit is caller-defined (USD cents, GBP pence, internal credits) — the meter is unit-blind and just sums Decimals.
PiiPattern
One named redaction pattern.
PolicyLayer
Layer that wraps an inner service with per-tenant policy enforcement.
PolicyRegistry
Runtime registry mapping tenant_id → TenantPolicy.
PolicyService
Service produced by PolicyLayer. Generic over the inner service type; specialised Service<ModelInvocation> and Service<ToolInvocation> impls below.
PricingTable
Lookup of model name → ModelPricing. Keys are the same model strings the codecs send to the wire (e.g. "claude-opus-4-7", "gpt-4.1"). Lookup is exact; aliases are the caller’s responsibility.
QuotaLimiter
Composite quota gate.
RegexRedactor
Regex-driven PII redactor.
TenantPolicy
Per-tenant aggregate of policy handles.
TokenBucketLimiter
Per-key token-bucket limiter. Buckets are created lazily on first try_acquire; a key never seen before starts full.

Enums§

PolicyError
Policy-layer failures.
UnknownModelPolicy
Behavior when CostMeter::charge is called with a model that has no entry in the PricingTable.

Constants§

DEFAULT_MAX_TENANTS
Default cap on distinct tenant ledger entries.
MAX_WARNED_MODELS
Cap on distinct model names tracked under WarnOnce.

Traits§

PiiRedactor
Bidirectional PII redaction surface.
RateLimiter
Backend-agnostic rate-limit surface.
UnknownModelSink
Observer notified on every unknown-model charge attempt.

Functions§

default_pii_patterns
A small starter set of PII patterns. Production deployments almost always extend or replace these per jurisdiction; this list exists so a RegexRedactor::default() is non-trivial out of the box.
luhn_valid
Luhn-checksum validator — reject candidate runs that aren’t well-formed payment-card numbers. Strips spaces, dashes, and non-digit noise before computing.

Type Aliases§

PolicyResult
Result alias used inside entelix-policy.