```rust
pub trait ScpResolver: Send + Sync {
    // Required method
    fn scps_for(&self, principal: &Principal) -> Option<Vec<String>>;
}
```
Abstraction over "given a principal, return the inherited SCP documents that form the top-of-chain allow-list ceiling for the principal's account". Implemented by fakecloud-organizations.

Returning `None` means SCPs do not apply (no org exists for this fakecloud process, or the principal is the management account, or the principal is a service-linked role, or the account is not enrolled in the organization). Dispatch plumbs the returned slice straight into `IamPolicyEvaluator`.

The ordered list puts root-OU-attached policies first, then each descendant OU down to the account's parent, and account-direct attachments last. The evaluator treats each entry as a separate gate that must allow (intersection), matching AWS SCP semantics.
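The following is an added, self-contained example of implementing this trait against an in-memory organization and then consuming the result the way the description says the evaluator does: every returned document is an independent gate, and `None` lifts the ceiling entirely. It is not code from fakecloud or fakecloud-organizations. The `Principal` struct, the `StaticOrgResolver` type, the `sample_org` data and the one-statement-per-line document syntax (`Allow <pattern>` / `Deny <pattern>`, in place of real IAM JSON) are all assumptions made for the example; only the `ScpResolver` trait itself comes from the page.

```rust
use std::collections::HashMap;

// Assumption: minimal stand-in for the crate's `Principal`; the real type carries more.
#[derive(Debug, Clone)]
pub struct Principal {
    pub account_id: String,
    pub service_linked: bool,
}

// The trait exactly as documented on the page.
pub trait ScpResolver: Send + Sync {
    fn scps_for(&self, principal: &Principal) -> Option<Vec<String>>;
}

// Hypothetical in-memory organization standing in for what fakecloud-organizations holds.
pub struct StaticOrgResolver {
    pub management_account: String,
    /// account id -> OU ids from the root OU down to the account's parent OU
    pub account_ou_path: HashMap<String, Vec<String>>,
    /// attachment target (OU id or account id) -> SCP documents attached to it
    pub attachments: HashMap<String, Vec<String>>,
}

impl ScpResolver for StaticOrgResolver {
    fn scps_for(&self, principal: &Principal) -> Option<Vec<String>> {
        // Management account and service-linked roles: SCPs do not apply.
        if principal.service_linked || principal.account_id == self.management_account {
            return None;
        }
        // Account not enrolled in the organization: SCPs do not apply either.
        let path = self.account_ou_path.get(&principal.account_id)?;
        // Root OU first, then each descendant OU, then account-direct attachments last.
        let mut docs = Vec::new();
        for target in path.iter().chain(std::iter::once(&principal.account_id)) {
            if let Some(attached) = self.attachments.get(target) {
                docs.extend(attached.iter().cloned());
            }
        }
        Some(docs)
    }
}

// Constructed toy matcher: `*` or `prefix:*` wildcards, otherwise exact action match.
fn pattern_matches(pattern: &str, action: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => action.starts_with(prefix),
        None => pattern == action,
    }
}

// One document is a single gate: an explicit Deny wins, otherwise some Allow must match.
fn document_allows(doc: &str, action: &str) -> bool {
    let mut allowed = false;
    for line in doc.lines().map(str::trim).filter(|l| !l.is_empty()) {
        let Some((effect, pattern)) = line.split_once(' ') else { continue };
        if !pattern_matches(pattern, action) {
            continue;
        }
        match effect {
            "Deny" => return false,
            "Allow" => allowed = true,
            _ => {}
        }
    }
    allowed
}

/// Intersection semantics: every returned document must allow the action.
/// `None` from the resolver means no SCP ceiling applies at all.
pub fn scp_ceiling_allows(resolver: &dyn ScpResolver, principal: &Principal, action: &str) -> bool {
    match resolver.scps_for(principal) {
        None => true,
        Some(docs) => docs.iter().all(|d| document_allows(d, action)),
    }
}

/// Constructed sample organization: root OU allows everything, `ou-prod` denies IAM,
/// `ou-sandbox` only allows EC2 (so anything else fails by omission), and one account
/// carries an account-direct deny on bucket deletion.
pub fn sample_org() -> StaticOrgResolver {
    let s = |v: &str| v.to_string();
    StaticOrgResolver {
        management_account: s("999999999999"),
        account_ou_path: HashMap::from([
            (s("111111111111"), vec![s("r-root"), s("ou-prod")]),
            (s("333333333333"), vec![s("r-root"), s("ou-sandbox")]),
        ]),
        attachments: HashMap::from([
            (s("r-root"), vec![s("Allow *")]),
            (s("ou-prod"), vec![s("Allow *\nDeny iam:*")]),
            (s("ou-sandbox"), vec![s("Allow ec2:*")]),
            (s("111111111111"), vec![s("Allow *\nDeny s3:DeleteBucket")]),
        ]),
    }
}

fn main() {
    let org = sample_org();
    let member = Principal { account_id: "111111111111".into(), service_linked: false };
    println!("s3:GetObject allowed: {}", scp_ceiling_allows(&org, &member, "s3:GetObject"));
    println!("iam:CreateUser allowed: {}", scp_ceiling_allows(&org, &member, "iam:CreateUser"));
}
```

The sandbox account is the case worth noticing: none of its documents contains a Deny for `s3:GetObject`, yet the action is blocked, because the `ou-sandbox` gate simply never allows it and every gate must allow. That is the allow-list ceiling the description refers to, and it is why the ordering of the returned list matters only for readability: under intersection, each document is checked on its own.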