The hackamore policy engine — the reusable decision core.
Its entire public surface is one pure function, decide: given a normalized
Action and an agent’s Policy, it returns a Verdict. No I/O, no HTTP, no
async, no awareness that a proxy exists. That narrowness is the point: any data
plane (the bundled reverse proxy today, an Envoy ext_authz adapter tomorrow) can
reuse it by translating its request into an Action and enforcing the Verdict.
Semantics: rules are evaluated top-to-bottom, first match wins, and if no rule
matches the action is denied (fail closed). An Allow is bare: the engine
names no credentials — the matched service instance owns its credential, and the data
plane attaches the inject/passthrough obligation.
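The semantics above (top-to-bottom evaluation, first match wins, no match means deny, bare `Allow`) modelled as an added example; this is not the hackamore crate's own code, and the `Action`/`Rule` fields, the prefix-matching scheme and the `Deny` reason are assumptions made here for illustration.

```rust
// Assumed shape of a normalized action: the data plane fills these in.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Action {
    pub service: String, // e.g. "github"
    pub method: String,  // e.g. "GET"
    pub path: String,    // e.g. "/repos/acme/app"
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Effect { Allow, Deny }

// One rule: service must match exactly; method None = any; path by prefix ("" = any).
#[derive(Debug, Clone)]
pub struct Rule {
    pub service: String,
    pub method: Option<String>,
    pub path_prefix: String,
    pub effect: Effect,
}

#[derive(Debug, Clone, Default)]
pub struct Policy { pub rules: Vec<Rule> }

// Allow is bare: the verdict carries no credential, the matched service owns it.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Deny { reason: String },
}

impl Rule {
    fn matches(&self, a: &Action) -> bool {
        self.service == a.service
            && self.method.as_deref().map_or(true, |m| m == a.method.as_str())
            && a.path.starts_with(&self.path_prefix)
    }
}

/// Pure decision: no I/O, rules scanned in order, first match wins,
/// and an action no rule covers is denied (fail closed).
pub fn decide(action: &Action, policy: &Policy) -> Verdict {
    for (i, rule) in policy.rules.iter().enumerate() {
        if rule.matches(action) {
            return match rule.effect {
                Effect::Allow => Verdict::Allow,
                Effect::Deny => Verdict::Deny { reason: format!("rule {} denies", i) },
            };
        }
    }
    Verdict::Deny { reason: "no matching rule (fail closed)".to_string() }
}
```

Because an earlier `Deny` shadows any later `Allow` for the same action, rule order is part of the policy's meaning and should be reviewed as such.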
Functions
- `decide`: Decide whether `action` is permitted under `policy`.