Module policy

Structs

PolicyActorSelector
PolicyAllowRule
PolicyCompiler
PolicyConfig
PolicyDecision
PolicyEngine
PolicyRequest
What a caller wants to do, sans identity. Actor identity flows through a separate actor_id: &str parameter on PolicyEngine::authorize / PolicyChecker::check — encoding the architectural invariant that actor identity is server-authoritative and must not be supplied by the same code path that supplies the requested action. In the HTTP layer, the bearer-token middleware resolves the actor and passes it independently; clients cannot smuggle identity inside this struct.
PolicyRule
PolicyTestCase
PolicyTestConfig

Enums

PolicyAction
PolicyBranchScope
PolicyEngineKind
Which kind of policy file the caller is loading. Drives the load-time validation that catches a “wrong action in wrong file” mistake — a graph policy with graph_list rules, or a server policy with read rules, both compile silently as Cedar but never match any actual request. Typing the loader makes the mistake a load-time error.
PolicyError
Engine-layer policy enforcement error. Denied is the normal “policy said no” path; Internal covers evaluation failures (malformed rule, Cedar internal error, etc.).
PolicyExpectation
PolicyResourceKind
Which Cedar entity an action’s policies apply to. Internal to omnigraph-policy — drives the compile_policy_source template and the request-time resource UID construction.
ResourceScope
Resource scope for a policy decision. Deliberately branch-grained: per-type / per-row granularity is owned by the query layer (MR-725).

Traits

PolicyChecker
Engine-layer policy enforcement trait. Implemented by PolicyEngine (Cedar-backed) and any mock checker used in tests.