Module policy

rustchain

Module policy 

Source
Expand description

§Policy Engine

Rule-based access control and policy enforcement for RustChain missions.

The policy engine provides fine-grained control over what actions can be performed, by whom, when, and under what conditions.

§Features

  • Rule-based access control: Define allow/deny rules with conditions
  • Time-based policies: Enforce business hours, maintenance windows
  • Resource limits: Control what resources can be accessed
  • Hierarchical rules: Priority-based rule evaluation
  • Audit integration: All policy decisions are logged

§Example

use rustchain::policy::{EnhancedPolicyEngine, PolicyRule, PolicyEffect, PolicyCondition, ConditionOperator};
use rustchain::policy::PolicyContext;

let mut engine = EnhancedPolicyEngine::new();

// Allow file creation during business hours only
let rule = PolicyRule {
    id: "business-hours-files".to_string(),
    name: "Allow file operations during business hours".to_string(),
    description: "Business hours file access".to_string(),
    effect: PolicyEffect::Allow,
    actions: vec!["CreateFile".to_string()],
    conditions: vec![
        PolicyCondition {
            field: "time_of_day".to_string(),
            operator: ConditionOperator::GreaterThan,
            value: serde_json::json!(8),
        },
        PolicyCondition {
            field: "time_of_day".to_string(),
            operator: ConditionOperator::LessThan,
            value: serde_json::json!(18),
        },
    ],
    priority: 100,
};

engine.add_rule(rule).unwrap();

// Evaluate policy
let context = PolicyContext {
    agent_id: "alice".to_string(),
    timestamp: Some(chrono::Utc::now()),
    metadata: std::collections::HashMap::new(),
};
let decision = engine.evaluate_action("CreateFile", &context);

§Policy Decision Flow

  1. Rule Matching: Find all rules matching the request
  2. Condition Evaluation: Check time windows, resource patterns
  3. Priority Ordering: Higher priority rules take precedence
  4. Effect Determination: Allow or Deny based on matching rules
  5. Default Effect: If no rules match, use default (usually Deny)

§Integration

The policy engine integrates with the RuntimeContext for mission validation:

use rustchain::core::RuntimeContext;

let ctx = RuntimeContext::new();
let policy = ctx.policy_engine.clone();

// Policy engine is shared across all mission executions

Structs§

EnhancedPolicyEngine
Enhanced policy engine with rule-based access control
PolicyCondition
Policy condition for fine-grained control
PolicyContext
Policy evaluation context
PolicyDecision
Policy decision result
PolicyEngine
Legacy PolicyEngine for backward compatibility
PolicyRule
Policy rule definition

Enums§

ConditionOperator
Condition operators
PolicyEffect
Policy effect (allow or deny)

Functions§

create_default_policies
Create default policy rules