
systemprompt_security/authz/types/
rule.rs

1use serde::{Deserialize, Serialize};
2use systemprompt_identifiers::RuleId;
3
4use super::kinds::{Access, EntityKind, RuleType};
5
/// One access-control rule, as stored in `access_control_rules`.
///
/// Derives `sqlx::FromRow`, so a value can be built directly from a query
/// row whose column names match the field names. Callers pair rules with an
/// [`EntityRow`] and hand both to [`crate::authz::resolver::resolve`].
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, sqlx::FromRow)]
pub struct AccessRule {
    /// Identifier of this rule.
    pub id: RuleId,

    /// Category of the rule.
    // NOTE(review): presumably selects how `rule_value` is interpreted —
    // confirm against the resolver.
    pub rule_type: RuleType,

    /// Value the rule applies to. This is a plain `String`: nothing in this
    /// type validates or normalises it, so any checks on its shape have to
    /// happen where rules are loaded or written.
    pub rule_value: String,

    /// Access outcome carried by the rule (see [`Access`]).
    pub access: Access,

    /// Optional free-text reason recorded with the rule. A missing key
    /// deserialises to `None`, and `None` is left out of serialised output.
    // NOTE(review): a rule can therefore exist with no recorded
    // justification; if audit requirements need one, that has to be enforced
    // on the write path — this type does not require it.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub justification: Option<String>,
}
15
/// A single row of `access_control_entities`.
///
/// Carries the entity's `default_included` flag together with a provenance
/// string naming the loader pass that first registered it: `"profile:<name>"`,
/// `"roles.yaml"`, or `"bootstrap:*"` for rows a migration promoted from an
/// older schema.
///
/// Callers combine this row with the [`AccessRule`]s read from
/// `access_control_rules` and pass both to
/// [`crate::authz::resolver::resolve`].
///
/// When the lookup yields `None`, access control does not know the entity,
/// and the resolver answers with
/// [`super::decision::DenyReason::UnknownEntity`] instead of the generic
/// `NotAssigned`.
// NOTE(review): unlike `AccessRule`, this type does not derive
// `sqlx::FromRow`, so it is presumably mapped from the query result by hand —
// confirm at the call site.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EntityRow {
    /// Kind of entity this row describes.
    pub kind: EntityKind,

    /// Entity identifier, held as a plain `String` rather than a typed id.
    pub id: String,

    /// Per-entity default flag.
    // NOTE(review): presumably the outcome used when no rule mentions the
    // entity — confirm against the resolver before relying on it.
    pub default_included: bool,

    /// Provenance string for the loader pass that first registered the
    /// entity. It is a free-form `String`; nothing in this type restricts it
    /// to the documented forms.
    pub source: String,
}