Skip to main content

typesec_rbac/
lib.rs

1//! # typesec-rbac
2//!
3//! Role-Based Access Control from YAML → typed policy enforcement.
4//!
5//! ## YAML → Types → Compile-time Safety
6//!
7//! The pipeline has two phases:
8//!
9//! 1. **Runtime**: Parse the YAML policy, build an [`RbacEngine`] that implements
10//!    [`PolicyEngine`]. This handles *dynamic* role assignments and resource globs
11//!    that can't be known at compile time.
12//!
13//! 2. **Codegen** (optional, via `typesec generate`): Emit Rust source code with
14//!    concrete role structs and `Permission` impls. These let the compiler verify
15//!    that your code uses permissions that actually exist in the policy file.
16//!
17//! ## YAML Schema
18//!
19//! ```yaml
20//! roles:
21//!   - name: analyst
22//!     permissions: [read, read_sensitive]
23//!     resources: ["reports/*", "metrics/*"]
24//!   - name: admin
25//!     inherits: [analyst]
26//!     permissions: [write, delete, delegate]
27//!     resources: ["*"]
28//!
29//! assignments:
30//!   - subject: "agent:data-pipeline"
31//!     roles: [analyst]
32//! ```
33
34#![forbid(unsafe_code)]
35#![warn(missing_docs, clippy::all)]
36
37pub mod codegen;
38pub mod engine;
39pub mod graph_policy;
40pub mod model;
41
42pub use engine::RbacEngine;
43pub use graph_policy::GraphPolicyEngine;
44pub use model::{Assignment, RbacPolicy, RoleDefinition};