Crate vellaveto_engine

Modules§

abac: ABAC (Attribute-Based Access Control) engine — Cedar-style policy evaluation.
adaptive_rate: Adaptive rate limiting — adjusts thresholds based on behavioral patterns.
behavioral: Behavioral anomaly detection for agent tool call patterns (P4.1 / OWASP ASI).
cache: Decision cache for policy evaluation results.
cascading: Cascading failure circuit breakers for multi-hop tool call chains (Phase 62).
circuit_breaker: Circuit breaker for cascading failure protection (OWASP ASI08).
collusion: Multi-agent collusion detection (Phase 62 — OWASP ASI04, ASI07).
coverage: Policy coverage analysis — identifies dead policies and coverage gaps.
deputy: Confused deputy prevention (OWASP ASI02).
impact: Policy Impact Analysis
least_agency: Least-agency enforcement — tracks permission usage per agent session and detects unused permissions for scope narrowing recommendations.
lint: Policy linting and best-practices engine.
wasm_plugin: Wasm policy plugin system for Vellaveto.

CompiledIpRules: Pre-compiled IP access control rules for DNS rebinding protection.
CompiledNetworkRules: Pre-compiled network rule domain patterns for a single policy.
CompiledPathRules: Pre-compiled path rule glob matchers for a single policy.
CompiledPolicy: A policy with all patterns pre-compiled for zero-lock evaluation.
PolicyEngine: The core policy evaluation engine.
PolicyValidationError: Error during policy compilation at load time.

CompiledConstraint: A single pre-compiled parameter constraint with all patterns resolved at load time.
CompiledContextCondition: A pre-compiled context condition for session-level policy evaluation.
CompiledToolMatcher: Pre-compiled tool:function matcher derived from policy ID.
EngineError: Errors that can occur during policy evaluation.
PatternMatcher: Pre-compiled pattern matcher for tool/function ID segments.

DEFAULT_MAX_PATH_DECODE_ITERATIONS: Default maximum percent-decoding iterations for path normalization. Paths requiring more iterations fail-closed with an error.