Module cache 

Decision cache for policy evaluation results.

Provides an LRU-based cache that stores Verdict results keyed by Action identity (tool, function, paths, domains) and optional agent identity. Cached verdicts are invalidated when the policy generation counter is bumped (e.g., on policy reload).

Security

• Context-dependent results are NOT cached. When the EvaluationContext carries session-dependent state (call counts, previous actions, time windows, call chains, capability tokens, session state), the result depends on mutable session state and must be evaluated fresh every time.
• Fail-closed on lock poisoning. If the internal RwLock is poisoned, get returns None (cache miss) and insert is a no-op. This ensures a poisoned cache never serves stale Allow verdicts.
• Bounded memory. The cache enforces MAX_CACHE_ENTRIES and evicts the least-recently-used entry when at capacity.
• Counters use fetch_add. Hit/miss/eviction counters use u64 atomics, which cannot practically overflow (584-year wraparound at 1 GHz increment rate). The LRU access counter uses SeqCst ordering.

Structs

CacheStats

Aggregate cache performance statistics.

DecisionCache

LRU decision cache for policy evaluation results.

Constants

MAX_CACHE_ENTRIES

Absolute upper bound on cache entries to prevent memory exhaustion.

MAX_TTL_SECS

Maximum allowed TTL in seconds (1 hour).

MIN_TTL_SECS

Minimum allowed TTL in seconds.