Policy Engine

A Cedar-inspired policy engine that evaluates rules against passports before credential access. Rules have conditions, effects (allow, deny, require-approval), and priorities.

Evaluation

`evaluatePolicy(passport, action, rules?)`

Evaluate all rules against a passport for a given action. Rules are sorted by priority. First matching deny wins, then require-approval, then allow.

passport

Passport

required

The passport to evaluate.

action

string

required

The action being performed (e.g., 'read', 'exec', 'share').

rules

PolicyRule[]

Rules to evaluate. Defaults to DEFAULT_POLICY_RULES.

Returns: PolicyDecision — { allowed: boolean, effect: PolicyEffect, rules: PolicyRule[] }

import { evaluatePolicy } from '@id-wispera/core';

const decision = evaluatePolicy(passport, 'exec');
if (!decision.allowed) {
  console.log('Denied by:', decision.rules.map(r => r.name));
}

`validatePassport(passport, rules?)`

Run all policy predicates against a passport and return a list of violations. Returns: ValidationResult[]

Default Rules

Rule	Effect	Description
`require-human-owner`	deny	Every passport must have a human owner
`max-validity-90-days`	deny	Passports cannot be valid for more than 90 days
`max-delegation-depth-3`	deny	Delegation chains cannot exceed 3 hops
`privilege-visa-requires-approval`	require-approval	Privilege visas need explicit approval

PolicyBuilder

Fluent API for creating custom rules:

import { policy } from '@id-wispera/core';

const rule = policy('no-prod-sharing')
  .name('Block production credential sharing')
  .description('Prevent sharing of production credentials')
  .forVisaTypes('privilege', 'data')
  .deny()
  .priority(100)
  .build();

Builder Methods

Method	Description
`.name(name)`	Human-readable rule name
`.description(desc)`	Rule description
`.forVisaTypes(...types)`	Filter by visa type
`.forPlatforms(...platforms)`	Filter by platform
`.forCredentialTypes(...types)`	Filter by credential type
`.requireHumanOwner()`	Require human owner condition
`.maxDelegationDepth(n)`	Max delegation chain depth
`.maxValidityDays(n)`	Max validity period in days
`.withCustomCondition(fn)`	Custom predicate function
`.deny()`	Set effect to deny
`.requireApproval()`	Set effect to require-approval
`.allow()`	Set effect to allow
`.priority(n)`	Rule priority (higher = evaluated first)
`.disabled()`	Create rule in disabled state
`.build()`	Build and validate the rule

Predicates

Standalone functions for checking individual conditions:

hasValidHumanOwner(passport) — Has a non-empty humanOwner
isWithinValidityPeriod(passport) — Not expired
hasExcessiveDelegation(passport, maxDepth?) — Delegation chain exceeds depth
hasBroadScope(passport, maxScopes?) — Too many scopes
hasPrivilegedAccess(passport) — Is a privilege or compliance visa

SDK Reference

​Policy Engine

​Evaluation

​evaluatePolicy(passport, action, rules?)

​validatePassport(passport, rules?)

​Default Rules

​PolicyBuilder

​Builder Methods

​Predicates