Policy Engine ID Wispera includes a Cedar-inspired policy engine for declarative credential governance.
Overview Policies define rules that control:
Who can access which credentials
Under what conditions access is allowed
What approval workflows are required
How long credentials can be valid
Policy Structure interface PolicyRule { id : string ; // Unique identifier name : string ; // Human-readable name description : string ; // What this rule enforces condition : { // When the rule applies visaTypes ?: VisaType []; platforms ?: Platform []; maxDelegationDepth ?: number ; requireHumanOwner ?: boolean ; maxValidityDays ?: number ; }; effect : 'allow' | 'deny' | 'require-approval' ; priority ?: number ; // Higher = evaluated first enabled ?: boolean ; }
Default Rules ID Wispera includes sensible defaults out of the box.
These default rules enforce baseline security hygiene. You can override any of them by creating a custom rule with the same id.
const DEFAULT_POLICY_RULES = [ { id: 'require-human-owner' , name: 'Require Human Owner' , description: 'All passports must have a human owner' , condition: { requireHumanOwner: true }, effect: 'deny' , priority: 100 , }, { id: 'max-validity-90-days' , name: 'Maximum Validity Period' , description: 'Credentials should not be valid for more than 90 days' , condition: { maxValidityDays: 90 }, effect: 'deny' , priority: 90 , }, { id: 'max-delegation-depth-3' , name: 'Maximum Delegation Depth' , description: 'Credentials should not be delegated more than 3 levels' , condition: { maxDelegationDepth: 3 }, effect: 'deny' , priority: 80 , }, { id: 'privilege-visa-requires-approval' , name: 'Privileged Access Requires Approval' , condition: { visaTypes: [ 'privilege' ] }, effect: 'require-approval' , priority: 70 , }, ];
Using the Policy Engine Evaluate a Policy import { evaluatePolicy , DEFAULT_POLICY_RULES } from '@id-wispera/core' ; const decision = evaluatePolicy ( passport , 'access' , DEFAULT_POLICY_RULES ); if ( ! decision . allowed ) { console . log ( 'Access denied:' , decision . reason ); }
Validate a Passport import { validatePassport , DEFAULT_POLICY_RULES } from '@id-wispera/core' ; const violations = validatePassport ( passport , DEFAULT_POLICY_RULES ); for ( const v of violations ) { console . log ( ` ${ v . severity } : ${ v . violation } ` ); }
Creating Custom Rules Using createPolicyRule import { createPolicyRule } from '@id-wispera/core' ; const rule = createPolicyRule ({ name: 'Production Credentials Short Expiry' , description: 'Production credentials must expire within 30 days' , condition: { tags: [ 'production' ], maxValidityDays: 30 , }, effect: 'deny' , priority: 95 , });
Using the Fluent Builder import { policy } from '@id-wispera/core' ; const rule = policy ( 'compliance-no-delegation' ) . name ( 'No Delegation for Compliance' ) . description ( 'Compliance credentials cannot be delegated' ) . forVisaTypes ( 'compliance' ) . maxDelegationDepth ( 0 ) . deny () . priority ( 100 ) . build ();
The fluent builder is available in the TypeScript SDK. For Python and Go, use the createPolicyRule / create_policy_rule / CreateRule functions shown above.
Policy Conditions Visa Type Filter Apply a rule only to specific visa types:
condition : { visaTypes : [ 'privilege' , 'compliance' ] }
Apply a rule only to specific platforms:
condition : { platforms : [ 'openai' , 'anthropic' ] }
Scope Filter Apply a rule when specific scopes are present:
condition : { scopes : [ 'admin' , 'delete' ] }
Delegation Depth Limit how many times a credential can be delegated:
condition : { maxDelegationDepth : 2 }
Validity Period Limit how long a credential can be valid:
condition : { maxValidityDays : 30 }
Human Owner Requirement Require a human owner to be set:
condition : { requireHumanOwner : true }
Tag Filter Apply a rule to passports with specific tags:
condition : { tags : [ 'production' , 'sensitive' ] }
Custom Condition For complex logic that cannot be expressed declaratively:
Custom condition functions run in-process and are not serializable. Use them only in programmatic integrations, not in exported policy files.
condition : { custom : ( passport ) => { return passport . scope . length > 10 ; } }
Policy Effects Effect Behavior allowAccess is granted denyAccess is blocked require-approvalAccess needs human approval before it is granted
Merging Policy Sets Combine multiple rule sets into a single evaluation list:
import { mergePolicyRules , DEFAULT_POLICY_RULES } from '@id-wispera/core' ; const customRules = [ /* your rules */ ]; const allRules = mergePolicyRules ( DEFAULT_POLICY_RULES , customRules );
Later rules with the same id override earlier ones. This lets you selectively replace default rules without removing the rest.
Best Practices
Start with defaults and add custom rules as needed.Use high priorities for critical security rules.Test policies before deploying to production.Document rules with clear descriptions.Review periodically to ensure rules are still relevant.Log policy decisions for audit purposes.
Next Steps
Visa types Understand the visa type taxonomy that policies filter on.
Delegation Control how credentials flow between humans and agents.
Audit log Review the decision log produced by policy evaluations.
