domainforge 0.13.0

package/domainforge-core/src/authority/resolver.rs

@@ -0,0 +1,446 @@
+use super::error::AuthorityError;
+use super::pack::AuthorityPack;
+use super::policy::*;
+use super::types::*;
+
+#[derive(Debug, Clone)]
+pub struct PolicyEvaluation {
+    pub policy: AuthorityPolicy,
+    pub condition_result: ThreeValuedResult,
+    pub fact_check_results: Vec<(FactRequirement, bool, Option<FactEnvelope>)>,
+    pub unknown_handling_applied: bool,
+    pub unknown_handling_result: Option<FinalDecision>,
+    pub unknown_decision: Option<UnknownDecision>,
+}
+
+pub struct AuthorityResolver {
+    unknown_handling: UnknownHandlingConfig,
+    specificity_profile: SpecificityProfile,
+    strict_mode: bool,
+    semantics_version: String,
+    compatibility_version: String,
+}
+
+impl AuthorityResolver {
+    pub fn new(
+        unknown_handling: UnknownHandlingConfig,
+        specificity_profile: SpecificityProfile,
+        strict_mode: bool,
+        semantics_version: String,
+        compatibility_version: String,
+    ) -> Self {
+        Self {
+            unknown_handling,
+            specificity_profile,
+            strict_mode,
+            semantics_version,
+            compatibility_version,
+        }
+    }
+
+    pub fn resolve(
+        &self,
+        request: &AuthorityRequest,
+        packs: &[AuthorityPack],
+        facts: &[FactEnvelope],
+        fact_trust_decisions: &[FactTrustDecision],
+        _derived_lineages: &[DerivedFactLineage],
+    ) -> Result<ResolverOutput, AuthorityError> {
+        request.validate()?;
+
+        let all_policies: Vec<&AuthorityPolicy> =
+            packs.iter().flat_map(|p| p.policies.iter()).collect();
+
+        let candidates: Vec<&AuthorityPolicy> = all_policies
+            .into_iter()
+            .filter(|p| p.is_candidate(request))
+            .collect();
+
+        if candidates.is_empty() {
+            return Ok(ResolverOutput {
+                decision_id: generate_decision_id(),
+                final_decision: FinalDecision::NotApplicable,
+                reason_code: "no_applicable_policy".to_string(),
+                candidate_policies: vec![],
+                applicable_policies: vec![],
+                incomparable_policies: vec![],
+                evaluations: vec![],
+                conflict_resolution_steps: vec![],
+            });
+        }
+
+        let mut evaluations = Vec::new();
+        for policy in &candidates {
+            let fact_checks = policy.check_fact_requirements(facts, &chrono::Utc::now());
+            let all_facts_satisfied = fact_checks.iter().all(|(_, satisfied, _)| *satisfied);
+
+            let condition_result = if !all_facts_satisfied {
+                ThreeValuedResult::Unknown
+            } else {
+                policy.evaluate_conditions(facts)?
+            };
+
+            let unknown_handling_applied = condition_result == ThreeValuedResult::Unknown;
+            let (unknown_handling_result, unknown_decision) = if unknown_handling_applied {
+                let default = self.unknown_handling.for_modality(&policy.modality);
+                let unsatisfied_facts: Vec<String> = fact_checks
+                    .iter()
+                    .filter(|(_, s, _)| !s)
+                    .map(|(r, _, _)| r.fact_path.clone())
+                    .collect();
+                let ud = UnknownDecision {
+                    policy_id: policy.policy_id.clone(),
+                    unknown_handling_applied: true,
+                    unknown_modality: policy.modality,
+                    unknown_default_result: default,
+                    unknown_reason: classify_unknown_reason(&fact_checks, fact_trust_decisions),
+                    affected_fact_paths: unsatisfied_facts,
+                    fact_source_ids: vec![],
+                    availability_classification: classify_availability(&fact_checks),
+                    operator_action_hint: None,
+                };
+                (Some(default), Some(ud))
+            } else {
+                (None, None)
+            };
+
+            evaluations.push(PolicyEvaluation {
+                policy: (*policy).clone(),
+                condition_result,
+                fact_check_results: fact_checks,
+                unknown_handling_applied,
+                unknown_handling_result,
+                unknown_decision,
+            });
+        }
+
+        let applicable: Vec<&PolicyEvaluation> = evaluations
+            .iter()
+            .filter(|e| {
+                if matches!(e.condition_result, ThreeValuedResult::True) {
+                    return true;
+                }
+                if e.unknown_handling_applied {
+                    return e.unknown_handling_result != Some(FinalDecision::NotApplicable);
+                }
+                false
+            })
+            .collect();
+
+        if applicable.is_empty() {
+            return Ok(ResolverOutput {
+                decision_id: generate_decision_id(),
+                final_decision: FinalDecision::NotApplicable,
+                reason_code: "no_applicable_policy_after_evaluation".to_string(),
+                candidate_policies: candidates
+                    .into_iter()
+                    .map(|p| p.policy_id.clone())
+                    .collect(),
+                applicable_policies: vec![],
+                incomparable_policies: vec![],
+                evaluations,
+                conflict_resolution_steps: vec![],
+            });
+        }
+
+        let (final_decision, conflict_steps) = self.resolve_conflicts(&applicable)?;
+
+        let decision_id = generate_decision_id();
+        let reason_code = format!(
+            "{}_by_{}",
+            match final_decision {
+                FinalDecision::Allow => "allowed",
+                FinalDecision::Deny => "denied",
+                FinalDecision::Escalate => "escalated",
+                FinalDecision::NotApplicable => "not_applicable",
+                FinalDecision::Reject => "rejected",
+            },
+            conflict_steps
+                .last()
+                .map(|s| s.policy_id.clone())
+                .unwrap_or_else(|| "resolver".to_string())
+        );
+
+        Ok(ResolverOutput {
+            decision_id,
+            final_decision,
+            reason_code,
+            candidate_policies: candidates
+                .into_iter()
+                .map(|p| p.policy_id.clone())
+                .collect(),
+            applicable_policies: applicable
+                .iter()
+                .map(|e| e.policy.policy_id.clone())
+                .collect(),
+            incomparable_policies: vec![],
+            evaluations,
+            conflict_resolution_steps: conflict_steps,
+        })
+    }
+
+    fn resolve_conflicts(
+        &self,
+        applicable: &[&PolicyEvaluation],
+    ) -> Result<(FinalDecision, Vec<ConflictResolutionStep>), AuthorityError> {
+        if applicable.len() == 1 {
+            let ev = applicable[0];
+            let decision = if ev.unknown_handling_applied {
+                ev.unknown_handling_result
+                    .unwrap_or(FinalDecision::NotApplicable)
+            } else {
+                modality_to_decision(&ev.policy.modality, ev.condition_result)
+            };
+            return Ok((
+                decision,
+                vec![ConflictResolutionStep {
+                    step: "single_applicable".to_string(),
+                    policy_id: ev.policy.policy_id.clone(),
+                    result: format!("{:?}", decision),
+                }],
+            ));
+        }
+
+        // Step 6: Apply modality precedence (spec §10.8)
+        // Default: Reject > Deny > Escalate > Allow > NotApplicable
+        let mut best_modality_rank = 0u8;
+        for ev in applicable {
+            let rank = modality_precedence_rank(&ev.policy.modality);
+            best_modality_rank = best_modality_rank.max(rank);
+        }
+
+        let modal_filtered: Vec<&&PolicyEvaluation> = applicable
+            .iter()
+            .filter(|e| modality_precedence_rank(&e.policy.modality) == best_modality_rank)
+            .collect();
+
+        let mut steps = vec![ConflictResolutionStep {
+            step: "modality_precedence".to_string(),
+            policy_id: modal_filtered
+                .iter()
+                .map(|e| e.policy.policy_id.clone())
+                .collect::<Vec<_>>()
+                .join(","),
+            result: format!("modality_rank={}", best_modality_rank),
+        }];
+
+        if modal_filtered.len() == 1 {
+            let ev = *modal_filtered[0];
+            let decision = compute_eval_decision(ev);
+            steps.push(ConflictResolutionStep {
+                step: "modality_resolved".to_string(),
+                policy_id: ev.policy.policy_id.clone(),
+                result: format!("{:?}", decision),
+            });
+            return Ok((decision, steps));
+        }
+
+        // Step 7: Apply priority
+        let mut best_priority = i32::MIN;
+        for ev in &modal_filtered {
+            best_priority = best_priority.max(ev.policy.priority);
+        }
+
+        let top_priority: Vec<&PolicyEvaluation> = modal_filtered
+            .iter()
+            .filter(|e| e.policy.priority == best_priority)
+            .map(|e| **e)
+            .collect();
+
+        steps.push(ConflictResolutionStep {
+            step: "priority_filter".to_string(),
+            policy_id: top_priority
+                .iter()
+                .map(|e| e.policy.policy_id.clone())
+                .collect::<Vec<_>>()
+                .join(","),
+            result: format!("priority={}", best_priority),
+        });
+
+        if top_priority.len() == 1 {
+            let ev = top_priority[0];
+            let decision = compute_eval_decision(ev);
+            steps.push(ConflictResolutionStep {
+                step: "highest_priority".to_string(),
+                policy_id: ev.policy.policy_id.clone(),
+                result: format!("{:?}", decision),
+            });
+            return Ok((decision, steps));
+        }
+
+        let mut dominated = vec![false; top_priority.len()];
+        for i in 0..top_priority.len() {
+            if dominated[i] {
+                continue;
+            }
+            for j in 0..top_priority.len() {
+                if i == j || dominated[j] {
+                    continue;
+                }
+                let vec_i = top_priority[i]
+                    .policy
+                    .compute_specificity(&self.specificity_profile);
+                let vec_j = top_priority[j]
+                    .policy
+                    .compute_specificity(&self.specificity_profile);
+                match vec_i.compare(&vec_j) {
+                    SpecificityComparison::AMoreSpecific => {
+                        dominated[j] = true;
+                    }
+                    SpecificityComparison::BMoreSpecific => {
+                        dominated[i] = true;
+                    }
+                    SpecificityComparison::Equal | SpecificityComparison::Incomparable => {}
+                }
+            }
+        }
+
+        let non_dominated: Vec<&PolicyEvaluation> = top_priority
+            .iter()
+            .enumerate()
+            .filter(|(i, _)| !dominated[*i])
+            .map(|(_, e)| *e)
+            .collect();
+
+        if non_dominated.len() == 1 {
+            let ev = non_dominated[0];
+            let decision = compute_eval_decision(ev);
+            steps.push(ConflictResolutionStep {
+                step: "specificity_resolved".to_string(),
+                policy_id: ev.policy.policy_id.clone(),
+                result: format!("{:?}", decision),
+            });
+            return Ok((decision, steps));
+        }
+
+        steps.push(ConflictResolutionStep {
+            step: "specificity_incomparable".to_string(),
+            policy_id: non_dominated
+                .iter()
+                .map(|e| e.policy.policy_id.clone())
+                .collect::<Vec<_>>()
+                .join(","),
+            result: "incomparable".to_string(),
+        });
+
+        if self.strict_mode {
+            let ids: Vec<String> = non_dominated
+                .iter()
+                .map(|e| e.policy.policy_id.clone())
+                .collect();
+            Err(AuthorityError::specificity_conflict(
+                &ids[0],
+                ids.get(1).map(|s| s.as_str()).unwrap_or("?"),
+            ))
+        } else {
+            Ok((FinalDecision::Escalate, steps))
+        }
+    }
+
+    pub fn validate_versions(
+        &self,
+        semantics_version: &str,
+        compatibility_version: &str,
+    ) -> Result<(), AuthorityError> {
+        if self.semantics_version != semantics_version {
+            return Err(AuthorityError::invalid_environment(format!(
+                "Resolver semantics version '{}' does not match configured semantics version '{}'",
+                self.semantics_version, semantics_version
+            )));
+        }
+        if self.compatibility_version != compatibility_version {
+            return Err(AuthorityError::invalid_environment(format!(
+                "Resolver compatibility version '{}' does not match configured compatibility lowering version '{}'",
+                self.compatibility_version, compatibility_version
+            )));
+        }
+        Ok(())
+    }
+}
+
+fn modality_to_decision(modality: &PolicyModality, condition: ThreeValuedResult) -> FinalDecision {
+    match (modality, condition) {
+        (PolicyModality::Permission, ThreeValuedResult::True) => FinalDecision::Allow,
+        (PolicyModality::Prohibition, ThreeValuedResult::True) => FinalDecision::Deny,
+        (PolicyModality::Obligation, ThreeValuedResult::True) => FinalDecision::Allow,
+        (PolicyModality::Override, ThreeValuedResult::True) => FinalDecision::Allow,
+        _ => FinalDecision::NotApplicable,
+    }
+}
+
+fn modality_precedence_rank(modality: &PolicyModality) -> u8 {
+    match modality {
+        PolicyModality::Override => 5,
+        PolicyModality::Prohibition => 4,
+        PolicyModality::Obligation => 3,
+        PolicyModality::Permission => 2,
+    }
+}
+
+fn compute_eval_decision(ev: &PolicyEvaluation) -> FinalDecision {
+    if ev.unknown_handling_applied {
+        ev.unknown_handling_result
+            .unwrap_or(FinalDecision::NotApplicable)
+    } else {
+        modality_to_decision(&ev.policy.modality, ev.condition_result)
+    }
+}
+
+fn classify_unknown_reason(
+    fact_checks: &[(FactRequirement, bool, Option<FactEnvelope>)],
+    trust_decisions: &[FactTrustDecision],
+) -> String {
+    for (req, satisfied, envelope) in fact_checks {
+        if !satisfied {
+            if envelope.is_none() {
+                return "missing".to_string();
+            }
+            if let Some(env) = envelope {
+                if env.is_caller_supplied() {
+                    return "caller_omission".to_string();
+                }
+            }
+            for td in trust_decisions {
+                if td.fact_path == req.fact_path && !td.trusted {
+                    return td.reason.clone();
+                }
+            }
+        }
+    }
+    "unknown".to_string()
+}
+
+fn classify_availability(fact_checks: &[(FactRequirement, bool, Option<FactEnvelope>)]) -> String {
+    for (_req, satisfied, envelope) in fact_checks {
+        if !satisfied {
+            if envelope.is_none() {
+                return "caller_omission".to_string();
+            }
+            if let Some(env) = envelope {
+                if env.source_class == SourceClass::CallerSupplied {
+                    return "caller_omission".to_string();
+                }
+            }
+        }
+    }
+    "availability_failure".to_string()
+}
+
+#[derive(Debug, Clone)]
+pub struct ConflictResolutionStep {
+    pub step: String,
+    pub policy_id: String,
+    pub result: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct ResolverOutput {
+    pub decision_id: String,
+    pub final_decision: FinalDecision,
+    pub reason_code: String,
+    pub candidate_policies: Vec<String>,
+    pub applicable_policies: Vec<String>,
+    pub incomparable_policies: Vec<String>,
+    pub evaluations: Vec<PolicyEvaluation>,
+    pub conflict_resolution_steps: Vec<ConflictResolutionStep>,
+}

package/domainforge-core/src/authority/trace.rs

@@ -0,0 +1,217 @@
+use chrono::Utc;
+use serde::{Deserialize, Serialize};
+use std::sync::{Arc, Mutex};
+
+use super::error::AuthorityError;
+use super::pack::AuthorityPack;
+use super::resolver::{ConflictResolutionStep, ResolverOutput};
+use super::types::*;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthorityTrace {
+    pub decision_id: String,
+    pub request_id: String,
+    pub ir_hash: String,
+    pub pack_hashes: Vec<String>,
+    pub resolver_version: String,
+    pub resolver_semantics_version: String,
+    pub resolver_semantics_hash: String,
+    pub specificity_profile_id: String,
+    pub specificity_profile_hash: String,
+    pub specificity_profile_source: String,
+    pub specificity_profile_conflicts: Vec<String>,
+    pub unknown_handling_config_hash: String,
+    pub compatibility_lowering_version: String,
+    pub action_request_hash: String,
+    pub fact_envelopes: Vec<FactEnvelopeSummary>,
+    pub fact_trust_decisions: Vec<FactTrustDecision>,
+    pub derived_fact_lineage: Vec<DerivedFactLineage>,
+    pub candidate_policies: Vec<String>,
+    pub applicable_policies: Vec<String>,
+    pub incomparable_policies: Vec<String>,
+    pub unknown_decisions: Vec<UnknownDecision>,
+    pub compatibility_lowering_decisions: Vec<CompatibilityLoweringDecision>,
+    pub conflict_resolution_steps: Vec<ConflictStepRecord>,
+    pub final_decision: FinalDecision,
+    pub claim_level: ClaimLevel,
+    pub validation_suite_ref: Option<String>,
+    pub created_at: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct FactEnvelopeSummary {
+    pub path: String,
+    pub source_class: SourceClass,
+    pub source_id: String,
+    pub trusted: bool,
+}
+
+impl From<&FactEnvelope> for FactEnvelopeSummary {
+    fn from(f: &FactEnvelope) -> Self {
+        Self {
+            path: f.path.clone(),
+            source_class: f.source_class,
+            source_id: f.source_id.clone(),
+            trusted: f.is_trusted(),
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ConflictStepRecord {
+    pub step: String,
+    pub policy_id: String,
+    pub result: String,
+}
+
+impl From<&ConflictResolutionStep> for ConflictStepRecord {
+    fn from(s: &ConflictResolutionStep) -> Self {
+        Self {
+            step: s.step.clone(),
+            policy_id: s.policy_id.clone(),
+            result: s.result.clone(),
+        }
+    }
+}
+
+pub struct AuthorityTraceEmitter {
+    resolver_version: String,
+    semantics_version: String,
+    compatibility_version: String,
+    evidence_sink: EvidenceSink,
+    memory_store: Arc<Mutex<Vec<AuthorityTrace>>>,
+}
+
+pub enum EvidenceSink {
+    Memory,
+    Discard,
+}
+
+impl AuthorityTraceEmitter {
+    pub fn new(
+        resolver_version: String,
+        semantics_version: String,
+        compatibility_version: String,
+        evidence_sink: EvidenceSink,
+    ) -> Self {
+        Self {
+            resolver_version,
+            semantics_version,
+            compatibility_version,
+            evidence_sink,
+            memory_store: Arc::new(Mutex::new(Vec::new())),
+        }
+    }
+
+    pub fn get_traces(&self) -> Vec<AuthorityTrace> {
+        self.memory_store
+            .lock()
+            .map(|s| s.clone())
+            .unwrap_or_default()
+    }
+
+    pub fn clear_traces(&self) {
+        if let Ok(mut s) = self.memory_store.lock() {
+            s.clear();
+        }
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    pub fn emit(
+        &self,
+        request: &AuthorityRequest,
+        packs: &[AuthorityPack],
+        facts: &[FactEnvelope],
+        fact_trust_decisions: &[FactTrustDecision],
+        derived_lineages: &[DerivedFactLineage],
+        output: &ResolverOutput,
+        specificity_profile: &SpecificityProfile,
+        unknown_handling: &UnknownHandlingConfig,
+        compatibility_decisions: &[CompatibilityLoweringDecision],
+    ) -> Result<(AuthorityTrace, AuthorityDecision), AuthorityError> {
+        let trace = AuthorityTrace {
+            decision_id: output.decision_id.clone(),
+            request_id: request.request_id.clone(),
+            ir_hash: compute_hash(
+                &serde_json::to_string(&output.candidate_policies).unwrap_or_default(),
+            ),
+            pack_hashes: packs.iter().map(|p| p.hash.clone()).collect(),
+            resolver_version: self.resolver_version.clone(),
+            resolver_semantics_version: self.semantics_version.clone(),
+            resolver_semantics_hash: compute_hash(&self.semantics_version),
+            specificity_profile_id: specificity_profile.id.clone(),
+            specificity_profile_hash: specificity_profile.hash.clone(),
+            specificity_profile_source: "environment".to_string(),
+            specificity_profile_conflicts: vec![],
+            unknown_handling_config_hash: compute_hash(
+                &serde_json::to_string(unknown_handling).unwrap_or_default(),
+            ),
+            compatibility_lowering_version: self.compatibility_version.clone(),
+            action_request_hash: compute_hash(&request.action_hash_input()),
+            fact_envelopes: facts.iter().map(FactEnvelopeSummary::from).collect(),
+            fact_trust_decisions: fact_trust_decisions.to_vec(),
+            derived_fact_lineage: derived_lineages.to_vec(),
+            candidate_policies: output.candidate_policies.clone(),
+            applicable_policies: output.applicable_policies.clone(),
+            incomparable_policies: output.incomparable_policies.clone(),
+            unknown_decisions: output
+                .evaluations
+                .iter()
+                .filter_map(|e| e.unknown_decision.clone())
+                .collect(),
+            compatibility_lowering_decisions: compatibility_decisions.to_vec(),
+            conflict_resolution_steps: output
+                .conflict_resolution_steps
+                .iter()
+                .map(ConflictStepRecord::from)
+                .collect(),
+            final_decision: output.final_decision,
+            claim_level: ClaimLevel::AuditBacked,
+            validation_suite_ref: None,
+            created_at: Utc::now().to_rfc3339(),
+        };
+
+        match self.persist_trace(&trace) {
+            Ok(()) => {}
+            Err(_) => {
+                if matches!(output.final_decision, FinalDecision::Allow) {
+                    return Err(AuthorityError::trace_persistence_failure(
+                        "Cannot confirm high-impact decision without trace persistence",
+                    ));
+                }
+            }
+        }
+
+        let decision = AuthorityDecision {
+            decision_id: output.decision_id.clone(),
+            request_id: request.request_id.clone(),
+            final_decision: output.final_decision,
+            reason_code: output.reason_code.clone(),
+            trace_ref: output.decision_id.clone(),
+            operator_action_hint: output
+                .evaluations
+                .iter()
+                .filter_map(|e| e.unknown_decision.as_ref())
+                .filter_map(|ud| ud.operator_action_hint.clone())
+                .next(),
+        };
+
+        Ok((trace, decision))
+    }
+
+    fn persist_trace(&self, trace: &AuthorityTrace) -> Result<(), AuthorityError> {
+        match self.evidence_sink {
+            EvidenceSink::Memory => {
+                let mut store = self.memory_store.lock().map_err(|e| {
+                    AuthorityError::new(
+                        super::error::AuthorityErrorCode::TracePersistenceFailure,
+                        format!("Mutex poisoned: {}", e),
+                    )
+                })?;
+                store.push(trace.clone());
+                Ok(())
+            }
+            EvidenceSink::Discard => Ok(()),
+        }
+    }
+}