API reference
policy(options) creates a Layeron Policy module for authorization decisions, redaction rules, and audit metadata.
Import

```ts
import { policy } from "@layeron/modules"
```

policy

Create a Layeron Policy module for authorization, redaction, and audit metadata.

```ts
policy(options?: PolicyModuleOptions): PolicyModule
```

PolicyModule

Layeron Policy module returned by policy(options).

| Field | Type | Description |
|---|---|---|
| name | "policy" | Module name. |
| config | PolicyModuleOptions | Normalized Policy module configuration. |
| observability | Layeron.Observability.ObservabilityConfig \| undefined | Effective observability policy recorded on the module declaration. |
PolicyModuleOptions

Options accepted by policy(options).

| Field | Type | Description |
|---|---|---|
| name | string \| undefined | Stable Policy instance name. Defaults to "default". |
| namespace | string \| undefined | Platform namespace for the instance. Defaults to "default". |
| databaseName | string \| undefined | Layeron Database product instance name used for Policy state. |
| binding | string \| undefined | Runtime binding name used for Policy state. |
| defaultDecision | "allow" \| "deny" \| undefined | Decision returned when no rule matches. Defaults to "deny". |
| rules | PolicyRule[] \| undefined | Authorization rules evaluated by this Policy instance. |
| redaction | PolicyRedactionRule[] \| undefined | Redaction rules available through redactionPolicy(). |
| audit | PolicyAuditOptions \| undefined | Audit settings for Policy decisions. |
| observability | Layeron.Observability.ObservabilityConfig \| undefined | Observability settings for policy decisions, denials, and audit events. |
PolicyRule

Authorization rule evaluated by Policy.

| Field | Type | Description |
|---|---|---|
| id | string | Stable rule id used in decisions and audit records. |
| effect | PolicyEffect | Decision produced when the rule matches. |
| actions | string[] | Action patterns matched against the requested action. |
| resources | string[] | Resource patterns matched against type:id. |
| subjects | string[] \| undefined | Subject patterns matched against kind, kind:id, role, or scope. |
| conditions | PolicyCondition \| undefined | Additional match requirements for the rule. |
| priority | int32 \| undefined | Rule priority. Higher priority rules are evaluated first. |
| description | string \| undefined | Human-readable rule description. |
PolicyCondition

Extra match requirements for a Policy rule.

| Field | Type | Description |
|---|---|---|
| tenant | "match" \| undefined | Require the subject tenant to match the resource or context tenant. |
| owner | "subject" \| undefined | Require the resource owner id to match the subject id. |
| requiredRoles | string[] \| undefined | Require the subject to include every listed role. |
| requiredScopes | string[] \| undefined | Require the subject to include every listed scope. |
PolicyRedactionRule

Rule that selects fields or headers for redaction.

| Field | Type | Description |
|---|---|---|
| id | string | Stable redaction rule id. |
| target | "log" \| "observability" \| "all" | Runtime surface where the redaction rule applies. |
| fields | string[] \| undefined | Structured field names to redact. |
| headers | string[] \| undefined | Header names to redact. |
| description | string \| undefined | Human-readable redaction rule description. |
PolicyAuditOptions

Audit settings for Policy decisions.

| Field | Type | Description |
|---|---|---|
| decisions | boolean \| undefined | Record all Policy decisions when enabled. |
| denies | boolean \| undefined | Record denied Policy decisions when enabled. Defaults to true. |
PolicySubject

Subject that asks to perform a Policy action.

| Field | Type | Description |
|---|---|---|
| kind | PolicySubjectKind | Subject kind used for matching and audit records. |
| id | string \| undefined | Stable subject id. |
| roles | string[] \| undefined | Roles attached to the subject. |
| scopes | string[] \| undefined | Scopes attached to the subject. |
| tenantId | string \| undefined | Tenant id associated with the subject. |
| attributes | Record<unknown> \| undefined | Additional structured subject attributes. |
PolicyResource

Resource targeted by a Policy action.

| Field | Type | Description |
|---|---|---|
| type | string | Resource type used in rule resource patterns. |
| id | string | Stable resource id used in rule resource patterns. |
| tenantId | string \| undefined | Tenant id associated with the resource. |
| ownerId | string \| undefined | Subject id that owns the resource. |
| attributes | Record<unknown> \| undefined | Additional structured resource attributes. |
PolicyContext

Context attached to a Policy evaluation.

| Field | Type | Description |
|---|---|---|
| workspaceId | string \| undefined | Workspace id associated with the evaluation. |
| projectId | string \| undefined | Project id associated with the evaluation. |
| environmentId | string \| undefined | Environment id associated with the evaluation. |
| moduleId | string \| undefined | Module id associated with the evaluation. |
| requestId | string \| undefined | Request id associated with the evaluation. |
| traceId | string \| undefined | Trace id associated with the evaluation. |
| tenantId | string \| undefined | Tenant id associated with the evaluation. |
| attributes | Record<unknown> \| undefined | Additional structured evaluation attributes. |
PolicyEvaluateInput

Input accepted by Policy evaluation.

| Field | Type | Description |
|---|---|---|
| subject | PolicySubject | Subject requesting the action. |
| action | string | Action string matched against rule action patterns. |
| resource | PolicyResource | Resource targeted by the action. |
| context | PolicyContext \| undefined | Optional context attached to the evaluation. |
PolicyDecision

Decision returned by Policy evaluation.

| Field | Type | Description |
|---|---|---|
| decision | "allow" \| "deny" | Final allow or deny result. |
| reason | string | Human-readable reason for the decision. |
| matchedRuleIds | string[] | Rule ids that matched the evaluation input. |
PolicyEffect

Decision effect produced by a Policy rule.

| Value | Description |
|---|---|
| allow | Allow the matching action. |
| deny | Deny the matching action. |
PolicySubjectKind

Kind of subject evaluated by Policy.

| Value | Description |
|---|---|
| anonymous | Unauthenticated or unidentified caller. |
| user | End user subject. |
| service | Service-to-service subject. |
| admin | Administrative subject. |
| module | Layeron module subject. |
| product | Layeron product subject. |
| system | Layeron system subject. |
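The following TypeScript is an added example and not code from @layeron/modules: it re-implements the evaluation model the tables above describe (fail-closed default decision, priority ordering, action/resource/subject patterns, and the PolicyCondition checks) so that a rule set can be exercised offline before it is deployed. Glob-style "*" matching, first-match-wins after sorting by priority, and the constructed rules and inputs are assumptions; the real module's pattern syntax and tie-breaking may differ.

```typescript
// Added example: a stand-alone evaluator mirroring the PolicyRule / PolicyCondition /
// PolicyDecision shapes on this page. Not the @layeron/modules implementation.
// Assumptions: "*" is a wildcard, rules sort by descending priority (stable sort keeps
// declaration order on ties), and the first matching rule decides the outcome.
type PolicyEffect = "allow" | "deny";
type PolicySubjectKind = "anonymous" | "user" | "service" | "admin" | "module" | "product" | "system";

interface PolicySubject { kind: PolicySubjectKind; id?: string; roles?: string[]; scopes?: string[]; tenantId?: string; }
interface PolicyResource { type: string; id: string; tenantId?: string; ownerId?: string; }
interface PolicyContext { tenantId?: string; requestId?: string; }
interface PolicyCondition { tenant?: "match"; owner?: "subject"; requiredRoles?: string[]; requiredScopes?: string[]; }
interface PolicyRule { id: string; effect: PolicyEffect; actions: string[]; resources: string[]; subjects?: string[]; conditions?: PolicyCondition; priority?: number; }
interface PolicyEvaluateInput { subject: PolicySubject; action: string; resource: PolicyResource; context?: PolicyContext; }
interface PolicyDecision { decision: PolicyEffect; reason: string; matchedRuleIds: string[]; }

// Assumed pattern syntax: "*" matches any run of characters, everything else is literal.
function matchesPattern(pattern: string, value: string): boolean {
  const escaped = pattern.split("*").map(p => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + escaped + "$").test(value);
}

// Subject patterns are matched against kind, kind:id, role, or scope (PolicyRule table).
function subjectKeys(s: PolicySubject): string[] {
  return [s.kind, ...(s.id ? [`${s.kind}:${s.id}`] : []), ...(s.roles ?? []), ...(s.scopes ?? [])];
}

// Every condition must hold; a subject with no tenant or id never satisfies tenant/owner checks.
function conditionsHold(c: PolicyCondition | undefined, input: PolicyEvaluateInput): boolean {
  if (!c) return true;
  const { subject, resource, context } = input;
  if (c.tenant === "match") {
    const target = resource.tenantId ?? context?.tenantId;
    if (!subject.tenantId || subject.tenantId !== target) return false;
  }
  if (c.owner === "subject" && (!subject.id || resource.ownerId !== subject.id)) return false;
  if (c.requiredRoles?.some(r => !(subject.roles ?? []).includes(r))) return false;
  if (c.requiredScopes?.some(s => !(subject.scopes ?? []).includes(s))) return false;
  return true;
}

function ruleMatches(rule: PolicyRule, input: PolicyEvaluateInput): boolean {
  const resourceKey = `${input.resource.type}:${input.resource.id}`; // resources match type:id
  const keys = subjectKeys(input.subject);
  return rule.actions.some(p => matchesPattern(p, input.action))
    && rule.resources.some(p => matchesPattern(p, resourceKey))
    && (rule.subjects === undefined || rule.subjects.some(p => keys.some(k => matchesPattern(p, k))))
    && conditionsHold(rule.conditions, input);
}

function evaluate(rules: PolicyRule[], input: PolicyEvaluateInput, defaultDecision: PolicyEffect = "deny"): PolicyDecision {
  const ordered = [...rules].sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0)); // higher priority first
  const matched = ordered.filter(r => ruleMatches(r, input));
  if (matched.length === 0) {
    return { decision: defaultDecision, reason: `no rule matched; default ${defaultDecision}`, matchedRuleIds: [] };
  }
  const winner = matched[0]; // first match in priority order decides (assumption)
  return { decision: winner.effect, reason: `rule ${winner.id} matched`, matchedRuleIds: matched.map(r => r.id) };
}

// Constructed rule set: an explicit anonymous deny outranks everything, owners may write
// within their tenant, tenant members may read, and auditors need both a role and a scope.
const constructedRules: PolicyRule[] = [
  { id: "deny-anon", effect: "deny", actions: ["*"], resources: ["*"], subjects: ["anonymous"], priority: 100 },
  { id: "owner-write", effect: "allow", actions: ["document:write"], resources: ["document:*"], subjects: ["user"], conditions: { owner: "subject", tenant: "match" }, priority: 10 },
  { id: "tenant-read", effect: "allow", actions: ["document:read"], resources: ["document:*"], subjects: ["user", "service"], conditions: { tenant: "match" }, priority: 10 },
  { id: "auditor", effect: "allow", actions: ["document:read"], resources: ["*"], conditions: { requiredRoles: ["auditor"], requiredScopes: ["audit:read"] } },
];

// Constructed inputs covering the interesting paths.
const doc: PolicyResource = { type: "document", id: "d-1", tenantId: "t-1", ownerId: "u-1" };
const anonymousRead: PolicyEvaluateInput = { subject: { kind: "anonymous" }, action: "document:read", resource: doc };
const ownerWrite: PolicyEvaluateInput = { subject: { kind: "user", id: "u-1", tenantId: "t-1" }, action: "document:write", resource: doc };
const crossTenantWrite: PolicyEvaluateInput = { ...ownerWrite, subject: { kind: "user", id: "u-1", tenantId: "t-2" } };
const auditorRead: PolicyEvaluateInput = { subject: { kind: "user", id: "u-9", tenantId: "t-9", roles: ["auditor"], scopes: ["audit:read"] }, action: "document:read", resource: doc };

function decide(input: PolicyEvaluateInput): PolicyDecision {
  return evaluate(constructedRules, input);
}

console.log(decide(anonymousRead), decide(ownerWrite), decide(crossTenantWrite), decide(auditorRead));
```

The cross-tenant case is the one worth watching: the owner check alone would pass, and only the tenant condition turns it into a no-match that falls through to the deny default. A rule set reviewed this way should also be run with defaultDecision set to "allow" to see exactly which requests stop being covered by an explicit rule.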
Operations

evaluate

Evaluate one subject, action, resource, and context against Policy rules.

```ts
evaluate(input: PolicyEvaluateInput): PolicyDecision
```

TypeScript module methods

| Method | Description |
|---|---|
| redactionPolicy() | Build an observability redaction policy from policy redaction rules. |
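To show what a redaction policy built from PolicyRedactionRule entries does on a log record, here is an added TypeScript example that is not the module's redactionPolicy() implementation. It applies the target ("log", "observability", "all"), fields and headers columns from the table above to a constructed record; the "[REDACTED]" marker, case-insensitive header matching, top-level-only field matching and the record shape are assumptions.

```typescript
// Added example: applying PolicyRedactionRule-shaped rules to a structured record.
// Not the @layeron/modules implementation. Assumptions: the marker string, headers are
// compared case-insensitively, and only top-level field names are redacted.
type RedactionTarget = "log" | "observability" | "all";
type RedactionSurface = Exclude<RedactionTarget, "all">;

interface PolicyRedactionRule { id: string; target: RedactionTarget; fields?: string[]; headers?: string[]; description?: string; }
interface LogRecord { fields: Record<string, unknown>; headers: Record<string, string>; }
interface RedactedRecord extends LogRecord { appliedRuleIds: string[]; }

const REDACTED = "[REDACTED]";

// Returns a redactor for one runtime surface; the input record is copied, never mutated.
function buildRedactionPolicy(rules: PolicyRedactionRule[]) {
  return function redact(surface: RedactionSurface, record: LogRecord): RedactedRecord {
    const fields = { ...record.fields };
    const headers = { ...record.headers };
    const appliedRuleIds: string[] = [];
    for (const rule of rules) {
      if (rule.target !== "all" && rule.target !== surface) continue; // rule is for another surface
      let applied = false;
      for (const f of rule.fields ?? []) {
        if (f in fields) { fields[f] = REDACTED; applied = true; }
      }
      const wanted = new Set((rule.headers ?? []).map(h => h.toLowerCase()));
      for (const h of Object.keys(headers)) {
        if (wanted.has(h.toLowerCase())) { headers[h] = REDACTED; applied = true; }
      }
      if (applied) appliedRuleIds.push(rule.id); // record which rules actually fired
    }
    return { fields, headers, appliedRuleIds };
  };
}

// Constructed rules: credentials are scrubbed everywhere, e-mail only on the log surface.
const constructedRedactionRules: PolicyRedactionRule[] = [
  { id: "secrets-all", target: "all", fields: ["password", "apiKey"], headers: ["Authorization", "Cookie"] },
  { id: "pii-logs", target: "log", fields: ["email"] },
];

// Constructed record with one sensitive field, one PII field and a lower-cased auth header.
const constructedRecord: LogRecord = {
  fields: { userId: "u-42", email: "someone@example.com", password: "hunter2" },
  headers: { authorization: "Bearer abc", "x-request-id": "r-1" },
};

const redact = buildRedactionPolicy(constructedRedactionRules);

function redactForLog(): RedactedRecord { return redact("log", constructedRecord); }
function redactForObservability(): RedactedRecord { return redact("observability", constructedRecord); }

console.log(redactForLog(), redactForObservability());
```

Keeping appliedRuleIds in the output gives a cheap self-check: a record that still carries a secret with an empty appliedRuleIds means the rule set, not the redactor, is missing the field name.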