Enforcement Pipeline
Every request passes through an 8-stage pipeline. Each stage can block the request.
Request
│
▼
┌──────────────┐
│ 1. Allowlist │ capability exists? URL matches pattern?
└──────────────┘
│
▼
┌──────────────┐
│ 2. Rate Limit│ token bucket check
└──────────────┘
│
▼
┌──────────────┐
│ 3. Taint │ data flow labels violate deny rules?
└──────────────┘
│
▼
┌──────────────┐
│ 4. Approval │ human sign-off required?
└──────────────┘
│
▼
┌──────────────┐
│ 5. Secret │ inject ${VAR} into headers
└──────────────┘
│
▼
┌──────────────┐
│ 6. Execute │ HTTP request to external API
└──────────────┘
│
▼
┌──────────────┐
│ 7. Taint Rec │ label response with taint labels
└──────────────┘
│
▼
┌──────────────┐
│ 8. Audit │ hash-chained, signed log entry
└──────────────┘
│
▼
Response
Stage Details
1. Allowlist
Checks:
- Capability name exists in manifest
- HTTP method matches
- URL matches
url_patternglob - URL not in
url_deny_list - Headers are in
headers_allowedlist
2. Rate Limit
Token bucket algorithm per capability. Configured via rate_limit.requests_per_minute and burst.
3. Taint Check
Examines input data labels. If any label matches a taint_rules.deny_flow.from_labels entry where the current capability is in to_capabilities, the request is blocked.
4. Approval Gate
If requires_approval.threshold is always:
- Create approval request in control plane
- Wait up to
timeout_seconds - If approved, proceed; if denied or timeout with
default_on_timeout: deny, block
5. Secret Injection
Replace ${VAR} placeholders in secret_headers with decrypted secret values.
6. HTTP Execute
Send request to external API via reqwest. TLS verification enabled.
7. Taint Record
Apply capability's taint_labels to response data for future taint checks.
8. Audit Log
Write hash-chained, Ed25519-signed entry to audit log. Includes: sequence number, timestamp, capability, action, outcome.