fix: add EM-DELEGATE to enforcement mode docs #32
- Add EM-DELEGATE to config reference table (was missing from the list).
- Add EM-DELEGATE step in the enforcement tightening guide.

Closes PM hardening review item.
Pull request overview
Updates the policy enforcement setup guide to include the missing EM-DELEGATE enforcement mode so the documentation reflects the supported enforcement-mode ladder.
Changes:
- Added an `EM-DELEGATE` step in the “External PDP → Tighten Enforcement” section.
- Updated the configuration reference to include `EM-DELEGATE` as an allowed value for `CAPISCIO_ENFORCEMENT_MODE`.
| export CAPISCIO_ENFORCEMENT_MODE=EM-DELEGATE | ||
| ``` | ||
|
|
||
| In EM-DELEGATE, DENY decisions block requests and obligations are attempted. Failed obligations are logged but do not block the request (best-effort obligation enforcement). |
The EM-DELEGATE behavior description is internally contradictory: it says DENY blocks requests, but then says failed obligations “do not block the request”. Since DENY already blocks, this likely intends to describe how obligation failures affect ALLOW decisions (best-effort obligations) while still enforcing DENY. Please reword to explicitly state when obligations are executed and what happens on obligation failure in EM-DELEGATE.
| In EM-DELEGATE, DENY decisions block requests and obligations are attempted. Failed obligations are logged but do not block the request (best-effort obligation enforcement). | |
| In EM-DELEGATE, DENY decisions always block requests. For ALLOW decisions, all attached obligations are executed on a best-effort basis: failures are logged but do not change the ALLOW decision or block the request. |
Fixed in 7829743. Rewording now explicitly separates DENY blocking from ALLOW obligation handling.
| | `CAPISCIO_ENFORCEMENT_MODE` | `EM-OBSERVE` | One of: `EM-OBSERVE`, `EM-GUARD`, `EM-DELEGATE`, `EM-STRICT` | | ||
| | `CAPISCIO_WORKSPACE` | _(empty)_ | Workspace/tenant UUID (required for embedded PDP) | | ||
| | `CAPISCIO_BUNDLE_POLL_INTERVAL` | `30s` | Embedded PDP bundle rebuild interval | |
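Review bot: the `CAPISCIO_ENFORCEMENT_MODE` row lists the four values as a flat "One of:" set, so a reader who sees only the reference table cannot tell that they form a ladder. Consider stating the order in the description cell, for example "in increasing strictness", or pointing to the Tighten Enforcement section from this row.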
The config reference now lists EM-DELEGATE, but the earlier “Embedded PDP → Step 3: Tighten Enforcement” snippet and the “Bundle Staleness” mode table still only mention EM-OBSERVE, EM-GUARD, and EM-STRICT. To avoid conflicting guidance within the same doc, update those earlier sections to include EM-DELEGATE (and document its staleness behavior if applicable).
Fixed in 7829743. Added EM-DELEGATE row to the Bundle Staleness behavior table. The Step 3 section already has the EM-DELEGATE code block and explanation from the initial commit.
✅ Documentation Build Successful
The documentation build completed successfully and passed validation checks.
- Clarify EM-DELEGATE: DENY always blocks, ALLOW obligations are best-effort
- Add EM-DELEGATE row to Bundle Staleness behavior table
| For stricter obligation handling, use `EM-DELEGATE`: | ||
|
|
||
| ```bash | ||
| export CAPISCIO_ENFORCEMENT_MODE=EM-DELEGATE | ||
| ``` | ||
|
|
||
| In EM-DELEGATE, DENY decisions always block requests. For ALLOW decisions, all attached obligations are executed on a best-effort basis: failures are logged but do not change the ALLOW decision or block the request. | ||
|
|
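Review bot: the lead-in "For stricter obligation handling, use `EM-DELEGATE`" promises more than the paragraph under the code block delivers, since that paragraph says obligations on ALLOW decisions are best-effort and a failed obligation never blocks the request. Consider wording the lead-in around what the mode actually does, for example "To have obligations executed on ALLOW decisions, use `EM-DELEGATE`", and say whether any mode blocks on a failed obligation.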
The Embedded PDP “Step 3: Tighten Enforcement” code block earlier in this document still lists only EM-OBSERVE, EM-GUARD, and EM-STRICT (no EM-DELEGATE). Since this PR adds EM-DELEGATE to the mode progression, please update that earlier Embedded PDP snippet as well to avoid conflicting guidance within the same doc.
| For stricter obligation handling, use `EM-DELEGATE`: | |
| ```bash | |
| export CAPISCIO_ENFORCEMENT_MODE=EM-DELEGATE | |
| ``` | |
| In EM-DELEGATE, DENY decisions always block requests. For ALLOW decisions, all attached obligations are executed on a best-effort basis: failures are logged but do not change the ALLOW decision or block the request. |
Fixed in 0c2d1f4. Added EM-DELEGATE to the Embedded PDP Step 3 code block, positioned between EM-GUARD and EM-STRICT in the enforcement mode progression.
Summary
Adds missing `EM-DELEGATE` enforcement mode to the policy enforcement documentation.
Changes
`EM-OBSERVE, EM-GUARD, EM-STRICT` to `EM-OBSERVE, EM-GUARD, EM-DELEGATE, EM-STRICT`.
Context
`EM-DELEGATE` is a valid enforcement mode in capiscio-core (RFC-008 §10.5: `EM-OBSERVE < EM-GUARD < EM-DELEGATE < EM-STRICT`) but was omitted from the docs when the policy enforcement guide was created.
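A preflight check for the mode ladder quoted above, as an added example that is not part of this PR or of capiscio's own code: it rejects values of `CAPISCIO_ENFORCEMENT_MODE` outside the four documented ones and fails when the configured mode is weaker than a required minimum. The function names and the minimum-mode policy are assumptions; treating an unset variable as `EM-OBSERVE` follows the default shown in the config reference row.

```bash
# Added example, not capiscio code. Mode names and their order are taken from
# the page (EM-OBSERVE < EM-GUARD < EM-DELEGATE < EM-STRICT); the function
# names and the "required minimum" policy are assumptions.

# Print the ladder position of a mode; return 1 for any other spelling.
mode_rank() {
  case "$1" in
    EM-OBSERVE)  echo 0 ;;
    EM-GUARD)    echo 1 ;;
    EM-DELEGATE) echo 2 ;;
    EM-STRICT)   echo 3 ;;
    *)           return 1 ;;
  esac
}

# check_enforcement_mode MINIMUM [MODE]
# MODE defaults to $CAPISCIO_ENFORCEMENT_MODE, or EM-OBSERVE when that is
# unset (the documented default). Returns 0 when MODE is at least MINIMUM,
# 1 when it is weaker, 2 when either value is not a documented mode.
check_enforcement_mode() {
  local minimum mode min_rank cur_rank
  minimum="$1"
  mode="${2-${CAPISCIO_ENFORCEMENT_MODE-EM-OBSERVE}}"
  if ! min_rank="$(mode_rank "$minimum")"; then
    echo "unknown minimum mode: '$minimum'" >&2
    return 2
  fi
  if ! cur_rank="$(mode_rank "$mode")"; then
    echo "CAPISCIO_ENFORCEMENT_MODE has undocumented value: '$mode'" >&2
    return 2
  fi
  if [ "$cur_rank" -lt "$min_rank" ]; then
    echo "enforcement mode $mode is weaker than required $minimum" >&2
    return 1
  fi
  return 0
}

# In a deploy script: check_enforcement_mode EM-DELEGATE || exit 1
```

A misspelled mode returns 2 rather than 1, so a deploy script can tell a typo apart from a deliberate but too-weak setting.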