From f8ade084554170b0680c560a84147a5558ec6278 Mon Sep 17 00:00:00 2001 From: Beon de Nood Date: Sat, 21 Mar 2026 08:25:07 -0400 Subject: [PATCH 1/3] fix: add EM-DELEGATE to enforcement mode docs - Add EM-DELEGATE to config reference table (was missing from the list). - Add EM-DELEGATE step in the enforcement tightening guide. Closes PM hardening review item. --- docs/how-to/security/policy-enforcement.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/how-to/security/policy-enforcement.md b/docs/how-to/security/policy-enforcement.md index e68f217..7b1ba0e 100644 --- a/docs/how-to/security/policy-enforcement.md +++ b/docs/how-to/security/policy-enforcement.md @@ -160,6 +160,14 @@ export CAPISCIO_ENFORCEMENT_MODE=EM-GUARD Now PDP DENY decisions block requests with `403 Forbidden`. If the PDP is unavailable, requests are denied with `503 Service Unavailable` (fail-closed). +For stricter obligation handling, use `EM-DELEGATE`: + +```bash +export CAPISCIO_ENFORCEMENT_MODE=EM-DELEGATE +``` + +In EM-DELEGATE, DENY decisions block requests and obligations are attempted. Failed obligations are logged but do not block the request (best-effort obligation enforcement). + For full obligation enforcement, use `EM-STRICT`: ```bash 
@@ -202,7 +210,7 @@ All PDP-related environment variables: | `CAPISCIO_EMBEDDED_PDP` | `false` | Enable embedded OPA evaluator (in-process PDP) | | `CAPISCIO_PDP_ENDPOINT` | _(empty)_ | External PDP URL. Empty + no embedded PDP = badge-only mode | | `CAPISCIO_PDP_TIMEOUT_MS` | `500` | External PDP query timeout in milliseconds | -| `CAPISCIO_ENFORCEMENT_MODE` | `EM-OBSERVE` | One of: `EM-OBSERVE`, `EM-GUARD`, `EM-STRICT` | +| `CAPISCIO_ENFORCEMENT_MODE` | `EM-OBSERVE` | One of: `EM-OBSERVE`, `EM-GUARD`, `EM-DELEGATE`, `EM-STRICT` | | `CAPISCIO_WORKSPACE` | _(empty)_ | Workspace/tenant UUID (required for embedded PDP) | | `CAPISCIO_BUNDLE_POLL_INTERVAL` | `30s` | Embedded PDP bundle rebuild interval | | `CAPISCIO_BUNDLE_STALENESS_THRESHOLD` | `5m` | Embedded PDP bundle age before staleness warnings | From 7829743ce1a9890877b798414dbdbe206443fc0a Mon Sep 17 00:00:00 2001 From: Beon de Nood Date: Sat, 21 Mar 2026 08:40:59 -0400 Subject: [PATCH 2/3] =?UTF-8?q?fix:=20address=20review=20=E2=80=94=20rewor?= =?UTF-8?q?d=20EM-DELEGATE,=20add=20to=20staleness=20table?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Clarify EM-DELEGATE: DENY always blocks, ALLOW obligations are best-effort - Add EM-DELEGATE row to Bundle Staleness behavior table --- docs/how-to/security/policy-enforcement.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/how-to/security/policy-enforcement.md b/docs/how-to/security/policy-enforcement.md index 7b1ba0e..bd723e9 100644 --- a/docs/how-to/security/policy-enforcement.md +++ b/docs/how-to/security/policy-enforcement.md 
@@ -90,6 +90,7 @@ When the embedded PDP's policy bundle hasn't been rebuilt within the staleness t |------|-----------| | `EM-OBSERVE` | Request proceeds; `staleness.bundle_stale` annotation in telemetry | | `EM-GUARD` | Request proceeds; `staleness.bundle_stale` annotation in telemetry | +| `EM-DELEGATE` | Request proceeds; `staleness.bundle_stale` annotation in telemetry | | `EM-STRICT` | Request denied with `BUNDLE_STALE` error code | Configure staleness via: @@ -166,7 +167,7 @@ For stricter obligation handling, use `EM-DELEGATE`: export CAPISCIO_ENFORCEMENT_MODE=EM-DELEGATE ``` -In EM-DELEGATE, DENY decisions block requests and obligations are attempted. Failed obligations are logged but do not block the request (best-effort obligation enforcement). +In EM-DELEGATE, DENY decisions always block requests. For ALLOW decisions, all attached obligations are executed on a best-effort basis: failures are logged but do not change the ALLOW decision or block the request. For full obligation enforcement, use `EM-STRICT`: From 0c2d1f43110f076c3a9ecaabee0c7a450332d52e Mon Sep 17 00:00:00 2001 From: Beon de Nood Date: Sat, 21 Mar 2026 08:56:18 -0400 Subject: [PATCH 3/3] fix: add EM-DELEGATE to Embedded PDP Step 3 enforcement progression --- docs/how-to/security/policy-enforcement.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/how-to/security/policy-enforcement.md b/docs/how-to/security/policy-enforcement.md index bd723e9..12c21af 100644 --- a/docs/how-to/security/policy-enforcement.md +++ b/docs/how-to/security/policy-enforcement.md @@ -78,6 +78,9 @@ export CAPISCIO_ENFORCEMENT_MODE=EM-OBSERVE # Deny unauthorized — PDP DENY blocks requests (fail-closed on PDP failure) export CAPISCIO_ENFORCEMENT_MODE=EM-GUARD +# Best-effort obligations — DENY blocks; ALLOW obligations attempted but failures don't block +export CAPISCIO_ENFORCEMENT_MODE=EM-DELEGATE + # Full enforcement — unknown obligation types also cause denial export CAPISCIO_ENFORCEMENT_MODE=EM-STRICT ```
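Review bot: In PATCH 1/3, hunk `@@ -160,6 +160,14 @@`, the new EM-DELEGATE paragraph does not say what happens when the PDP is unavailable. The EM-GUARD paragraph directly above it states that requests are denied with `503 Service Unavailable` (fail-closed), so a reader tightening from EM-GUARD to EM-DELEGATE cannot tell whether that guarantee carries over. Suggest adding one sentence that states the PDP-unavailable behaviour for EM-DELEGATE explicitly. The lead-in "For stricter obligation handling" also needs a baseline: the visible text never says how EM-GUARD treats obligations, so it is unclear what EM-DELEGATE is stricter than.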
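Review bot: In PATCH 2/3, hunk `@@ -90,6 +90,7 @@`, the new `EM-DELEGATE` row lets the request proceed on a stale bundle, identical to `EM-OBSERVE` and `EM-GUARD`, so a mode that blocks on DENY still decides requests against a bundle past the staleness threshold and the only trace is a telemetry annotation. Suggest a sentence under the table noting that only `EM-STRICT` fails closed on staleness, and that deployments in the other three modes should alert on `staleness.bundle_stale`.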
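Review bot: In PATCH 2/3, hunk `@@ -166,7 +167,7 @@`, "failures are logged" does not say where or under what name, and because the ALLOW decision stands, that log entry is the only signal that an obligation did not run. Suggest naming the log event or telemetry field so it can be monitored, the way the staleness table names `staleness.bundle_stale`. The wording also drifts from PATCH 3/3: here obligations are "executed on a best-effort basis", there they are "attempted"; pick one term and use it in both places.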
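Review bot: In PATCH 3/3, hunk `@@ -78,6 +78,9 @@`, the inserted comment leaves the "also" in the following EM-STRICT comment without a referent: "unknown obligation types also cause denial" now follows the EM-DELEGATE line, which covers failed obligations but says nothing about unknown obligation types. Suggest stating in the new comment how EM-DELEGATE treats an unknown obligation type, or rewording the EM-STRICT comment so it no longer depends on the line above it.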