
feat(cedar): real Cedar policy engine binding #30

Merged: imran-siddique merged 1 commit into main from feat/cedar-policy on Jul 1, 2026

@imran-siddique

Contributor

What

Wires a real Cedar policy engine as an option for the local policy (approved: adds the cedarpy dependency, the same engine cMCP runs).

  • ca2a_runtime.cedar.CedarPolicy: evaluates each capability as a Cedar authorization request (action id = capability name); permitted iff Cedar returns Allow.
  • ca2a_runtime.policy.Policy protocol: LocalPolicy (allow set) and CedarPolicy are now interchangeable in the peer path (effective_scope, enforce_peer_call, handle_peer_request accept either).

Suite: 152 passed, 97% coverage.

Closes #10

🤖 Generated with Claude Code

Add ca2a_runtime.cedar.CedarPolicy, backed by cedarpy (the engine cMCP runs):
each capability is evaluated as a Cedar authorization request whose action id is
the capability name; a capability is permitted iff Cedar returns Allow. A new
ca2a_runtime.policy.Policy protocol makes LocalPolicy (allow set) and CedarPolicy
interchangeable in the peer path, so effective_scope / enforce_peer_call /
handle_peer_request accept either. Adds the cedarpy dependency. Suite: 152 passed.

Closes #10

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

imran-siddique merged commit 95ec135 into main Jul 1, 2026
11 checks passed
imran-siddique deleted the feat/cedar-policy branch July 1, 2026 20:51
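
A sketch of the evaluation model the description states (capability name as the Cedar action id, permitted iff the decision is Allow, either policy type usable when intersecting a delegated scope), added here as an example and not code from this PR. Every class and function name, the capability-name charset and the principal/resource values are assumptions; `cedarpy_authorizer` relies on cedarpy's `is_authorized(request, policies, entities)` call and `stub_authorizer` is a constructed stand-in so the block runs without the dependency.

```python
import re
from typing import Callable, Iterable, Protocol

# All names here are hypothetical; the page does not show the project's signatures.
_NAME = re.compile(r"[A-Za-z0-9_.:-]{1,128}")  # assumed charset for capability names

class Policy(Protocol):
    def permits(self, capability: str) -> bool: ...

class AllowSetPolicy:
    """Allow-set policy: a capability is permitted iff it is in the set."""
    def __init__(self, allowed: Iterable[str]) -> None:
        self._allowed = frozenset(allowed)
    def permits(self, capability: str) -> bool:
        return capability in self._allowed

class EnginePolicy:
    """Engine-backed policy: permitted iff the engine's decision is exactly Allow."""
    def __init__(self, authorize: Callable[[dict], str], principal: str, resource: str) -> None:
        self._authorize, self._principal, self._resource = authorize, principal, resource
    def permits(self, capability: str) -> bool:
        if not _NAME.fullmatch(capability):
            return False  # a quote or newline must never reach the entity id string
        request = {"principal": self._principal, "action": f'Action::"{capability}"',
                   "resource": self._resource, "context": {}}
        try:
            return self._authorize(request) == "Allow"
        except Exception:
            return False  # an engine error is a deny, never an allow

def intersect_scope(delegated: Iterable[str], policy: Policy) -> set[str]:
    """Capabilities that were delegated and that the local policy also permits."""
    return {c for c in delegated if policy.permits(c)}

def cedarpy_authorizer(policies: str, entities: list) -> Callable[[dict], str]:
    """Adapter over cedarpy.is_authorized, imported lazily so the rest runs without it."""
    import cedarpy
    def authorize(request: dict) -> str:
        result = cedarpy.is_authorized(request, policies, entities)
        return "Allow" if result.decision == cedarpy.Decision.Allow else "Deny"
    return authorize

def stub_authorizer(request: dict) -> str:
    """Constructed stand-in engine: allows two actions, fails on a third."""
    if request["action"] == 'Action::"crash"':
        raise RuntimeError("engine unavailable")
    return "Allow" if request["action"] in ('Action::"read"', 'Action::"search"') else "Deny"
```

The name check runs before the action id is built because the capability name is interpolated into a quoted Cedar entity id; a name containing a quote would otherwise change which action the engine evaluates.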

Development

Successfully merging this pull request may close these issues.

feat(policy): intersect delegated scope with local Cedar policy
