
Generic HTTP-primitive policy rules for Gate#455

Merged
bmbouter merged 1 commit into main from generic-policy-rules on Apr 23, 2026

Conversation

@bmbouter
Owner

Summary

  • Replaces bespoke per-service operation-name scope checking with generic HTTP method+host+path glob rules
  • Named rule sets defined in .alcove/policy-rules/*.yml, synced to DB, referenced by security profiles
  • Security profiles gain rules: key for named rule references and inline HTTP rules
  • Ships with 73 named rule sets covering all GitHub/GitLab/Jira/Splunk operations from scope.go
  • Full backward compatibility: existing tools: profiles still work unchanged

Architecture

.alcove/policy-rules/github.yml  →  sync to DB  →  profile resolves refs
     ↓                                                    ↓
named rule sets                              flat []PolicyRule
     ↓                                                    ↓
security profile rules:                      GATE_POLICY_RULES env var
  - github-read-issues                              ↓
  - github-create-comment                    Gate CheckPolicyRules()

Test plan

  • go build ./... passes
  • go test ./... — all packages pass (including 60+ new policy tests)
  • DB migrations apply cleanly (policy_rule_sets table + security_profiles.rules column)
  • Bridge starts with new migrations
  • CI passes

🤖 Generated with Claude Code

Replace bespoke per-service operation-name scope checking with a
general-purpose HTTP rule matcher. Rules are defined as method+host+path
globs, grouped into named rule sets, and referenced by security profiles.

- New generic policy engine (internal/gate/policy.go) with path glob
  matching (* = one segment, ** = zero or more) and host wildcard
  matching (*.example.com)
- Named rule sets synced from .alcove/policy-rules/*.yml to database
- Security profiles gain a rules: key alongside existing tools: key
- Dispatcher resolves named rule refs to flat PolicyRule list, passes
  as GATE_POLICY_RULES env var to Gate
- Gate MITM handler checks PolicyRules first, falls back to old scope
- Ships with named rule sets for GitHub (28), GitLab (19), Jira (20),
  Splunk (6) covering all operations from scope.go
- Full backward compatibility: profiles with only tools: still work

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
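The matching semantics the PR describes (a rule is method + host + path glob, `*` consumes exactly one path segment, `**` consumes zero or more, hosts may use a `*.example.com` wildcard, and a request is allowed only when some rule in the flat list matches) are shown here as an added stand-alone Go example. This is not the project's `internal/gate/policy.go` or its `CheckPolicyRules`; the `PolicyRule` field names, the `matchHost`/`matchPath` helpers, the reading of `*.` as matching one or more labels, the query-string stripping and `path.Clean` normalisation, and the sample GitHub/GitLab rules are all assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// PolicyRule is a constructed stand-in for the PR's method+host+path glob rule.
type PolicyRule struct {
	Method string // exact HTTP method, or "*" for any
	Host   string // exact host, or a leading "*." wildcard such as "*.example.com"
	Path   string // path glob: "*" = one segment, "**" = zero or more segments
}

// matchHost accepts an exact host or a single leading "*." wildcard.
// Assumption: the wildcard covers one or more subdomain labels but never the bare domain.
func matchHost(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if pattern == "*" {
		return true
	}
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // ".example.com"
		return strings.HasSuffix(host, suffix) && len(host) > len(suffix)
	}
	return pattern == host
}

func splitSegments(p string) []string {
	p = strings.Trim(p, "/")
	if p == "" {
		return nil
	}
	return strings.Split(p, "/")
}

// matchSegments implements the two glob tokens: "*" consumes exactly one
// segment, "**" consumes zero or more (tried shortest-first, then extended).
func matchSegments(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		for i := 0; i <= len(segs); i++ {
			if matchSegments(pat[1:], segs[i:]) {
				return true
			}
		}
		return false
	}
	if len(segs) == 0 || (pat[0] != "*" && pat[0] != segs[0]) {
		return false
	}
	return matchSegments(pat[1:], segs[1:])
}

// matchPath strips any query string and normalises "." / ".." / "//" before
// matching, so the glob sees the path the upstream server will actually route.
func matchPath(pattern, reqPath string) bool {
	if i := strings.IndexByte(reqPath, '?'); i >= 0 {
		reqPath = reqPath[:i]
	}
	if !strings.HasPrefix(reqPath, "/") {
		reqPath = "/" + reqPath
	}
	return matchSegments(splitSegments(pattern), splitSegments(path.Clean(reqPath)))
}

// Matches reports whether a single rule permits the request.
func (r PolicyRule) Matches(method, host, reqPath string) bool {
	if r.Method != "*" && !strings.EqualFold(r.Method, method) {
		return false
	}
	return matchHost(r.Host, host) && matchPath(r.Path, reqPath)
}

// CheckPolicyRules is deny-by-default: the request is allowed only if some rule
// matches. The index of the first matching rule (or -1) is returned so a gate
// can log which rule authorised the call.
func CheckPolicyRules(rules []PolicyRule, method, host, reqPath string) (bool, int) {
	for i, r := range rules {
		if r.Matches(method, host, reqPath) {
			return true, i
		}
	}
	return false, -1
}

// Constructed sample rules in the spirit of "github-read-issues" and
// "github-create-comment"; the real YAML contents are not on the page.
var sampleRules = []PolicyRule{
	{Method: "GET", Host: "api.github.com", Path: "/repos/*/*/issues"},
	{Method: "GET", Host: "api.github.com", Path: "/repos/*/*/issues/*"},
	{Method: "POST", Host: "api.github.com", Path: "/repos/*/*/issues/*/comments"},
	{Method: "GET", Host: "*.gitlab.example", Path: "/api/v4/projects/**"},
}

func main() {
	reqs := [][3]string{
		{"GET", "api.github.com", "/repos/octo/demo/issues/42"},
		{"DELETE", "api.github.com", "/repos/octo/demo/issues/42"},
		{"GET", "gl.gitlab.example", "/api/v4/projects/7/merge_requests?state=opened"},
		{"GET", "gitlab.example", "/api/v4/projects"},
	}
	for _, q := range reqs {
		ok, idx := CheckPolicyRules(sampleRules, q[0], q[1], q[2])
		fmt.Printf("%-6s %-18s %-48s allowed=%v rule=%d\n", q[0], q[1], q[2], ok, idx)
	}
}
```

Two properties matter for a gate like this: the list is deny-by-default, so a missing rule fails closed, and matching runs on the normalised path, so `..` segments or a query string cannot turn a request into something a narrower glob was never meant to cover.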
@github-actions github-actions Bot added the awaiting-review CI passed, PR ready for reviewer agent label Apr 23, 2026
@bmbouter bmbouter merged commit 303c09f into main Apr 23, 2026
4 checks passed
@bmbouter bmbouter deleted the generic-policy-rules branch April 23, 2026 22:18
