Summary
Add a default_action: deny knob to the CPEX filter config. When set, a request that matches no route (no policy for this workload) is rejected rather than passed through.
Today, routes without an APL block fall back to legacy plugin-list execution — there is no single switch that says "unmatched ⇒ reject." This knob makes the deny-all baseline explicit and auditable. It's the foundation the rest of the policy model assumes.
User Story 1
- As an: operator running CPEX as a reference monitor
- I want: unmatched requests rejected by default
- So that: an agent with no policy reaches nothing, with no implicit pass-through
Acceptance Criteria
Scenario: Unmatched request is denied when knob is on
Given default_action is set to deny
And no route matches the incoming request
When the filter evaluates the request
Then it is rejected (403)
Scenario: Default behavior is unchanged when knob is unset
Given default_action is not configured
And no route matches the incoming request
When the filter evaluates the request
Then existing fall-through behavior applies
Additional Context
Scoped in the Praxis epic #678 alignment work (deny-all default enforcement, praxis sub-issue #679). Effort: config + one branch in the filter's dispatch.
Summary
Add a
default_action: denyknob to the CPEX filter config. When set, a request that matches no route (no policy for this workload) is rejected rather than passed through.Today, routes without an APL block fall back to legacy plugin-list execution — there is no single switch that says "unmatched ⇒ reject." This knob makes the deny-all baseline explicit and auditable. It's the foundation the rest of the policy model assumes.
User Story 1
Acceptance Criteria
Additional Context
Scoped in the Praxis epic #678 alignment work (deny-all default enforcement, praxis sub-issue #679). Effort: config + one branch in the filter's dispatch.