5 releases (breaking)
Uses new Rust 2024
| Version | Released |
|---|---|
| 0.5.0 | Mar 20, 2026 |
| 0.4.0 | Mar 13, 2026 |
| 0.3.0 | Mar 12, 2026 |
| 0.2.0 | Mar 12, 2026 |
| 0.1.0 | Mar 11, 2026 |
83KB, 2K SLoC
dome-policy
TOML-based policy engine for Thunder Dome with default-deny authorization and hot-reload support.
What it does
- Parses human-readable TOML policy files into typed authorization rules with glob and regex matchers for tools, identities, and argument constraints.
- Evaluates requests against rules in priority order (lowest number = highest priority), with first-match-wins semantics.
- Enforces default-deny: if no rule matches a request, it is denied.
- Supports identity matching by principal name or label (e.g., role:admin), and tool matching by exact name or glob pattern.
- Time-window conditions — rules can be scoped to specific time ranges and days of the week (e.g., business hours only).
- Recursive argument inspection — deny_regex and allow_glob constraints descend into nested JSON objects and arrays, preventing bypass via nested payloads.
- Hot-reload — PolicyWatcher monitors TOML files for changes and atomically swaps the engine via Arc, with file-system watcher and SIGHUP support.
- Returns structured Decision values with the matching rule ID, effect, and metadata for audit logging.
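The evaluation semantics listed above (priority order, first-match-wins, default-deny, recursive argument inspection) can be seen in a small std-only model. This is an added example, not dome-policy's code or API: every type and function name is hypothetical, a substring test stands in for a regex, and the glob supports only a trailing `*`. It also assumes an argument constraint is part of a rule's match condition, which the page does not specify.

```rust
// Added illustration (std only); not dome-policy's code or API. All names are hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Effect { Allow, Deny }
// Minimal stand-in for a JSON value.
enum Json { Str(&'static str), Arr(Vec<Json>), Obj(Vec<(&'static str, Json)>) }
struct Rule {
    id: &'static str,
    priority: u32,                      // lowest number = highest priority
    effect: Effect,
    tool: &'static str,                 // exact name, or a glob with one trailing '*'
    arg_contains: Option<&'static str>, // substring stand-in for a regex argument constraint
}
fn tool_matches(pattern: &str, tool: &str) -> bool {
    pattern.strip_suffix('*').map_or(pattern == tool, |prefix| tool.starts_with(prefix))
}

// Walk nested objects and arrays so a string cannot hide below the top level.
fn any_string_contains(value: &Json, needle: &str) -> bool {
    match value {
        Json::Str(s) => s.contains(needle),
        Json::Arr(items) => items.iter().any(|v| any_string_contains(v, needle)),
        Json::Obj(fields) => fields.iter().any(|(_, v)| any_string_contains(v, needle)),
    }
}

// The first matching rule in priority order decides; no match means deny.
fn evaluate(rules: &[Rule], tool: &str, args: &Json) -> (Option<&'static str>, Effect) {
    let mut ordered: Vec<&Rule> = rules.iter().collect();
    ordered.sort_by_key(|r| r.priority);
    for rule in ordered {
        let args_ok = rule.arg_contains.map_or(true, |n| any_string_contains(args, n));
        if tool_matches(rule.tool, tool) && args_ok {
            return (Some(rule.id), rule.effect);
        }
    }
    (None, Effect::Deny) // default-deny
}

// Constructed sample policy: the narrow deny rule outranks the broader allow rule.
fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { id: "allow-reads", priority: 20, effect: Effect::Allow, tool: "read_*", arg_contains: None },
        Rule { id: "no-traversal", priority: 10, effect: Effect::Deny, tool: "read_*", arg_contains: Some("../") },
    ]
}

fn main() {
    let nested = Json::Obj(vec![("opts", Json::Arr(vec![Json::Str("../../etc/passwd")]))]);
    println!("{:?}", evaluate(&sample_rules(), "read_file", &nested));
}
```

A check that looked only at top-level string values would miss the nested path and fall through to the allow rule, which is the bypass that recursive inspection closes.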
Usage
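```toml
[dependencies]
dome-policy = "0.4"
```

```rust
use dome_policy::{parse_policy, PolicyEngine, Identity};

// Parse the TOML policy text into typed rules, then build the engine.
let rules = parse_policy(toml_string)?;
let engine = PolicyEngine::new(rules)?;

// Evaluate one request: caller identity, tool name, and tool arguments.
let decision = engine.evaluate(&identity, "read_file", &args);
```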
Part of Thunder Dome
This crate is part of Thunder Dome, a security gateway for the Model Context Protocol. See the main repository for full documentation.
License
Apache-2.0
Dependencies
~11–27MB
~246K SLoC