Cedar Authorization Core
Thepalyra-policy crate serves as the central evaluation engine. It translates system requests into Cedar entities and evaluates them against an embedded baseline policy set crates/palyra-policy/src/lib.rs#160-161.
Policy Request and Context
Authorization is triggered via aPolicyRequest, which defines the triple of principal, action, and resource crates/palyra-policy/src/lib.rs#19-26. This is augmented by a PolicyRequestContext containing environmental metadata:
| Field | Description |
|---|---|
device_id | The originating hardware identifier crates/palyra-policy/src/lib.rs#36-36. |
channel | The communication platform (e.g., Discord, Slack) crates/palyra-policy/src/lib.rs#37-38. |
session_id | Correlation ID for the current conversation crates/palyra-policy/src/lib.rs#39-40. |
capabilities | Specific permissions requested by a tool (e.g., net.egress) crates/palyra-policy/src/lib.rs#47-49. |
Authorization Data Flow
The following diagram illustrates how a tool proposal is transformed from a code entity into a Cedar decision. Diagram: Tool Proposal to Cedar Evaluation Sources: crates/palyra-daemon/src/application/tool_security.rs#57-64, crates/palyra-policy/src/lib.rs#12-26, crates/palyra-daemon/src/application/tool_security.rs#107-116Tool Posture and Execution Gates
Tool execution is governed by a multi-stage pipeline. Before a tool runs, it must pass through theevaluate_tool_proposal_security function crates/palyra-daemon/src/application/tool_security.rs#107-116.
Posture States
Palyra defines three primary postures for tools:- AlwaysAllow: Tool executes immediately if Cedar permits.
- AskEachTime: Tool requires an explicit operator approval via the Approval Gate crates/palyra-daemon/src/application/approvals/mod.rs#1-7.
- Disabled: Tool is blocked regardless of Cedar policies.
Sensitive Actions
Certain actions are hardcoded as sensitive and always require elevated permissions or approvals:cron.delete: Deleting scheduled routines crates/palyra-policy/src/lib.rs#76-76.memory.purge: Clearing agent memory crates/palyra-policy/src/lib.rs#76-76.- Skill Execution: Running Wasm-based plugins via
palyra.plugin.runcrates/palyra-daemon/src/application/tool_security.rs#89-95.
Approval Gate System
The Approval Gate handles “human-in-the-loop” security. When a tool call is permitted by Cedar but marked asapproval_required, the daemon halts execution and creates a PendingToolApproval crates/palyra-daemon/src/application/approvals/mod.rs#40-45.
Approval Workflow
- Context Assembly: The system builds a
PendingToolApprovalcontaining a summary of the request, risk levels, and execution context (e.g., which backend will run the command) crates/palyra-daemon/src/application/approvals/mod.rs#143-164. - Journaling: The request is appended to the
JournalStoreas anApprovalPromptRecordcrates/palyra-daemon/src/application/approvals/mod.rs#26-27. - Operator Decision: The operator grants or denies the request via the Web Console or CLI.
- Decision Application:
apply_tool_approval_outcomemerges the operator’s decision into the finalToolDecision. If the approval channel is unavailable, the system fails closed and denies the request crates/palyra-daemon/src/application/approvals/mod.rs#65-81.
Service Authorization and API Tokens
Access to the daemon’s external API (including the OpenAI-compatible compat facade) is managed by theAccessRegistry crates/palyra-daemon/src/access_control.rs#1-8.
Feature Flags and RBAC
The system uses feature flags to gate entire subsystems:compat_api: Gates the OpenAI-compatible HTTP handlers crates/palyra-daemon/src/access_control.rs#34-34.api_tokens: Gates the issuance and use of scoped tokens crates/palyra-daemon/src/access_control.rs#40-40.rbac: Enables role-based access checks crates/palyra-daemon/src/access_control.rs#44-44.
Workspace Roles
Permissions are grouped intoWorkspaceRole levels crates/palyra-daemon/src/access_control.rs#114-118:
- Owner: Full authority, including trust and rollout management crates/palyra-daemon/src/access_control.rs#148-150.
- Admin: Membership and API token management crates/palyra-daemon/src/access_control.rs#148-149.
- Operator: Baseline session and memory usage crates/palyra-daemon/src/access_control.rs#148-148.
API Token Scopes
Tokens are minted with specific scopes (e.g.,compat.chat.create) and are subject to rate limiting crates/palyra-daemon/src/access_control.rs#53-60. Tokens only store SHA-256 digests of the secret to prevent credential leakage from the state file crates/palyra-daemon/src/access_control.rs#10-11.
Sources: crates/palyra-daemon/src/access_control.rs#1-67, crates/palyra-daemon/src/transport/http/handlers/compat.rs#162-169