Epic: CPEX Rust Core (#12)
Summary
Wire apl-core (APL policy evaluator) and cedarling (identity resolution + Cedar PDP) as built-in plugins in the Rust core. These become native Rust HookHandler implementations running at full speed inside the CPEX executor.
Motivation
APL and cedarling are already implemented in Rust with PyO3 bindings. Running them as native CPEX plugins in the Rust core eliminates the Python→Rust→Python round-trip that currently happens when the Python PluginManager calls into the Rust APL evaluator. Identity resolution, policy evaluation, and token delegation all run in-process at native speed.
Scope
APL Plugin
- Implements HookHandler<CmfHook> — registers for cmf.tool_pre_invoke, cmf.tool_post_invoke
- Builds AttributeBag from CMF extensions (subject, delegation, session, meta, args/result)
- Evaluates compiled APL policy — pre-invoke rules, result transforms, post-invoke rules
- Returns PluginResult with modified payload (redacted/masked fields) and modified extensions (taint labels)
- Loads policy from YAML path in plugin config
Cedarling Identity Plugin
- Implements HookHandler<IdentityResolve> — registers for identity_resolve
- Multi-issuer JWT validation via cedarling's token validation
- Decodes JWT into SubjectExtension (roles, permissions, teams, claims)
- Returns resolved identity as extension modification
Token Delegation Plugin
- Implements HookHandler<TokenDelegate> — registers for token_delegate
- RFC 8693 token exchange with scope narrowing
- Delegation chain construction via DelegationExtension.with_new_hop()
- Audience mapping from plugin config
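The scope-narrowing and audience-mapping behaviour the Token Delegation Plugin describes, as an added Rust example that is not the project's code: DelegationExtension, Hop, AudienceMap and DelegationError are assumed shapes modelled on the names in this epic, not the crate's real API. Each new hop may only drop scopes relative to the previous one, so a delegated tool token can never hold more than the caller did.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One hop in the delegation chain: the audience the exchanged token was minted
/// for and the scopes it carries. Hypothetical shape, not the project's own type.
#[derive(Debug, Clone, PartialEq)]
pub struct Hop {
    pub audience: String,
    pub scopes: BTreeSet<String>,
}

/// Delegation chain carried as a CMF extension; hop 0 is the caller's own token.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct DelegationExtension {
    pub hops: Vec<Hop>,
}

#[derive(Debug, PartialEq)]
pub enum DelegationError {
    /// Requested scopes the previous hop does not hold (escalation attempt or bug).
    ScopeExpansion(BTreeSet<String>),
    /// Tool has no audience in the plugin config, so no token can be minted for it.
    UnknownAudience(String),
}

/// Audience mapping from plugin config: tool name -> audience of the exchanged token.
pub struct AudienceMap(pub BTreeMap<String, String>);

impl DelegationExtension {
    /// Appends a hop, enforcing monotonic narrowing: the new scope set must be a subset
    /// of the previous hop's. Sets are normalised so duplicates or ordering cannot slip past.
    pub fn with_new_hop(mut self, audience: &str, requested: &[&str]) -> Result<Self, DelegationError> {
        let requested: BTreeSet<String> = requested.iter().map(|s| s.to_string()).collect();
        if let Some(prev) = self.hops.last() {
            let extra: BTreeSet<String> = requested.difference(&prev.scopes).cloned().collect();
            if !extra.is_empty() {
                return Err(DelegationError::ScopeExpansion(extra));
            }
        }
        self.hops.push(Hop { audience: audience.to_string(), scopes: requested });
        Ok(self)
    }
}

/// What a token_delegate handler would do for one tool call: resolve the audience
/// for the tool from config, then extend the chain with the narrowed scopes.
pub fn delegate_for_tool(
    chain: DelegationExtension, map: &AudienceMap, tool: &str, scopes: &[&str],
) -> Result<DelegationExtension, DelegationError> {
    let aud = map.0.get(tool).ok_or_else(|| DelegationError::UnknownAudience(tool.to_string()))?;
    chain.with_new_hop(aud, scopes)
}
```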
Acceptance Criteria
- APL policy YAML from the HR demo evaluates correctly as a native Rust plugin
- Identity resolution from JWT produces the same SubjectExtension as the Python version
- Token delegation produces scoped tokens with monotonic scope narrowing
- End-to-end: identity → policy → delegation → tool call → result transforms → taint — all in Rust
- Performance: sub-millisecond for APL evaluation, comparable to direct apl-core calls
Dependencies
- apl-core crate (existing)