
[FEATURE]: default_action: deny filter knob for deny-all baseline #106

Description

@araujof

Summary

Add a default_action: deny knob to the CPEX filter config. When set, a request that matches no route (no policy for this workload) is rejected rather than passed through.

Today, routes without an APL block fall back to legacy plugin-list execution — there is no single switch that says "unmatched ⇒ reject." This knob makes the deny-all baseline explicit and auditable. It's the foundation the rest of the policy model assumes.

User Story 1

  • As an: operator running CPEX as a reference monitor
  • I want: unmatched requests rejected by default
  • So that: an agent with no policy reaches nothing, with no implicit pass-through

Acceptance Criteria

Scenario: Unmatched request is denied when knob is on
  Given default_action is set to deny
  And no route matches the incoming request
  When the filter evaluates the request
  Then it is rejected (403)

Scenario: Default behavior is unchanged when knob is unset
  Given default_action is not configured
  And no route matches the incoming request
  When the filter evaluates the request
  Then existing fall-through behavior applies

Additional Context

Scoped in the Praxis epic #678 alignment work (deny-all default enforcement, praxis sub-issue #679). Effort: config + one branch in the filter's dispatch.
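An added sketch of the "one branch in the filter's dispatch" and both acceptance scenarios; it is not CPEX code. `Route`, `load_config`, `dispatch`, the dict-shaped config and the `legacy` stand-in are hypothetical names, and rejecting unrecognized knob values at load time is an assumption of this example, not something the issue specifies.

```python
from dataclasses import dataclass
from typing import Callable, List

DENY = "deny"  # the only value the issue defines for default_action


@dataclass
class Route:
    prefix: str                    # hypothetical matcher: path prefix
    handler: Callable[[str], int]  # returns an HTTP status code


@dataclass
class FilterConfig:
    routes: List[Route]
    deny_unmatched: bool = False   # False = knob unset, existing behavior


def load_config(raw: dict, routes: List[Route]) -> FilterConfig:
    """Parse the knob. A typo must not silently become pass-through,
    so any value other than 'deny' is rejected at load time (assumption)."""
    value = raw.get("default_action")
    if value is None:
        return FilterConfig(routes, deny_unmatched=False)
    if value != DENY:
        raise ValueError(f"unsupported default_action: {value!r}")
    return FilterConfig(routes, deny_unmatched=True)


def dispatch(cfg: FilterConfig, path: str, legacy: Callable[[str], int]) -> int:
    """Return the status for a request; `legacy` stands in for the
    existing fall-through (plugin-list) behavior."""
    for route in cfg.routes:
        if path.startswith(route.prefix):
            return route.handler(path)
    if cfg.deny_unmatched:
        return 403                 # unmatched => reject, the new branch
    return legacy(path)            # knob unset: behavior unchanged


# Constructed sample data for the two scenarios.
ROUTES = [Route("/tools/search", lambda p: 200)]


def legacy_passthrough(path: str) -> int:
    return 200


if __name__ == "__main__":
    for raw in ({"default_action": "deny"}, {}):
        cfg = load_config(raw, ROUTES)
        print(raw, dispatch(cfg, "/tools/delete", legacy_passthrough))
```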

Status: Backlog
