07 — Policy Engine

Deep dive on the governable pillar (flagship §3). Three layers: Cedar for permission decisions, a ReBAC graph for sharing relationships, and governance policies for data rules — all policy-as-code, with simulation to prove properties.


1. Why a real policy engine (not ad-hoc ACLs)

Commodity file apps bolt permissions onto rows and hope. That can’t express “external users may view but not download files tagged confidential, except the legal team, unless under legal hold.” BitVault makes authorization and governance first-class, versioned, testable code — the difference between a toy and an enterprise platform.


2. Evaluation architecture

flowchart TB
    classDef e fill:#fde68a,stroke:#b45309,color:#111827;
    classDef d fill:#bbf7d0,stroke:#15803d,color:#111827;
    classDef c fill:#c7d2fe,stroke:#3730a3,color:#111827;
    req["request (gateway / S3 API / data plane)"]:::e --> pdp["PDP: Policy Decision Point"]:::e
    pdp --> cedar["Cedar (permissions, PARC, deny-by-default)"]:::e
    pdp --> rebac["ReBAC graph (sharing relationships)"]:::e
    pdp --> gov["governance policies (retention/residency/DLP/sharing)"]:::e
    attrs["context: tenant, tags, classification, residency, hold"]:::c --> pdp
    pdp --> dec{"permit / forbid (+ obligations)"}:::d
    cache["Redis decision cache (short TTL, ADR-0010)"]:::c <--> pdp
    git["policies-as-code in Git → deployed (GitOps)"]:::c --> pdp

3. Sub-features

POL-1 — Cedar authorization

Why: verified, fast, readable authz vs brittle ACLs
Complexity: M (integrate)
Dependencies: identity (ADR-0010)
Resume: High — verified policy engine

POL-2 — ReBAC sharing graph

Why: real sharing semantics + inheritance
Complexity: L (graph + consistency)
Dependencies: identity, sharing context
Resume: Very high — Zanzibar-class systems
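To make the POL-2 row concrete, here is an added example (not BitVault code) of the Zanzibar-style relation graph it refers to: relation tuples plus userset rewrite rules, so a share granted on a folder is inherited by the files beneath it and group membership is resolved by walking the graph. The object ids, user ids, relation names and the sample sharing state are constructed for illustration; no storage backend is assumed.

```python
# Added example, not BitVault code: a toy Zanzibar-style relation graph with
# userset rewrites, so a share on a folder is inherited by the files under it and
# group membership is resolved through the graph. Object and user ids are
# constructed for illustration; no particular backend is assumed.
from collections import defaultdict, deque

# Namespace config: how each relation is computed.
#   ("this", None)             direct (object, relation, subject) tuples
#   ("computed", rel)          anyone holding `rel` on the same object
#   ("tupleset", (via, rel))   anyone holding `rel` on each object reached via `via`
HIERARCHICAL = {
    "owner":  [("this", None)],
    "editor": [("this", None), ("computed", "owner"), ("tupleset", ("parent", "editor"))],
    "viewer": [("this", None), ("computed", "editor"), ("tupleset", ("parent", "viewer"))],
}
RULES = {"folder": HIERARCHICAL, "file": HIERARCHICAL, "group": {"member": [("this", None)]}}


def obj_type(obj):
    return obj.split(":", 1)[0]          # "file:nda.pdf" -> "file"


class RelationGraph:
    def __init__(self):
        self._tuples = defaultdict(set)  # (object, relation) -> subjects

    def write(self, obj, relation, subject):
        """subject is a user id or a userset written as object#relation."""
        self._tuples[(obj, relation)].add(subject)

    def delete(self, obj, relation, subject):
        self._tuples[(obj, relation)].discard(subject)

    def direct(self, obj, relation):
        return self._tuples.get((obj, relation), set())

    def _reachable(self, obj, relation):
        """Yield every user reachable from (obj, relation) through tuples and
        rewrite rules. The seen-set makes cycles (a group containing itself) safe."""
        start = (obj, relation)
        seen, queue = {start}, deque([start])

        def push(node):
            if node not in seen:
                seen.add(node)
                queue.append(node)

        while queue:
            o, r = queue.popleft()
            for subject in self.direct(o, r):
                if "#" in subject:                      # userset: follow it
                    push(tuple(subject.split("#", 1)))
                else:
                    yield subject
            for kind, arg in RULES.get(obj_type(o), {}).get(r, ()):
                if kind == "computed":
                    push((o, arg))
                elif kind == "tupleset":
                    via, rel = arg
                    for target in self.direct(o, via):
                        push((target, rel))

    def check(self, obj, relation, user):
        """Zanzibar Check: does user hold relation on obj, directly or inherited?"""
        return any(s == user for s in self._reachable(obj, relation))

    def expand(self, obj, relation):
        """Zanzibar Expand, flattened: every user who holds relation on obj."""
        return set(self._reachable(obj, relation))


def build_sample_graph():
    """Constructed sample: the legal group owns a folder tree; one file in it is
    also shared directly with an external user."""
    g = RelationGraph()
    g.write("group:legal", "member", "user:dana")
    g.write("folder:legal", "owner", "group:legal#member")
    g.write("folder:contracts", "parent", "folder:legal")
    g.write("file:nda.pdf", "parent", "folder:contracts")
    g.write("file:nda.pdf", "viewer", "user:ext-bob")       # direct share
    return g
```

Two things the toy makes visible that the row only names: inheritance is downward only (the external user shared on the file cannot see the folder), and revocation is a tuple delete that the next Check reflects immediately. The "consistency" part of the complexity estimate is what the toy leaves out: a real Zanzibar-class store answers Check against a versioned snapshot so that a replica lagging behind a revocation cannot re-grant access.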

POL-3 — Governance policies as code

Why: governance/compliance differentiator
Complexity: M
Dependencies: Cedar (POL-1), placement, DLP
Resume: Medium-high

POL-4 — Policy simulation & formal analysis

Why: provable governance; change-safety
Complexity: L
Dependencies: Cedar analysis tools
Resume: Very high — formal methods in production
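The following is an added example (not BitVault code, and not Cedar's own analyzer) that covers POL-1 and POL-4 together on the rule from section 1: a toy PDP with Cedar's decision semantics (any matching forbid wins, otherwise at least one permit is required, otherwise deny), and a bounded simulation that enumerates every combination of the attributes the policies read, checks properties exhaustively over that space, and diffs two policy bundles the way a CI gate on a policy PR would. Policy ids, the "watermark" obligation and the attribute space are assumptions made for illustration; the Cedar-syntax sketch in the comments is for orientation and is not parsed.

```python
# Added example, not BitVault code: a toy PDP with Cedar-like semantics (forbid
# overrides permit, deny-by-default) plus the offline simulation POL-4 describes,
# run over the policy from section 1. Policy ids, the "watermark" obligation and
# the attribute space are assumptions made for illustration.
from dataclasses import dataclass
from itertools import product
from typing import Callable

# Cedar-syntax sketch of the same rules, for orientation only (not parsed here):
#   permit(principal in Group::"external", action == Action::"view", resource);
#   permit(principal in Group::"external", action == Action::"download", resource)
#       unless { resource.tags.contains("confidential") };
#   permit(principal in Group::"legal", action == Action::"download", resource);
#   forbid(principal, action == Action::"download", resource) when { resource.legal_hold };

@dataclass(frozen=True)
class Principal:
    id: str
    groups: frozenset

@dataclass(frozen=True)
class Resource:
    id: str
    tags: frozenset
    legal_hold: bool = False

@dataclass(frozen=True)
class Request:
    principal: Principal
    action: str
    resource: Resource

@dataclass(frozen=True)
class Policy:
    id: str
    effect: str                        # "permit" or "forbid"
    matches: Callable[[Request], bool]
    obligations: tuple = ()            # attached to a permit, e.g. watermark on view

@dataclass(frozen=True)
class Decision:
    allowed: bool
    determining: tuple                 # policy ids that produced the answer
    obligations: tuple = ()

def evaluate(policies, req):
    """Cedar's rule: any matching forbid wins; else at least one matching permit
    is needed; else deny."""
    permits = [p for p in policies if p.effect == "permit" and p.matches(req)]
    forbids = [p for p in policies if p.effect == "forbid" and p.matches(req)]
    if forbids:
        return Decision(False, tuple(p.id for p in forbids))
    if not permits:
        return Decision(False, ())
    return Decision(True, tuple(p.id for p in permits),
                    tuple(o for p in permits for o in p.obligations))

def external(r): return "external" in r.principal.groups
def legal(r): return "legal" in r.principal.groups
def confidential(r): return "confidential" in r.resource.tags

POLICIES = (
    Policy("ext-view", "permit", lambda r: external(r) and r.action == "view",
           obligations=("watermark",)),
    Policy("ext-download", "permit",
           lambda r: external(r) and r.action == "download" and not confidential(r)),
    Policy("legal-download", "permit", lambda r: legal(r) and r.action == "download"),
    Policy("hold-freeze", "forbid",
           lambda r: r.action == "download" and r.resource.legal_hold),
)
# A change a policy PR might carry: let external users download anything.
PROPOSED = POLICIES + (
    Policy("ext-download-any", "permit", lambda r: external(r) and r.action == "download"),
)

def request_space():
    """Every combination of the attributes the policies read. It is small, so the
    properties below are checked exhaustively over it, not sampled."""
    group_sets = [frozenset(s) for s in ((), ("external",), ("legal",), ("external", "legal"))]
    tag_sets = [frozenset(), frozenset({"confidential"})]
    for groups, tags, hold, action in product(group_sets, tag_sets, (False, True),
                                              ("view", "download")):
        yield Request(Principal("p", groups), action, Resource("r", tags, hold))

def counterexample(policies, prop):
    """First request where prop(request, decision) fails, or None if it holds everywhere."""
    for req in request_space():
        if not prop(req, evaluate(policies, req)):
            return req
    return None

def no_download_under_hold(req, dec):
    return not (dec.allowed and req.action == "download" and req.resource.legal_hold)

def external_only_never_downloads_confidential(req, dec):
    return not (dec.allowed and external(req) and not legal(req)
                and req.action == "download" and confidential(req))

def decision_diff(old, new):
    """Requests whose allow/deny answer differs between two bundles: the report a
    CI gate attaches to a policy PR before it merges."""
    return [r for r in request_space()
            if evaluate(old, r).allowed != evaluate(new, r).allowed]
```

Two things to read off the toy. First, deny-by-default is what makes an internal, non-legal user with no matching policy come back denied without anyone writing a rule for that case. Second, the simulation is only a proof over the attribute space it enumerates; Cedar's own analysis tools reason over the policy language symbolically, which is what removes the "did we enumerate enough" question and is why POL-4 depends on them rather than on an enumerator like this one.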

4. Tradeoffs / Alternatives

Scaling: decisions are cached with a short TTL and the ReBAC graph is sharded by tenant; policy bundles are distributed via GitOps; simulation runs offline as a CI gate on policy PRs. Cache entries must be keyed on everything that determines the answer (policy bundle version, principal, action, resource, context), and the TTL bounds how long a revoked share or a newly applied hold can still be honoured from cache.
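An added example (not BitVault code) of what the decision cache has to get right. Redis is stood in for by an in-memory dict with lazy TTL expiry; the key layout, the per-resource generation counter, the stand-in evaluator and the sample sharing state are all assumptions made for illustration. The walkthrough in demo() shows a hit, the stale-permit window after an unshare, how a generation bump closes it, how a bundle deploy invalidates every old key, and TTL expiry.

```python
# Added example, not BitVault code: what the "short TTL" decision cache has to
# get right. Redis is stood in for by an in-memory dict with lazy expiry; the key
# layout, the per-resource generation counter and the sample sharing state are
# assumptions made for illustration.
import hashlib
import json
import time


class DecisionCache:
    """In-memory stand-in for Redis SETEX/GET with a TTL."""

    def __init__(self, ttl_seconds=5.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so the demo can advance time
        self._store = {}                # key -> (expires_at, decision)

    @staticmethod
    def key(tenant, bundle_version, resource_gen, principal, action, resource, context):
        """Everything that can change the answer goes into the key. The policy
        bundle version and the per-resource generation turn a deploy or an
        unshare into a guaranteed miss without scanning the cache."""
        material = json.dumps(
            [tenant, bundle_version, resource_gen, principal, action, resource, context],
            sort_keys=True, separators=(",", ":"))
        return "authz:" + hashlib.sha256(material.encode()).hexdigest()

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        expires_at, decision = entry
        if self.clock() >= expires_at:  # lazy expiry, as Redis does
            del self._store[key]
            return None
        return decision

    def put(self, key, decision):
        self._store[key] = (self.clock() + self.ttl, decision)


class CachingPDP:
    """PDP front: consult the cache, fall through to the real evaluator on a miss."""

    def __init__(self, decide, cache, bundle_version):
        self.decide = decide            # real evaluator; a stand-in in demo()
        self.cache = cache
        self.bundle_version = bundle_version
        self.resource_gen = {}          # resource -> generation counter
        self.evaluations = 0            # how often the real evaluator ran

    def authorize(self, tenant, principal, action, resource, context):
        key = self.cache.key(tenant, self.bundle_version, self.resource_gen.get(resource, 0),
                             principal, action, resource, context)
        hit = self.cache.get(key)
        if hit is not None:             # denies are cached too: test `is not None`, not truthiness
            return hit
        self.evaluations += 1
        decision = self.decide(principal, action, resource, context)
        self.cache.put(key, decision)
        return decision

    def deploy_bundle(self, version):
        self.bundle_version = version   # GitOps deploy: every old key is now unreachable

    def touch_resource(self, resource):
        """Call on share/unshare/hold changes so cached answers for the resource die now."""
        self.resource_gen[resource] = self.resource_gen.get(resource, 0) + 1


def demo():
    """Hit, stale-after-unshare, generation bump, deploy and TTL expiry, in order."""
    clock = {"t": 0.0}
    cache = DecisionCache(ttl_seconds=5.0, clock=lambda: clock["t"])
    shares = {"file:nda.pdf": {"user:ext-bob"}}               # constructed sharing state
    pdp = CachingPDP(lambda p, a, r, c: p in shares.get(r, set()), cache, "bundle-v1")
    args = ("acme", "user:ext-bob", "view", "file:nda.pdf", {"classification": "confidential"})
    out = {}
    out["first"] = pdp.authorize(*args)                     # miss, evaluates: True
    out["cached"] = pdp.authorize(*args)                    # hit
    out["evaluations_after_hit"] = pdp.evaluations          # 1
    shares["file:nda.pdf"].discard("user:ext-bob")          # unshare in the graph
    out["stale_after_unshare"] = pdp.authorize(*args)       # still True: the window the TTL bounds
    pdp.touch_resource("file:nda.pdf")                      # what the unshare path must also do
    out["after_touch"] = pdp.authorize(*args)               # False, re-evaluated
    out["evaluations_after_touch"] = pdp.evaluations        # 2
    pdp.deploy_bundle("bundle-v2")
    pdp.authorize(*args)
    out["evaluations_after_deploy"] = pdp.evaluations       # 3
    clock["t"] += 6.0                                       # past the TTL
    pdp.authorize(*args)
    out["evaluations_after_ttl"] = pdp.evaluations          # 4
    return out
```

The stale_after_unshare step is the point: a short TTL only bounds the window, it does not close it. Anything that changes the inputs to a decision (sharing tuples, holds, classification, a new bundle) has to change the key or evict, and a generation counter in the key does that without a cache scan.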