Formal policy semantics, a hardened runtime, and audit-ready bundles—specified, built, and checked in the open.
This repository ties together machine-checked specifications (Lean 4), a Rust policy engine with a Wasmtime evaluation path, Python tooling for compliance bundles and linting, and optional Go, Node, and Python bindings. Continuous integration runs formatters, tests, and supply-chain gates so the default branch stays reproducible and reviewable.
| Resource | Description |
|---|---|
| docs/README.md | Index of all documentation |
| Architecture | Data flow, components, CI mapping |
| Contributing | Setup, style, and PR expectations |
| Security | Reporting vulnerabilities, SBOM, tooling |
| Traceability | Lean modules ↔ Rust and automation |
| Layer | Role |
|---|---|
| Specifications | RBAC/ABAC, tenant isolation, and attestation models live under Spec/, checked with Lake. |
| Runtime | The policyengine crate loads policies, evaluates them (including WASM), and supports attestation workflows. |
| Tooling | Scripts and packages under bundle/ and scripts/ produce and validate compliance-oriented artifacts. |
| Bindings | Thin shims in bindings/ integrate with host languages; CI smoke-checks where cross-compilation applies. |
These are the outcomes the codebase is organized around. All are active development areas—not a maturity matrix.
| ID | Theme | Where to look |
|---|---|---|
| SE-1 | RBAC / ABAC semantics | Spec/RBAC/, engine/ |
| SE-2 | Multi-tenant isolation | Spec/Tenant/, FSM and isolation modules |
| SE-3 | Attestation flows | Spec/Attest/, engine attestation helpers, attest-verify |
| SE-4 | WASM policy evaluation | Wasmtime path; WASM smoke job in CI |
| SE-5 | Compliance bundles | bundle/gen.py, bundle/validate_manifest.py |
For a full component list and CI gate mapping, see docs/ARCHITECTURE.md.
flowchart TB
subgraph spec["Formal layer — Lean"]
RBAC["RBAC / ABAC"]
TEN["Tenant FSM and isolation"]
ATT["Attestation model"]
end
subgraph rt["Runtime — Rust"]
PE["policyengine"]
WASM["Wasmtime"]
end
subgraph tools["Tooling"]
GEN["bundle/gen.py"]
VAL["validate_manifest.py"]
LINT["policy_lint.py"]
end
subgraph bind["Bindings"]
B["Go · Node · Python"]
end
RBAC --> PE
TEN --> PE
ATT --> PE
PE --> WASM
PE --> GEN
GEN --> VAL
PE --> bind
LINT -.-> PE
| Path | Contents |
|---|---|
Spec/ |
Lean sources (lake build; smoke: lake exe test_rbac, test_tenant, test_attest) |
engine/ |
policyengine — library plus policyengine-server, rbac-gen, attest-verify |
bundle/ |
Compliance bundle Python package |
bindings/ |
go, node (Neon), python (PyO3) |
examples/ |
Sample policy.yaml files |
scripts/ |
e.g. policy_lint.py — see scripts/README.md |
tests/ |
Python tests |
docs/ |
Architecture and doc index |
.github/workflows/ |
Rust, Lean, Python, security, SBOM, bindings, CodeQL |
Pinned toolchains: lean-toolchain, rust-toolchain.toml.
| Tool | Purpose |
|---|---|
| elan | Installs the pinned Lean toolchain from lean-toolchain |
| rustup | Installs the Rust toolchain from rust-toolchain.toml (1.88) |
| Python 3.12+ | Editable install: pip install -e ".[dev]" via pyproject.toml |
| Docker | Optional — Dockerfile, Dockerfile.sgx, Dockerfile.sev, docker-compose.jepsen.yml |
git clone https://github.com/your-username/security-envelopes.git
cd security-envelopes
# Lean (one-time)
curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh
# Rust (one-time)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
pip install -e ".[dev]"
lake build
cargo build --releaseRun the same categories of checks CI exercises:
# Lean smoke executables (see lakefile.lean)
lake exe test_rbac && lake exe test_tenant && lake exe test_attest
# Rust
cargo fmt --check
cargo clippy --workspace --all-targets -- -D warnings
cargo test --workspace
# Python
ruff check bundle scripts tests
pytest tests/ -v
# Optional locally; required in CI for Rust changes affecting deps
cargo deny check
cargo auditExample policies — examples/ (e.g. examples/01_simple_rbac/policy.yaml):
python scripts/policy_lint.py examples/*/policy.yamlCLI entry points (from repo root):
cargo run -p policyengine --bin rbac-gen -- --help
cargo run -p policyengine --bin attest-verify -- --help
python bundle/gen.py --helpThere is no bundled examples/go/main.go; wire your own tests against the crates and bindings you need.
| Workflow | What it covers |
|---|---|
ci-rust.yml |
fmt, clippy, deny, audit, tests, release binaries, WASM smoke |
ci-lean.yml |
lake build, Lean executables |
ci-python.yml |
ruff, mypy (selected modules), pytest |
policy-lint.yml |
YAML policies under examples/ |
ci-security.yml |
Scheduled audit + deny |
ci-sbom.yml |
SBOM artifact on main (CycloneDX via Anchore action) |
codeql.yml |
CodeQL for Rust |
ci-bindings-*.yml |
Go / Node / Python binding smoke checks |
formal-verify.yml |
Optional external formal verification hook |
Contributing guidelines, pre-commit, and review expectations: CONTRIBUTING.md.
Vulnerability reporting and supply-chain notes: SECURITY.md.
Treat latency and scale figures as deployment-specific until you measure them in your environment and record results in benchmarks or release notes.
MIT.
Lean, the Rust project, Wasmtime, mathlib, and everyone building open, verifiable systems.