# `Condukt.Sandbox.NetworkPolicy.Decider`
[🔗](https://github.com/tuist/condukt/blob/1.5.1/lib/condukt/sandbox/network_policy/decider.ex#L1)

Behaviour and runtime for the `:decide` rule on a
`Condukt.Sandbox.NetworkPolicy`.

A decider receives a `Condukt.Sandbox.NetworkPolicy.Context` and a
`Condukt.Sandbox.NetworkPolicy.Request` and returns `:allow` or
`{:deny, reason}`. Four shapes are accepted as the rule's value:

  * A 2-arity function: `fn ctx, req -> :allow end`
  * `{module, function}` (both atoms): `module.function(ctx, req)`
  * A module atom alone: `module.decide(ctx, req, [])`
  * `{module, opts}` (a keyword list): `module.decide(ctx, req, opts)`

Use `Condukt.Sandbox.NetworkPolicy.AgentDecider` to wrap a Condukt
agent module as a decider.

The knobs that govern invocation are scoped to the decide rule, not
the policy. Pass the `:decide` value as a keyword list with the
callable under `:call` plus any of `:timeout`, `:cache`,
`:context_messages`, `:context_metadata`. A bare callable uses the
defaults.

## Runtime semantics

Decider invocations run in a separate process bounded by the rule's
`:timeout` (default 5000ms). On a timeout, on an exception, or on any
return value other than `:allow` or `{:deny, reason}`, the request is
denied with a structured reason and an entry surfaces in telemetry.

Decisions are cached per session and per host when the rule's `:cache`
is `true` (the default). The cache is in-process and dies with the
session.
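
The four callable shapes and the fail-closed invocation described above, as an added sketch in plain Elixir. It is not Condukt's implementation: the module name `DeciderSketch`, the deny reason terms and the empty maps standing in for the context and request are assumptions.

```elixir
defmodule DeciderSketch do
  # Added illustration, not Condukt's code. Module name and deny reasons are hypothetical.

  # The four callable shapes listed above.
  def call(fun, ctx, req) when is_function(fun, 2), do: fun.(ctx, req)
  def call({m, f}, ctx, req) when is_atom(m) and is_atom(f), do: apply(m, f, [ctx, req])
  def call({m, opts}, ctx, req) when is_atom(m) and is_list(opts), do: m.decide(ctx, req, opts)
  def call(m, ctx, req) when is_atom(m), do: m.decide(ctx, req, [])

  # Fail closed: the callable runs in a monitored, unlinked process, so a crash
  # or hang cannot take the caller down; only a well-formed decision passes.
  def invoke(callable, ctx, req, timeout \\ 5_000) do
    parent = self()
    ref = make_ref()
    {pid, mon} = spawn_monitor(fn -> send(parent, {ref, call(callable, ctx, req)}) end)

    decision =
      receive do
        {^ref, :allow} -> :allow
        {^ref, {:deny, reason}} -> {:deny, reason}
        {^ref, other} -> {:deny, {:invalid_return, other}}
        {:DOWN, ^mon, :process, ^pid, reason} -> {:deny, {:crashed, reason}}
      after
        timeout ->
          Process.exit(pid, :kill)
          # Wait for the kill to land so no result can arrive after cleanup.
          receive do
            {:DOWN, ^mon, :process, ^pid, _} -> {:deny, :timeout}
          end
      end

    Process.demonitor(mon, [:flush])
    # Discard a result that raced with the timeout.
    receive do
      {^ref, _late} -> :ok
    after
      0 -> :ok
    end

    decision
  end
end

# Constructed inputs: empty maps stand in for the Context and Request structs.
IO.inspect(DeciderSketch.invoke(fn _, _ -> :allow end, %{}, %{}))
IO.inspect(DeciderSketch.invoke(fn _, _ -> :maybe end, %{}, %{}))
IO.inspect(DeciderSketch.invoke(fn _, _ -> raise "boom" end, %{}, %{}))
IO.inspect(DeciderSketch.invoke(fn _, _ -> Process.sleep(:infinity) end, %{}, %{}, 100))
```

A callable of an unsupported shape raises inside the spawned process, so it is also reported as a deny rather than reaching the caller.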

# `decide`

```elixir
@callback decide(
  context :: Condukt.Sandbox.NetworkPolicy.Context.t(),
  request :: Condukt.Sandbox.NetworkPolicy.Request.t(),
  opts :: keyword()
) :: :allow | {:deny, term()}
```

# `decide`

Runs the policy's decide rule (if any) and applies the per-session
decision cache. Used by the K8s control bridge when the sidecar
sends a `decision_request`. Returns `{decision, updated_cache}`.

# `invoke`

Invokes a decider once, in an isolated process bounded by `timeout`
milliseconds. Used directly by `Condukt.Sandbox.NetworkPolicy`'s
rule walker when a `:decide` rule fires.

# `policy_spec`

Returns the spec for the policy's first `:decide` rule, or `nil` when
the policy declares no decide rule.

# `spec`

Normalises a `:decide` rule value into a spec map with `:call`,
`:timeout`, `:cache`, `:context_messages`, and `:context_metadata`.

A keyword list is the configured form and must carry the callable
under `:call`. Anything else (function, module, `{module, function}`,
`{module, opts}`) is a bare callable that takes the defaults.

