Services.Approvals.Gate (fnord v0.8.82)

View Source

Minimal in-memory approvals gate for sensitive "finalize" steps (M4).

Provides a tiny API:

Policy:

  • Reads "approvals" -> "mcp_auth_finalize" from Settings.
  • Default: "auto_approve". "require_approval" returns pending.

Usage:

  • Insert a single checkpoint before writing sensitive data (e.g., tokens).
  • Return pending + ref and instruct operators to use the CLI to approve.

Introduced: M4.

Summary

Types

ref()
status()

Functions

approve(ref)

Approve a pending reference.

child_spec(arg)

Returns a specification to start this module under a supervisor.

deny(ref, reason)

Deny a pending reference with a reason.

list()

List all current approvals tracked in memory.

require(resource, opts \\ [])

Require approval for a resource. Returns :approved immediately when policy is auto_approve; otherwise returns {:pending, ref}.

start_link(opts \\ [])
status(ref)

Get status of a reference.

Types

ref()

@type ref() :: String.t()

status()

@type status() :: :pending | :approved | {:denied, String.t()}

Functions

approve(ref)

@spec approve(ref()) :: :ok | {:error, :not_found}

Approve a pending reference.

child_spec(arg)

Returns a specification to start this module under a supervisor.

See Supervisor.

deny(ref, reason)

@spec deny(ref(), String.t()) :: :ok | {:error, :not_found}

Deny a pending reference with a reason.

list()

@spec list() :: [map()]

List all current approvals tracked in memory.

require(resource, opts \\ [])

@spec require(resource :: term(), opts :: keyword()) :: :approved | {:pending, ref()}

Require approval for a resource. Returns :approved immediately when policy is auto_approve; otherwise returns {:pending, ref}.

start_link(opts \\ [])

@spec start_link(keyword()) :: {:ok, pid()} | {:error, term()}

status(ref)

@spec status(ref()) :: status() | {:error, :not_found}

Get status of a reference.