audit, advisories and doctors/setup work

2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions
--- a/docs/modules/policy/guides/assistant-tool-lattice.md
+++ b/docs/modules/policy/guides/assistant-tool-lattice.md
@@ -0,0 +1,29 @@
+# Assistant Tool Lattice Policy Mapping
+
+This guide defines the tool lattice rule schema and default scope mapping for assistant tool calls.
+The lattice is evaluated by Policy Gateway and returns allow or deny decisions for each tool request.
+
+## Default deny behavior
+- If no rule matches a tool request, the decision is deny.
+- A rule must match tool name, action, and any configured tenant, role, scope, or resource filters to allow access.
+
+## Rule fields
+- tool: Tool name or wildcard pattern (for example, "vex.query" or "scanner.*").
+- action: Read or action discriminator (for example, "read" or "action").
+- scopes: Required Authority scopes (one or more).
+- roles: Optional role filters (one or more).
+- tenants: Optional tenant filters (one or more).
+- resource: Optional resource pattern (for example, "sbom:component:*").
+- effect: allow or deny.
+- priority: Integer priority; higher values evaluate first.
+
+## Default scope mapping
+| Tool | Action | Required scopes |
+| --- | --- | --- |
+| vex.query | read | vex:read |
+| sbom.read | read | sbom:read |
+| scanner.findings.topk | read | scanner:read or findings:read |
+
+## Override guidance
+- Use priority to override default rules.
+- Keep rules deterministic by using stable patterns and avoiding ambiguous overlaps.