Authorization

How authorization works in Runtimee

Authorization in Runtimee is the process of determining whether an actor is allowed to perform a specific action (e.g., sending USDC to a target) based on their policies and budget.

The Authorization Flow

  1. Intent: The actor specifies an intent (target, amount, purpose).
  2. Policy Evaluation: The policy engine evaluates all applicable policies against the intent and the actor's current state (budget, etc.).
  3. Decision: Based on the policy results, an authorization decision is made:
    • approved: All policies passed, the action can proceed.
    • denied: At least one policy denied the action.
    • pending-review: At least one policy requires review (and no policies denied).

Policy Evaluation

The policy engine evaluates policies in order of priority (lower priority numbers first). Each policy returns a result:

  • pass: The policy allows the action.
  • deny: The policy denies the action.
  • review: The policy requires manual review.

The final decision is determined by:

  • If any policy returns deny, the decision is denied.
  • Else, if any policy returns review, the decision is pending-review.
  • Else, the decision is approved.

Example

import { PolicyEngine } from "@runtimee/core"
import { createBudgetCheckPolicy, createAllowlistPolicy } from "@runtimee/core/policies"

const engine = new PolicyEngine([
  createBudgetCheckPolicy({ /* ... */ }),
  createAllowlistPolicy({ /* ... */ })
])

const authorization = await engine.evaluate(actor, intent, budgetState)

if (authorization.decision === "approved") {
  // Proceed with the action
} else if (authorization.decision === "denied") {
  // Handle denial
} else {
  // Handle pending review (e.g., flag for manual review)
}
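
The decision rules from the Policy Evaluation section, written out as a stand-alone sketch. This is an added example, not Runtimee's own code: the policy object shape, the sample policies and the choice to treat a throwing or malformed policy result as deny are assumptions made here.

```javascript
// Added illustration, not the @runtimee/core implementation. The policy shape
// ({ name, priority, evaluate }) and all sample values below are hypothetical.
const VALID_RESULTS = new Set(["pass", "deny", "review"]);

function evaluatePolicies(policies, actor, intent, budgetState) {
  // Lower priority numbers are evaluated first.
  const ordered = [...policies].sort((a, b) => a.priority - b.priority);
  const results = ordered.map((policy) => {
    let result;
    try {
      result = policy.evaluate(actor, intent, budgetState);
    } catch (err) {
      result = "deny"; // assumption: a policy that throws fails closed
    }
    // Assumption: any value other than pass/deny/review is treated as deny.
    if (!VALID_RESULTS.has(result)) result = "deny";
    return { policy: policy.name, result };
  });
  // deny outranks review, review outranks pass, regardless of evaluation order.
  let decision = "approved";
  if (results.some((r) => r.result === "deny")) decision = "denied";
  else if (results.some((r) => r.result === "review")) decision = "pending-review";
  return { decision, results };
}

// Constructed sample policies.
const budgetCheck = {
  name: "budget-check", priority: 10,
  evaluate: (_actor, intent, budget) => (intent.amount <= budget.remaining ? "pass" : "deny"),
};
const allowlist = {
  name: "allowlist", priority: 20,
  evaluate: (actor, intent) => (actor.allowedTargets.includes(intent.target) ? "pass" : "review"),
};
const malformed = { name: "malformed", priority: 30, evaluate: () => undefined };

// Constructed actor and budget state.
const actor = { id: "agent-1", allowedTargets: ["0xKNOWN"] };
const budgetState = { remaining: 100 };

function decide(intent, policies = [allowlist, budgetCheck]) {
  return evaluatePolicies(policies, actor, intent, budgetState);
}

console.log(decide({ target: "0xKNOWN", amount: 50, purpose: "invoice" }).decision);
console.log(decide({ target: "0xOTHER", amount: 50, purpose: "invoice" }).decision);
console.log(decide({ target: "0xOTHER", amount: 500, purpose: "invoice" }).decision);
console.log(decide({ target: "0xKNOWN", amount: 50, purpose: "invoice" }, [malformed, allowlist, budgetCheck]).decision);
```

The third call shows a deny and a review in the same evaluation resolving to denied; the fourth shows an otherwise approvable intent being denied because one policy returned no usable result.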
