No hardcoded security rules. Policies define auth requirements, PoP mode, rate limits, and IP allowlists — all declaratively, all auditable.
Every security rule in Enravo Core is defined as a policy — not buried in middleware or scattered across controllers. Auth requirement, PoP mode, rate limits, and IP allowlists are all resolved from a single policy definition at request time.
```php
return [
    'ability' => 'order.create',
    'auth' => 'jwt',
    'pop' => 'required',
    'rate_limit' => [
        'max_attempts' => 30,
        'window' => 60, // seconds
        'priority' => 'app_id', // app_id > user_id > device_id > ip
    ],
    'ip_allowlist' => [
        '10.0.0.0/8',
        '192.168.1.0/24',
    ],
];
```

Rate limits are not global defaults — they are declared per ability inside the policy definition. The engine resolves the limiter key using a strict priority chain: app_id takes precedence over user_id, which takes precedence over device_id, which falls back to IP. Window-based counting ensures fair usage without penalizing legitimate bursts.
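The limiter-key resolution described above, as an added example (not Enravo Core's own code). The function names, the key format, the fixed-window counter and the reading of `priority` as the point where the chain starts are assumptions; the request contexts are constructed.

```php
<?php
declare(strict_types=1);
// Policy fragment copied from the page's definition.
$policy = [
    'ability' => 'order.create',
    'rate_limit' => ['max_attempts' => 30, 'window' => 60, 'priority' => 'app_id'],
];
// Chain order taken from the page's comment: app_id > user_id > device_id > ip.
const KEY_CHAIN = ['app_id', 'user_id', 'device_id', 'ip'];

// Build the limiter key from the highest-priority identifier present (hypothetical helper).
function resolveLimiterKey(array $policy, array $identity): string
{
    // Assumption: 'priority' names the identifier at which the chain starts.
    $start = array_search($policy['rate_limit']['priority'], KEY_CHAIN, true);
    if ($start === false) {
        throw new InvalidArgumentException('unknown rate_limit priority');
    }
    foreach (array_slice(KEY_CHAIN, $start) as $field) {
        if (($identity[$field] ?? '') !== '') {
            // Scope the key by ability so each endpoint is counted independently.
            return "{$policy['ability']}|{$field}|{$identity[$field]}";
        }
    }
    throw new RuntimeException('no identifier available for rate limiting');
}

// Fixed-window counter (assumed scheme); $store stands in for a shared cache.
function allowRequest(array $policy, array $identity, array &$store, int $now): bool
{
    $limit = $policy['rate_limit'];
    $window = intdiv($now, $limit['window']); // index of the current window
    $key = resolveLimiterKey($policy, $identity) . '|' . $window;
    $store[$key] = ($store[$key] ?? 0) + 1;
    return $store[$key] <= $limit['max_attempts'];
}

// Constructed request contexts: one identified app, one anonymous client on the same IP.
$store = [];
$app = ['app_id' => 'app-7', 'user_id' => 'u-1', 'ip' => '10.1.2.3'];
$anon = ['ip' => '10.1.2.3'];
$now = 120000;
for ($i = 1; $i <= 31; $i++) {
    $ok = allowRequest($policy, $app, $store, $now);
}
var_dump($ok);                                            // 31st app request in one window
var_dump(allowRequest($policy, $anon, $store, $now));     // anonymous client, keyed by IP
var_dump(allowRequest($policy, $app, $store, $now + 60)); // same app, next window
```

The identifiers passed in should come from the already verified JWT and PoP context, since a client-chosen `app_id` would let a caller select its own counter.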
Every security decision flows through the policy engine. No exceptions, no bypasses.
Security rules live in policy files, not in application code. Change behavior by updating a definition — no deployments, no regressions.
CIDR-based allowlists enforced at the policy layer. Requests from unauthorized networks are rejected before reaching the controller.
Per-ability rate limiting with priority-based key resolution. Configurable windows and thresholds protect every endpoint independently.
Every policy evaluation is logged. Failed checks trigger alerts with full context — ability, identity, IP, and denial reason.
Every request passes through a deterministic policy pipeline. Each check must pass before the next begins.
Incoming Request
Client request reaches the guard pipeline
Policy Lookup
Resolve the policy definition for the requested ability
Auth Check
Validate JWT or allow unauthenticated based on policy
PoP Verification
Verify Proof-of-Possession signature if required by policy
Rate Limit
Check window-based counters against policy thresholds
IP Check
Validate client IP against CIDR allowlist
Allow / Deny
All checks passed — request proceeds to the controller