Add Enforcement
Enforcement is synchronous. A rule can allow, block, ask, or rewrite a Security Event before the Network/File/Process transport continues.
Workflow
- Choose the enforcement point: `http.request`, `dns.request`, `mcp.request`, `model.request`, `file.activity`, or `process.exec`.
- Write CEL over canonical roots, such as `http.request.host.contains("google")`.
- Validate and backtest with `capsem-admin enforcement`.
- Publish the pack through a signed profile, or use `/enforcement/*` for a runtime overlay.
- Verify match counters, resolved events, logs, VM health, and UI state.
Never author rules against `event.*`; that is the internal representation.
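A local pre-check for the two authoring constraints above (canonical roots only, never `event.*`), to run before a rule is sent for validation. This is an added example, not Capsem code: `lint_rule` and its regular expressions are hypothetical, and it assumes rules use ordinary quoted string literals.

```python
import re

# Enforcement points listed on this page; rules are authored over these roots.
CANONICAL_ROOTS = {
    "http.request", "dns.request", "mcp.request",
    "model.request", "file.activity", "process.exec",
}

# Quoted literals are blanked first so a value such as "event.example" is not
# mistaken for a field reference. (Assumption: no raw or triple-quoted strings.)
_STRING = re.compile(r'"(?:\\.|[^"\\])*"' + "|" + r"'(?:\\.|[^'\\])*'")
# Dotted identifier chain that does not continue a call or index result.
_CHAIN = re.compile(r"(?<![\w.)\]])[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+")
# Any use of the internal root, via field access or index.
_EVENT = re.compile(r"(?<![\w.])event\s*[.\[]")


def lint_rule(expr):
    """Return (sorted canonical roots used, list of problems) for a CEL rule."""
    code = _STRING.sub('""', expr)
    problems = []
    if _EVENT.search(code):
        problems.append("references event.*, the internal representation")
    roots = set()
    for chain in _CHAIN.findall(code):
        root = ".".join(chain.split(".")[:2])
        if root in CANONICAL_ROOTS:
            roots.add(root)
        elif not chain.startswith("event."):
            problems.append(f"unknown root in {chain!r}")
    if not roots:
        problems.append("no canonical enforcement point referenced")
    return sorted(roots), problems


if __name__ == "__main__":
    # Constructed sample rules; only the first appears on this page.
    for rule in (
        'http.request.host.contains("google")',
        'http.request.host == "event.example"',
        'event.http.host == "x"',
        'http.requests.host == "a"',
    ):
        print(rule, "->", lint_rule(rule))
```

Variables bound by CEL macros such as `exists` are reported as unknown roots, so treat that finding as a prompt for manual review rather than a hard failure.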
Runtime API
| Route | Purpose |
|---|---|
| `POST /enforcement/validate` | Compile-check a candidate rule. |
| `POST /enforcement/compile` | Return the compiled plan metadata. |
| `POST /enforcement/backtest` | Replay a rule over supplied events. |
| `GET /enforcement` | List live profile/user/corp/runtime rules. |
| `POST /enforcement` | Add or update a runtime overlay. |
| `DELETE /enforcement/{id}` | Delete a runtime overlay. |
| `GET /enforcement/stats` | Inspect match counters. |
Backtest returns counts plus up to 100 evidence-diverse rows by default.