Policy Deny in Strict Mode

Codename note: Capability docs use public terminology; “Edge” remains internal codename.

What you’re proving

  • Policy deny decisions are not overridable in interceptor logic.

  • Evaluator errors fail closed (deny), not fail open.

  • Deny behavior is test-backed and repeatable.
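
A minimal Go sketch of the first two properties, added here as an illustration and not taken from runtime/interceptor.go. `Decision`, `Evaluator`, `Hook` and `Intercept` are hypothetical names; the real interceptor's API may differ.

```go
package main

import (
	"errors"
	"fmt"
)

// Decision's zero value is Deny, so an unset decision can never allow a call.
type Decision int

const (
	Deny Decision = iota
	Allow
)

// Evaluator and Hook are hypothetical types for this sketch.
type Evaluator func(action string) (Decision, error)
type Hook func(action string) Decision // interceptor logic; may only narrow

// Intercept returns the final decision for action and the reason for it.
func Intercept(eval Evaluator, hooks []Hook, action string) (d Decision, reason string) {
	defer func() { // a panic in the evaluator or a hook also fails closed
		if r := recover(); r != nil {
			d, reason = Deny, fmt.Sprintf("panic: %v", r)
		}
	}()
	if eval == nil {
		return Deny, "no evaluator"
	}
	got, err := eval(action)
	if err != nil { // the error wins even if the decision value says Allow
		return Deny, "evaluator error: " + err.Error()
	}
	if got != Allow { // covers Deny and any out-of-range value
		return Deny, "policy deny" // hooks are never consulted, so no override
	}
	for _, h := range hooks {
		if h(action) != Allow {
			return Deny, "hook deny"
		}
	}
	return Allow, "policy allow"
}

func main() {
	allowAll := []Hook{func(string) Decision { return Allow }}
	deny := func(string) (Decision, error) { return Deny, nil }
	broken := func(string) (Decision, error) { return Allow, errors.New("backend down") }
	fmt.Println(Intercept(deny, allowAll, "fs.write"))
	fmt.Println(Intercept(broken, allowAll, "fs.write"))
}
```
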

Prereqs

  • Repo root: <repo-root>

  • Go toolchain available

Steps

  1. Run deny/fail-closed interceptor tests.

GOCACHE=/tmp/go-build go test ./runtime \
  -run 'TestInterceptorDenyCannotBeOverridden|TestInterceptorFailClosed' -v

  2. Compare with captured output.

sed -n '1,120p' docs/_generated/test-outputs/policy-deny-output.txt

Expected outputs (from real run)

=== RUN   TestInterceptorDenyCannotBeOverridden
--- PASS: TestInterceptorDenyCannotBeOverridden
=== RUN   TestInterceptorFailClosed
--- PASS: TestInterceptorFailClosed
PASS

Verification

  • Test exit code is 0.

  • Both deny/fail-closed tests are present and passing.

  • Output matches docs/_generated/test-outputs/policy-deny-output.txt.

Failure modes

  • Go cache permission errors: set GOCACHE=/tmp/go-build.

  • Wrong Go version: run with the explicit pinned toolchain path above.

Non-goals

  • This does not prove remote control-plane authority (none exists).

  • This does not validate orchestration or fleet convergence behavior.

Evidence

  • runtime/interceptor.go

  • runtime/interceptor_test.go (TestInterceptorDenyCannotBeOverridden, TestInterceptorFailClosed)

  • docs/_generated/test-outputs/policy-deny-output.txt