
Class TrustPolicy

Namespace: Cephalon.Engine.Configuration
Assembly: Cephalon.Engine.dll

Defines package-trust and capability-governance rules for a Cephalon runtime.

public sealed class TrustPolicy

Inheritance: object → TrustPolicy

Inherited members: object.Equals(object?), object.Equals(object?, object?), object.GetHashCode(), object.GetType(), object.ReferenceEquals(object?, object?), object.ToString()

TrustPolicy is the engine's host-owned trust contract. It decides whether independently shipped packages must be explicitly trusted, how capability access is resolved, and which publishers, signer fingerprints, public keys, signing certificates, or assembly checksums are accepted.

Package-loading decisions use this policy together with package metadata from cephalon.package.json, cryptographic signature verification results, and the active package policy. Capability access decisions then flow into runtime introspection and optional HTTP request-time enforcement through the ASP.NET Core host adapters.

TrustPolicy(bool, CapabilityAccess, IReadOnlyList<string>?, IReadOnlyList<string>?, IReadOnlyList<string>?, IReadOnlyList<string>?, IReadOnlyDictionary<string, string>?, IReadOnlyDictionary<string, string>?, IReadOnlyList<string>?, IReadOnlyDictionary<string, CapabilityAccess>?, IReadOnlyDictionary<string, IReadOnlyList<string>>?)


Creates a trust policy.

public TrustPolicy(bool requireTrustedPackages = false, CapabilityAccess defaultCapabilityAccess = CapabilityAccess.Allowed, IReadOnlyList<string>? trustedPackages = null, IReadOnlyList<string>? trustedAssemblies = null, IReadOnlyList<string>? trustedPublishers = null, IReadOnlyList<string>? trustedSignerFingerprints = null, IReadOnlyDictionary<string, string>? trustedSignaturePublicKeys = null, IReadOnlyDictionary<string, string>? trustedSignatureCertificates = null, IReadOnlyList<string>? trustedSignatureCertificateAuthorities = null, IReadOnlyDictionary<string, CapabilityAccess>? capabilities = null, IReadOnlyDictionary<string, IReadOnlyList<string>>? allowedPackageChecksums = null)

requireTrustedPackages bool

true to require independently loaded packages to match at least one trust rule; otherwise package loads may proceed without an explicit trust match.

defaultCapabilityAccess CapabilityAccess

The default access applied when a capability key does not appear in capabilities.

trustedPackages IReadOnlyList<string>?

Package identifiers that should be treated as trusted when package-level allow-listing is in use.

trustedAssemblies IReadOnlyList<string>?

Assembly names that should be treated as trusted when assembly-level allow-listing is in use.

trustedPublishers IReadOnlyList<string>?

Stable publisher identifiers that should be treated as trusted for independently shipped packages.

trustedSignerFingerprints IReadOnlyList<string>?

Signer fingerprints that should be treated as trusted for detached-signature provenance checks.

trustedSignaturePublicKeys IReadOnlyDictionary<string, string>?

Public keys keyed by signing identity or signer fingerprint, used for cryptographic signature verification.

trustedSignatureCertificates IReadOnlyDictionary<string, string>?

Signing certificates keyed by signing identity or signer fingerprint, used for certificate-backed cryptographic signature verification.

trustedSignatureCertificateAuthorities IReadOnlyList<string>?

Root or intermediate certificate authorities used to validate configured signing certificates when certificate-chain verification is enabled.

capabilities IReadOnlyDictionary<string, CapabilityAccess>?

Explicit per-capability access overrides keyed by capability key.

allowedPackageChecksums IReadOnlyDictionary<string, IReadOnlyList<string>>?

Explicit package checksum allow-lists keyed by package identifier.
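A worked example, added here and not part of the Cephalon documentation or code base: the permissive constructor defaults beside a hardened policy that requires a trust match, denies capabilities by default, and pins a package to a checksum. It assumes a CapabilityAccess.Denied member (only Allowed appears on this page), that AllowedPackageChecksums entries are lowercase hex SHA-256 digests of the package artifact (the page does not specify the digest algorithm or encoding), and invented identifiers ("acme", "acme.reports", "reports.read"). SHA256.HashData(Stream) needs .NET 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using Cephalon.Engine.Configuration;

// Added example (not Cephalon's own code). Assumptions not stated on the page:
//  - CapabilityAccess defines Denied as well as Allowed;
//  - allowedPackageChecksums entries are lowercase hex SHA-256 of the package file;
//  - "acme", "acme.reports" and "reports.read" are made-up identifiers.
public static class TrustPolicyBuilder
{
    // Digest a package artifact so the result can be pinned in allowedPackageChecksums.
    // Assumed format: lowercase hex SHA-256 of the file contents.
    public static string Sha256Hex(string packagePath)
    {
        using FileStream stream = File.OpenRead(packagePath);
        byte[] digest = SHA256.HashData(stream);
        return Convert.ToHexString(digest).ToLowerInvariant();
    }

    // The documented constructor defaults: requireTrustedPackages = false and
    // defaultCapabilityAccess = CapabilityAccess.Allowed. Every package loads without a
    // trust match and every capability key resolves to Allowed. Acceptable for local
    // development, not for a host that loads third-party packages.
    public static TrustPolicy Permissive() => new TrustPolicy();

    // Hardened policy: independently shipped packages must match a trust rule, the
    // named package must also match a pinned checksum, and capabilities are denied
    // unless an explicit override grants them.
    public static TrustPolicy Hardened(string packagePath)
    {
        return new TrustPolicy(
            requireTrustedPackages: true,
            defaultCapabilityAccess: CapabilityAccess.Denied, // assumed enum member
            trustedPublishers: new[] { "acme" },
            capabilities: new Dictionary<string, CapabilityAccess>
            {
                ["reports.read"] = CapabilityAccess.Allowed,
            },
            allowedPackageChecksums: new Dictionary<string, IReadOnlyList<string>>
            {
                ["acme.reports"] = new[] { Sha256Hex(packagePath) },
            });
    }

    public static void Main(string[] args)
    {
        string packagePath = args.Length > 0 ? args[0] : "acme.reports.zip";

        TrustPolicy weak = Permissive();
        TrustPolicy strong = Hardened(packagePath);

        // HasValues distinguishes a policy that carries explicit rules from the baseline.
        Console.WriteLine($"permissive: RequireTrustedPackages={weak.RequireTrustedPackages}, HasValues={weak.HasValues}");
        Console.WriteLine($"hardened:   RequireTrustedPackages={strong.RequireTrustedPackages}, HasValues={strong.HasValues}");
        Console.WriteLine($"pinned checksums for acme.reports: {string.Join(", ", strong.AllowedPackageChecksums["acme.reports"])}");
    }
}
```

Pin the checksum of the artifact you actually validated, and regenerate it on every release; a stale pin fails closed, which is the behaviour you want from an allow-list. Before relying on the pin, confirm the digest algorithm and encoding the engine compares against, since this page does not state them.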

AllowedPackageChecksums

Gets the package checksum allow-lists keyed by package identifier.

public IReadOnlyDictionary<string, IReadOnlyList<string>> AllowedPackageChecksums { get; }

IReadOnlyDictionary<string, IReadOnlyList<string>>

Capabilities

Gets the explicit per-capability access rules.

public IReadOnlyDictionary<string, CapabilityAccess> Capabilities { get; }

IReadOnlyDictionary<string, CapabilityAccess>

Default

Gets the default trust policy.

public static TrustPolicy Default { get; }

TrustPolicy

DefaultCapabilityAccess

Gets the default access applied to capability keys without an explicit override.

public CapabilityAccess DefaultCapabilityAccess { get; }

CapabilityAccess

HasValues

Gets a value indicating whether the policy differs from the default baseline.

public bool HasValues { get; }

bool

RequireTrustedPackages

Gets a value indicating whether explicitly discovered packages must satisfy a trust rule.

public bool RequireTrustedPackages { get; }

bool

TrustedAssemblies

Gets the trusted assembly-name allow-list.

public IReadOnlyList<string> TrustedAssemblies { get; }

IReadOnlyList<string>

TrustedPackages

Gets the trusted package identifier allow-list.

public IReadOnlyList<string> TrustedPackages { get; }

IReadOnlyList<string>

TrustedPublishers

Gets the trusted publisher identifier allow-list.

public IReadOnlyList<string> TrustedPublishers { get; }

IReadOnlyList<string>

TrustedSignatureCertificateAuthorities

Gets the configured certificate authorities used to validate trusted signing certificate chains.

public IReadOnlyList<string> TrustedSignatureCertificateAuthorities { get; }

IReadOnlyList<string>

TrustedSignatureCertificates

Gets the configured trusted signing certificates used for certificate-backed detached-signature verification.

public IReadOnlyDictionary<string, string> TrustedSignatureCertificates { get; }

IReadOnlyDictionary<string, string>

TrustedSignaturePublicKeys

Gets the configured trusted public keys used for detached-signature verification.

public IReadOnlyDictionary<string, string> TrustedSignaturePublicKeys { get; }

IReadOnlyDictionary<string, string>

TrustedSignerFingerprints

Gets the trusted signer fingerprint allow-list.

public IReadOnlyList<string> TrustedSignerFingerprints { get; }

IReadOnlyList<string>

FromConfiguration(IConfiguration, string)


Reads a trust policy from configuration.

public static TrustPolicy FromConfiguration(IConfiguration configuration, string sectionPath = "Engine")

configuration IConfiguration

The root configuration that contains the engine section.

sectionPath string

The configuration path that should be interpreted as the engine settings section. The default value is "Engine".

TrustPolicy

The configured trust policy, or Default when no values are supplied.

Merge(TrustPolicy?)

Merges another trust policy into the current policy.

public TrustPolicy Merge(TrustPolicy? other)

other TrustPolicy?

The policy to merge on top of the current instance.

TrustPolicy

A merged trust policy where allow-lists are unioned, keyed rules are overwritten by other, and stricter package-trust requirements remain enabled.

ResolveCapabilityAccess(string)

Resolves the effective access for a capability key.

public CapabilityAccess ResolveCapabilityAccess(string capabilityKey)

capabilityKey string

The capability key to evaluate.

CapabilityAccess

The explicit access configured for capabilityKey, or DefaultCapabilityAccess when no override exists.
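A worked example covering FromConfiguration, Merge and ResolveCapabilityAccess together, added here and not part of the Cephalon documentation or code base. It layers an operator-supplied policy read from configuration under a host-owned hardening policy and then enforces capability access from host code. It assumes a CapabilityAccess.Denied member (only Allowed appears on this page), invented publisher and capability identifiers, and the Microsoft.Extensions.Configuration.Json package for AddJsonFile; no "Engine" section keys are written out because this page does not list them.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;
using Cephalon.Engine.Configuration;

// Added example (not Cephalon's own code). Assumptions not stated on the page:
//  - CapabilityAccess defines Denied as well as Allowed;
//  - "acme", "reports.read", "admin.shell" and "reports.export" are made-up identifiers.
public static class TrustPolicyLayering
{
    public static TrustPolicy Effective(IConfiguration configuration)
    {
        // Operator layer. With no "Engine" section present this is TrustPolicy.Default.
        TrustPolicy operatorPolicy = TrustPolicy.FromConfiguration(configuration, "Engine");

        // Host layer: the rules the host will not let configuration relax.
        var hostPolicy = new TrustPolicy(
            requireTrustedPackages: true,
            defaultCapabilityAccess: CapabilityAccess.Denied, // assumed enum member
            trustedPublishers: new[] { "acme" },
            capabilities: new Dictionary<string, CapabilityAccess>
            {
                ["reports.read"] = CapabilityAccess.Allowed,
                ["admin.shell"] = CapabilityAccess.Denied,
            });

        // Documented Merge semantics: allow-lists are unioned, keyed rules are
        // overwritten by `other`, and a stricter RequireTrustedPackages stays enabled.
        // Merging the host policy last therefore lets configuration add trusted
        // publishers but not switch package trust back off or regrant "admin.shell".
        return operatorPolicy.Merge(hostPolicy);
    }

    // Host-side guard for code paths not covered by the ASP.NET Core adapters.
    // Anything other than Allowed is refused, so an unexpected enum value fails closed.
    public static void RequireCapability(TrustPolicy policy, string capabilityKey)
    {
        CapabilityAccess access = policy.ResolveCapabilityAccess(capabilityKey);
        if (access != CapabilityAccess.Allowed)
        {
            throw new UnauthorizedAccessException(
                $"Capability '{capabilityKey}' resolved to {access} under the effective trust policy.");
        }
    }

    public static void Main()
    {
        IConfiguration configuration = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json", optional: true)
            .Build();

        TrustPolicy policy = Effective(configuration);

        Console.WriteLine($"RequireTrustedPackages = {policy.RequireTrustedPackages}");
        Console.WriteLine($"DefaultCapabilityAccess = {policy.DefaultCapabilityAccess}");
        Console.WriteLine($"TrustedPublishers = {string.Join(", ", policy.TrustedPublishers)}");

        // "reports.export" has no override, so it resolves to the merged policy's
        // DefaultCapabilityAccess rather than to either layer's explicit rules.
        foreach (string key in new[] { "reports.read", "admin.shell", "reports.export" })
        {
            try
            {
                RequireCapability(policy, key);
                Console.WriteLine($"{key}: allowed");
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine($"{key}: refused ({ex.Message})");
            }
        }
    }
}
```

The page specifies how allow-lists, keyed rules and RequireTrustedPackages merge but not which side's DefaultCapabilityAccess survives a merge, so assert the merged policy's DefaultCapabilityAccess in a unit test rather than assuming the host value wins; a deny-by-default host policy that silently merges back to Allowed would undo the hardening for every capability without an explicit override.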