# Control Center - Cedar Policy Engine

A comprehensive Cedar policy engine implementation with advanced security features, compliance checking, and anomaly detection.

## Features

### 🔐 Cedar Policy Engine

- **Policy Evaluation**: High-performance policy evaluation with context injection
- **Versioning**: Complete policy versioning with rollback capabilities
- **Templates**: Configuration-driven policy templates with variable substitution
- **Validation**: Comprehensive policy validation with syntax and semantic checking

### 🛡️ Security & Authentication

- **JWT Authentication**: Secure token-based authentication
- **Multi-Factor Authentication**: MFA support for sensitive operations
- **Role-Based Access Control**: Flexible RBAC with policy integration
- **Session Management**: Secure session handling with timeouts

### 📊 Compliance Framework

- **SOC2 Type II**: Complete SOC2 compliance validation
- **HIPAA**: Healthcare data protection compliance
- **Audit Trail**: Comprehensive audit logging and reporting
- **Impact Analysis**: Policy change impact assessment

### 🔍 Anomaly Detection

- **Statistical Analysis**: Multiple statistical methods (Z-Score, IQR, Isolation Forest)
- **Real-time Detection**: Continuous monitoring of policy evaluations
- **Alert Management**: Configurable alerting through multiple channels
- **Baseline Learning**: Adaptive baseline calculation for improved accuracy

### 🗄️ Storage & Persistence

- **SurrealDB Integration**: High-performance graph database backend
- **Policy Storage**: Versioned policy storage with metadata
- **Metrics Storage**: Policy evaluation metrics and analytics
- **Compliance Records**: Complete compliance audit trails

## Quick Start

### 1. Installation

```
cd src/control-center
cargo build --release
```

### 2. Configuration

Copy the example configuration:

```
cp config.toml.example config.toml
```

Edit `config.toml` for your environment:

```
[database]
url = "surreal://localhost:8000" # Your SurrealDB instance
username = "root"
password = "your-password"

[auth]
jwt_secret = "your-super-secret-key"
require_mfa = true

[compliance.soc2]
enabled = true

[anomaly]
enabled = true
detection_threshold = 2.5
```

### 3. Start the Server

```
./target/release/control-center server --port 8080
```

### 4. Test Policy Evaluation

```
curl -X POST http://localhost:8080/policies/evaluate \
  -H "Content-Type: application/json" \
  -d '{
    "principal": {"id": "user123", "roles": ["Developer"]},
    "action": {"id": "access"},
    "resource": {"id": "sensitive-db", "classification": "confidential"},
    "context": {"mfa_enabled": true, "location": "US"}
  }'
```

## Policy Examples

Cedar denies by default: each `permit` below grants access only when its `when` clause holds, and a request matching no permit is denied. Note that in Cedar the `in` operator expresses entity-hierarchy membership; membership of a string in a set literal is written with `.contains(...)`, which the examples use.

### Multi-Factor Authentication Policy

```
// Permit access to sensitive resources only when the principal has MFA enabled
permit(
  principal,
  action == Action::"access",
  resource
) when {
  resource has classification &&
  ["sensitive", "confidential"].contains(resource.classification) &&
  principal has mfa_enabled &&
  principal.mfa_enabled == true
};
```

### Production Approval Policy

```
// Permit production operations only when an approved role signed off
permit(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete"],
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  principal has approval &&
  ["ProductionAdmin", "SRE"].contains(principal.approval.approved_by)
};
```

### Geographic Restrictions

```
// Allow access only from approved countries (missing geo context is denied)
permit(
  principal,
  action,
  resource
) when {
  context has geo &&
  context.geo has country &&
  ["US", "CA", "GB", "DE"].contains(context.geo.country)
};
```

## CLI Commands

### Policy Management

```
# Validate policies
control-center policy validate policies/

# Test policy with test data
control-center policy test policies/mfa.cedar tests/data/mfa_test.json

# Analyze policy impact
control-center policy impact policies/new_policy.cedar
```

### Compliance Checking

```
# Check SOC2 compliance
control-center compliance soc2

# Check HIPAA compliance
control-center compliance hipaa

# Generate compliance report
control-center compliance report --format html
```

## API Endpoints

### Policy Evaluation

- `POST /policies/evaluate` - Evaluate policy decision
- `GET /policies` - List all policies
- `POST /policies` - Create new policy
- `PUT /policies/{id}` - Update policy
- `DELETE /policies/{id}` - Delete policy

### Policy Versions

- `GET /policies/{id}/versions` - List policy versions
- `GET /policies/{id}/versions/{version}` - Get specific version
- `POST /policies/{id}/rollback/{version}` - Rollback to version

### Compliance

- `GET /compliance/soc2` - SOC2 compliance check
- `GET /compliance/hipaa` - HIPAA compliance check
- `GET /compliance/report` - Generate compliance report

### Anomaly Detection

- `GET /anomalies` - List detected anomalies
- `GET /anomalies/{id}` - Get anomaly details
- `POST /anomalies/detect` - Trigger anomaly detection

## Testing

### Run Unit Tests

```
cargo test
```

### Run Integration Tests

```
cargo test --test integration_tests
```

### Run Policy Tests

```
cargo test --test policy_tests
```

### Run Compliance Tests

```
cargo test --test compliance_tests
```

## Architecture

### Core Components

1. **Policy Engine** (`src/policies/engine.rs`)
   - Cedar policy evaluation
   - Context injection
   - Caching and optimization

2. **Storage Layer** (`src/storage/`)
   - SurrealDB integration
   - Policy versioning
   - Metrics storage

3. **Compliance Framework** (`src/compliance/`)
   - SOC2 checker
   - HIPAA validator
   - Report generation

4. **Anomaly Detection** (`src/anomaly/`)
   - Statistical analysis
   - Real-time monitoring
   - Alert management

5. **Authentication** (`src/auth.rs`)
   - JWT token management
   - Password hashing
   - Session handling

### Configuration-Driven Design

The system follows PAP (Project Architecture Principles) with:

- **No hardcoded values**: All behavior controlled via configuration
- **Dynamic loading**: Policies and rules loaded from configuration
- **Template-based**: Policy generation through templates
- **Environment-aware**: Different configs for dev/test/prod

### Security Features

- **Audit Logging**: All policy evaluations logged
- **Encryption**: Data encrypted at rest and in transit
- **Rate Limiting**: Protection against abuse
- **Input Validation**: Comprehensive validation of all inputs
- **Error Handling**: Secure error handling without information leakage

## Production Deployment

### Docker

```
FROM rust:1.75 as builder
WORKDIR /app
COPY . .
RUN cargo build --release

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates
COPY --from=builder /app/target/release/control-center /usr/local/bin/
EXPOSE 8080
CMD ["control-center", "server"]
```

### Kubernetes

```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: control-center
spec:
  replicas: 3
  selector:
    matchLabels:
      app: control-center
  template:
    metadata:
      labels:
        app: control-center
    spec:
      containers:
        - name: control-center
          image: control-center:latest
          ports:
            - containerPort: 8080
          env:
            - name: DATABASE_URL
              value: "surreal://surrealdb:8000"
```

### Environment Variables

```
# Override config values with environment variables
export CONTROL_CENTER_SERVER_PORT=8080
export CONTROL_CENTER_DATABASE_URL="surreal://prod-db:8000"
export CONTROL_CENTER_AUTH_JWT_SECRET="production-secret"
export CONTROL_CENTER_COMPLIANCE_SOC2_ENABLED=true
```

## Monitoring & Observability

### Metrics

- Policy evaluation latency
- Policy decision distribution
- Anomaly detection rates
- Compliance scores

### Logging

```
// Structured logging with tracing
tracing::info!(
    policy_id = %policy.id,
    principal = %context.principal.id,
    decision = ?result.decision,
    duration_ms = evaluation_time,
    "Policy evaluation completed"
);
```

### Health Checks

```
curl http://localhost:8080/health
```

## Contributing

1. Follow the PAP principles documented in the codebase
2. Add tests for new features
3. Update documentation
4. Ensure compliance checks pass
5. Add appropriate logging and monitoring

## License

This project follows the licensing specified in the parent repository.

## Support

For questions and support, refer to the project documentation or create an issue in the repository.
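Worked example of the Z-score and IQR methods listed under Anomaly Detection, added here and not taken from the project's `src/anomaly/` code: a baseline is learned from past evaluation latencies and a new observation is scored against it, with the Z-score cutoff set to the `detection_threshold = 2.5` from the configuration above. The latency samples are constructed.

```rust
// Added example (not the project's own code): Z-score and IQR anomaly checks
// over a learned baseline of policy-evaluation latencies. The threshold
// mirrors the README's `detection_threshold = 2.5`. All sample data is constructed.

/// Baseline statistics learned from a window of normal observations.
#[derive(Debug, Clone, Copy)]
pub struct Baseline {
    pub mean: f64,
    pub std_dev: f64,
    pub q1: f64,
    pub q3: f64,
}

/// Linear-interpolated quantile of an ascending-sorted, non-empty slice.
fn quantile(sorted: &[f64], q: f64) -> f64 {
    let pos = q * (sorted.len() - 1) as f64;
    let (lo, hi) = (pos.floor() as usize, pos.ceil() as usize);
    sorted[lo] + (sorted[hi] - sorted[lo]) * (pos - lo as f64)
}

/// Learn mean, population standard deviation and quartiles from past samples.
pub fn learn_baseline(samples: &[f64]) -> Baseline {
    let n = samples.len() as f64;
    let mean = samples.iter().sum::<f64>() / n;
    let var = samples.iter().map(|x| (x - mean).powi(2)).sum::<f64>() / n;
    let mut sorted = samples.to_vec();
    sorted.sort_by(|a, b| a.partial_cmp(b).unwrap());
    Baseline { mean, std_dev: var.sqrt(), q1: quantile(&sorted, 0.25), q3: quantile(&sorted, 0.75) }
}

/// Z-score method: flag when |x - mean| / std_dev exceeds `threshold`.
pub fn is_zscore_anomaly(b: &Baseline, x: f64, threshold: f64) -> bool {
    if b.std_dev == 0.0 {
        return x != b.mean; // constant baseline: any change is anomalous
    }
    ((x - b.mean) / b.std_dev).abs() > threshold
}

/// IQR method (Tukey fences): flag when outside [Q1 - 1.5*IQR, Q3 + 1.5*IQR].
pub fn is_iqr_anomaly(b: &Baseline, x: f64) -> bool {
    let iqr = b.q3 - b.q1;
    x < b.q1 - 1.5 * iqr || x > b.q3 + 1.5 * iqr
}

fn main() {
    // Constructed baseline: evaluation latencies in ms from a quiet period.
    let baseline = learn_baseline(&[9.0, 10.0, 11.0, 10.0, 9.5, 10.5, 10.0, 9.0, 11.0, 10.0]);
    for &x in &[11.0f64, 11.6, 12.0] {
        println!("{} ms: z-score={} iqr={}", x, is_zscore_anomaly(&baseline, x, 2.5), is_iqr_anomaly(&baseline, x));
    }
}
```

The two methods disagree on borderline values (11.6 ms trips the IQR fence but not the 2.5 Z-score cutoff), which is why an engine exposes the threshold as configuration and runs more than one method.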