# Control Center - Cedar Policy Engine

A comprehensive Cedar policy engine implementation with advanced security features, compliance checking, and anomaly detection.

## Features

### 🔐 Cedar Policy Engine

- Policy Evaluation: High-performance policy evaluation with context injection
- Versioning: Complete policy versioning with rollback capabilities
- Templates: Configuration-driven policy templates with variable substitution
- Validation: Comprehensive policy validation with syntax and semantic checking

### 🛡️ Security & Authentication

- JWT Authentication: Secure token-based authentication
- Multi-Factor Authentication: MFA support for sensitive operations
- Role-Based Access Control: Flexible RBAC with policy integration
- Session Management: Secure session handling with timeouts

### 📊 Compliance Framework

- SOC2 Type II: Complete SOC2 compliance validation
- HIPAA: Healthcare data protection compliance
- Audit Trail: Comprehensive audit logging and reporting
- Impact Analysis: Policy change impact assessment

### 🔍 Anomaly Detection

- Statistical Analysis: Multiple statistical methods (Z-Score, IQR, Isolation Forest)
- Real-time Detection: Continuous monitoring of policy evaluations
- Alert Management: Configurable alerting through multiple channels
- Baseline Learning: Adaptive baseline calculation for improved accuracy

### 🗄️ Storage & Persistence

- SurrealDB Integration: High-performance graph database backend
- Policy Storage: Versioned policy storage with metadata
- Metrics Storage: Policy evaluation metrics and analytics
- Compliance Records: Complete compliance audit trails

## Quick Start

### 1. Installation

```bash
cd src/control-center
cargo build --release
```

### 2. Configuration

Copy the example configuration:

```bash
cp config.toml.example config.toml
```

Edit config.toml for your environment:

```toml
[database]
url = "surreal://localhost:8000" # Your SurrealDB instance
username = "root"
password = "your-password"

[auth]
jwt_secret = "your-super-secret-key"
require_mfa = true

[compliance.soc2]
enabled = true

[anomaly]
enabled = true
detection_threshold = 2.5
```

### 3. Start the Server

```bash
./target/release/control-center server --port 8080
```

### 4. Test Policy Evaluation

```bash
curl -X POST http://localhost:8080/policies/evaluate \
  -H "Content-Type: application/json" \
  -d '{
    "principal": {"id": "user123", "roles": ["Developer"]},
    "action": {"id": "access"},
    "resource": {"id": "sensitive-db", "classification": "confidential"},
    "context": {"mfa_enabled": true, "location": "US"}
  }'
```

## Policy Examples

### Multi-Factor Authentication Policy

```cedar
// Require MFA for sensitive resources.
// Cedar's `in` operator only works on entities, so string membership
// is tested with a set literal's `.contains()`.
// Note: the quick-start request above carries mfa_enabled in `context`;
// check `context has mfa_enabled && context.mfa_enabled == true` instead
// if your deployment injects the MFA state that way.
permit(
  principal,
  action == Action::"access",
  resource
) when {
  resource has classification &&
  ["sensitive", "confidential"].contains(resource.classification) &&
  principal has mfa_enabled &&
  principal.mfa_enabled == true
};
```

### Production Approval Policy

```cedar
// Require approval for production operations.
// The nested `has` guards against an approval record without approved_by,
// which would otherwise make the condition an evaluation error.
permit(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete"],
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  principal has approval &&
  principal.approval has approved_by &&
  ["ProductionAdmin", "SRE"].contains(principal.approval.approved_by)
};
```

### Geographic Restrictions

```cedar
// Allow access only from approved countries
permit(
  principal,
  action,
  resource
) when {
  context has geo &&
  context.geo has country &&
  ["US", "CA", "GB", "DE"].contains(context.geo.country)
};
```

## CLI Commands

### Policy Management

```bash
# Validate policies
control-center policy validate policies/

# Test policy with test data
control-center policy test policies/mfa.cedar tests/data/mfa_test.json

# Analyze policy impact
control-center policy impact policies/new_policy.cedar
```

### Compliance Checking

```bash
# Check SOC2 compliance
control-center compliance soc2

# Check HIPAA compliance
control-center compliance hipaa

# Generate compliance report
control-center compliance report --format html
```

## API Endpoints

### Policy Evaluation

- POST /policies/evaluate - Evaluate policy decision
- GET /policies - List all policies
- POST /policies - Create new policy
- PUT /policies/{id} - Update policy
- DELETE /policies/{id} - Delete policy

### Policy Versions

- GET /policies/{id}/versions - List policy versions
- GET /policies/{id}/versions/{version} - Get specific version
- POST /policies/{id}/rollback/{version} - Rollback to version

### Compliance

- GET /compliance/soc2 - SOC2 compliance check
- GET /compliance/hipaa - HIPAA compliance check
- GET /compliance/report - Generate compliance report

### Anomaly Detection

- GET /anomalies - List detected anomalies
- GET /anomalies/{id} - Get anomaly details
- POST /anomalies/detect - Trigger anomaly detection

## Testing

### Run Unit Tests

```bash
cargo test
```

### Run Integration Tests

```bash
cargo test --test integration_tests
```

### Run Policy Tests

```bash
cargo test --test policy_tests
```

### Run Compliance Tests

```bash
cargo test --test compliance_tests
```

## Architecture

### Core Components

1. Policy Engine (src/policies/engine.rs)
   - Cedar policy evaluation
   - Context injection
   - Caching and optimization

2. Storage Layer (src/storage/)
   - SurrealDB integration
   - Policy versioning
   - Metrics storage

3. Compliance Framework (src/compliance/)
   - SOC2 checker
   - HIPAA validator
   - Report generation

4. Anomaly Detection (src/anomaly/)
   - Statistical analysis
   - Real-time monitoring
   - Alert management

5. Authentication (src/auth.rs)
   - JWT token management
   - Password hashing
   - Session handling

### Configuration-Driven Design

The system follows PAP (Project Architecture Principles) with:

- No hardcoded values: All behavior controlled via configuration
- Dynamic loading: Policies and rules loaded from configuration
- Template-based: Policy generation through templates
- Environment-aware: Different configs for dev/test/prod

### Security Features

- Audit Logging: All policy evaluations logged
- Encryption: Data encrypted at rest and in transit
- Rate Limiting: Protection against abuse
- Input Validation: Comprehensive validation of all inputs
- Error Handling: Secure error handling without information leakage

## Production Deployment

### Docker

```dockerfile
# Build stage
FROM rust:1.75 as builder
WORKDIR /app
COPY . .
RUN cargo build --release

# Runtime stage: only the binary and CA certificates
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/target/release/control-center /usr/local/bin/
EXPOSE 8080
CMD ["control-center", "server"]
```

### Kubernetes

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: control-center
spec:
  replicas: 3
  selector:
    matchLabels:
      app: control-center
  template:
    metadata:
      labels:
        app: control-center
    spec:
      containers:
        - name: control-center
          image: control-center:latest
          ports:
            - containerPort: 8080
          env:
            - name: DATABASE_URL
              value: "surreal://surrealdb:8000"
```

### Environment Variables

```bash
# Override config values with environment variables
export CONTROL_CENTER_SERVER_PORT=8080
export CONTROL_CENTER_DATABASE_URL="surreal://prod-db:8000"
export CONTROL_CENTER_AUTH_JWT_SECRET="production-secret"
export CONTROL_CENTER_COMPLIANCE_SOC2_ENABLED=true
```

## Monitoring & Observability

### Metrics

- Policy evaluation latency
- Policy decision distribution
- Anomaly detection rates
- Compliance scores

### Logging

```rust
// Structured logging with tracing
tracing::info!(
    policy_id = %policy.id,
    principal = %context.principal.id,
    decision = ?result.decision,
    duration_ms = evaluation_time,
    "Policy evaluation completed"
);
```

### Health Checks

```bash
curl http://localhost:8080/health
```

## Contributing

1. Follow the PAP principles documented in the codebase
2. Add tests for new features
3. Update documentation
4. Ensure compliance checks pass
5. Add appropriate logging and monitoring

## License

This project follows the licensing specified in the parent repository.

## Support

For questions and support, refer to the project documentation or create an issue in the repository.
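As an added illustration of the Anomaly Detection feature (Z-Score and IQR over the policy evaluation latency metric, with the `detection_threshold = 2.5` from the sample config.toml), here is a stand-alone detector written for this README; it is not code from the Control Center repository, and the names `Baseline` and `SAMPLE_LATENCIES_MS` are assumptions.

```rust
// Added example, not part of the Control Center code base: a stand-alone
// Z-score + IQR anomaly check over policy-evaluation latencies, using the
// `detection_threshold = 2.5` from the sample config.toml. All names here
// (Baseline, SAMPLE_LATENCIES_MS, ...) are hypothetical.

/// Constructed sample: latencies (ms) of eight normal policy evaluations.
pub const SAMPLE_LATENCIES_MS: [f64; 8] = [10.0, 12.0, 11.0, 13.0, 10.0, 12.0, 11.0, 12.0];

/// Baseline statistics learned from a window of normal observations.
pub struct Baseline { mean: f64, std_dev: f64, q1: f64, q3: f64 }

impl Baseline {
    /// Learn mean, population std-dev and quartiles; needs at least 4 samples.
    pub fn learn(samples: &[f64]) -> Option<Baseline> {
        if samples.len() < 4 {
            return None;
        }
        let n = samples.len() as f64;
        let mean = samples.iter().sum::<f64>() / n;
        let var = samples.iter().map(|x| (x - mean).powi(2)).sum::<f64>() / n;
        let mut sorted = samples.to_vec();
        sorted.sort_by(|a, b| a.total_cmp(b)); // NaN-safe ordering
        let quantile = |p: f64| sorted[((sorted.len() - 1) as f64 * p).round() as usize];
        Some(Baseline { mean, std_dev: var.sqrt(), q1: quantile(0.25), q3: quantile(0.75) })
    }

    /// Z-score of a new observation; 0 when the baseline has no spread.
    pub fn z_score(&self, x: f64) -> f64 {
        if self.std_dev == 0.0 { 0.0 } else { (x - self.mean) / self.std_dev }
    }

    /// Tukey rule: outside [q1 - 1.5*IQR, q3 + 1.5*IQR].
    pub fn iqr_outlier(&self, x: f64) -> bool {
        let iqr = self.q3 - self.q1;
        x < self.q1 - 1.5 * iqr || x > self.q3 + 1.5 * iqr
    }

    /// Flag when either method fires; `threshold` is anomaly.detection_threshold.
    pub fn is_anomalous(&self, x: f64, threshold: f64) -> bool {
        self.z_score(x).abs() >= threshold || self.iqr_outlier(x)
    }
}

fn main() {
    let baseline = Baseline::learn(&SAMPLE_LATENCIES_MS).expect("enough samples");
    // 13.6 ms stays below the Z-score threshold but falls outside the IQR fence.
    for latency in [12.0, 13.6, 40.0] {
        println!("{latency:>5.1} ms  z={:+.2}  anomalous={}",
                 baseline.z_score(latency), baseline.is_anomalous(latency, 2.5));
    }
}
```

Combining both methods matters because a Z-score threshold of 2.5 alone misses modest outliers when the baseline variance is small, while the IQR fence is insensitive to the few extreme values that inflate the standard deviation.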