Enforcement Pipeline

Unified enterprise enforcement gate — RBAC, quota, policy, analytics, and anomaly detection in a single call.

The enforcement pipeline is the primary entry point for enterprise governance. It chains 6 stages in a single enforce() call: RBAC, quota, policy evaluation, incident creation, analytics recording, and anomaly detection.

Setup

import { createEnforcementPipeline } from '@lua-ai-global/governance-enterprise';

const pipeline = createEnforcementPipeline({
  tenantId: 'org_acme',
  gov,
  rbac,
  incidents,
  analytics,    // optional
  anomaly,      // optional
  quota: { storage, tenant },  // optional
  skipStages: [],
  autoIncidentSeverity: 'medium',
});

Pipeline Stages

The pipeline runs these stages in order. If any stage blocks, subsequent stages are skipped:

RBAC: Checks if the caller has the required permission for the action. Default permission: agents:write.
Quota: Verifies the tenant hasn't exceeded their plan's enforcement quota. Fail-open if quota service is unavailable.
Policy: Delegates to the core gov.enforce() — evaluates all policy rules against the proposed action.
Incident: If the action was blocked by policy, auto-creates an incident record (unless noAutoIncident is set).
Analytics: Records the enforcement event for fleet analytics dashboards.
Anomaly: Ingests the event into the anomaly detector for behavioral analysis.

Usage

const result = await pipeline.enforce({
  agentId: 'support-agent',
  agentName: 'Support Agent',
  action: 'tool_call',
  tool: 'ticket_update',
  requiredPermission: 'agents:write',
  callerRole: 'operator',
});

// result:
// {
//   allowed: true,
//   agentId: 'support-agent',
//   action: 'tool_call',
//   stagesPassed: ['rbac', 'quota', 'policy', 'analytics', 'anomaly'],
//   timestamp: '2026-03-10T14:30:00Z',
//   durationMs: 2.3,
// }

Blocked Result

// {
//   allowed: false,
//   blockedAt: 'policy',
//   blockReason: 'policy_blocked',
//   blockDetail: "Tool 'shell_exec' is blocked by policy",
//   stagesPassed: ['rbac', 'quota'],
//   incidentId: 'inc_abc123',
//   durationMs: 1.8,
// }

Types

type PipelineStage = 'rbac' | 'quota' | 'policy' | 'incident' | 'analytics' | 'anomaly';

type BlockReason = 'rbac_denied' | 'quota_exceeded' | 'policy_blocked' | 'pipeline_error';

interface PipelineResult {
  allowed: boolean;
  agentId: string;
  action: string;
  blockedAt?: PipelineStage;
  blockReason?: BlockReason;
  blockDetail?: string;
  stagesPassed: PipelineStage[];
  incidentId?: string;
  quotaStatus?: QuotaStatus;
  timestamp: string;
  durationMs: number;
}

Stats

const stats = pipeline.stats();
// {
//   total: 1240,
//   allowed: 1202,
//   blocked: 38,
//   blocksByStage: { rbac: 2, quota: 1, policy: 35, ... },
//   avgDurationMs: 2.1,
//   incidentsCreated: 35,
// }

Skipping Stages

For lightweight deployments or testing, skip individual stages:

const pipeline = createEnforcementPipeline({
  ...config,
  skipStages: ['analytics', 'anomaly'],
});

// Or per-call:
const result = await pipeline.enforce({
  ...input,
  skipStages: ['quota'],
});