Safety Kernel

The Safety Kernel is Cordum’s policy decision point. It evaluates input policy before dispatch, supports constraint-bearing responses, merges file and config-service bundles, and exposes gRPC methods for evaluation, explanation, simulation, and snapshot inspection.

Decision types
allow, deny, require_approval, throttle, allow_with_constraints

Unavailability is not a value in the policy decision enum. The gateway and the scheduler each have their own fail-mode configuration for safety-service outages.

Match fields
tenants, topics, capabilities, risk_tags, requires, pack_ids, actor_ids, actor_types, labels, secrets_present, mcp

Policy model

safety.yaml
rules:
  - id: deny-prod-delete
    decision: deny
    reason: "Only approved workflows may delete production data"
    match:
      topics: ["job.db.delete"]
      risk_tags: ["prod", "write"]

  - id: require-approval-kubectl
    decision: require_approval
    match:
      capabilities: ["kubectl.apply"]
      actor_types: ["service"]

  - id: constrain-heavy-jobs
    decision: allow_with_constraints
    match:
      risk_tags: ["network"]

MCP-aware rules are also supported through the mcp match block and allow/deny lists for servers, tools, resources, and actions.

safety.proto
service SafetyKernel {
  rpc Check(PolicyCheckRequest) returns (PolicyCheckResponse);
  rpc Evaluate(PolicyCheckRequest) returns (PolicyCheckResponse);
  rpc Explain(PolicyCheckRequest) returns (PolicyCheckResponse);
  rpc Simulate(PolicyCheckRequest) returns (PolicyCheckResponse);
  rpc ListSnapshots(ListSnapshotsRequest) returns (ListSnapshotsResponse);
}

Overlays and reloads
  • Base policy can come from SAFETY_POLICY_PATH or SAFETY_POLICY_URL.
  • Config-service fragments are merged from cfg:system:policy by default.
  • Policies hot-reload on a configurable interval and maintain recent snapshot history.
  • In production, Ed25519 policy signature verification is enforced unless explicitly disabled.
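
The signature gate described in the last bullet, as an added example that is not Cordum's own code: a loader that fails closed when the policy bytes do not verify against a trusted Ed25519 public key. The detached-signature layout, the function names, the enforce flag and the demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed sample policy bytes, based on the rule shown on this page.
var samplePolicy = []byte("rules:\n  - id: deny-prod-delete\n    decision: deny\n")

// signDemo (hypothetical helper) signs policy with a key derived from a
// constructed all-zero seed. Demo only: a real signing key is generated
// randomly and kept away from the service that verifies.
func signDemo(policy []byte) (sig []byte, pub ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return ed25519.Sign(priv, policy), priv.Public().(ed25519.PublicKey)
}

// verifyPolicy (hypothetical loader gate) returns the policy bytes only if the
// detached signature verifies, or if enforcement was explicitly disabled.
func verifyPolicy(policy, sig []byte, pub ed25519.PublicKey, enforce bool) ([]byte, error) {
	if !enforce {
		return policy, nil // explicit opt-out: policy is loaded unverified
	}
	if len(pub) != ed25519.PublicKeySize {
		// ed25519.Verify panics on a wrong-sized key, so reject it first.
		return nil, errors.New("policy rejected: bad public key length")
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, errors.New("policy rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pub, policy, sig) {
		return nil, errors.New("policy rejected: signature mismatch")
	}
	return policy, nil
}

func main() {
	sig, pub := signDemo(samplePolicy)
	_, err := verifyPolicy(samplePolicy, sig, pub, true)
	fmt.Println("signed policy error:", err)

	// An appended rule invalidates the signature, so the old policy stays active.
	tampered := append(append([]byte{}, samplePolicy...), "  - id: allow-all\n"...)
	_, err = verifyPolicy(tampered, sig, pub, true)
	fmt.Println("tampered policy error:", err)
}
```

Running the same check on every hot-reload, not only at startup, keeps a policy file modified on disk or at the URL from being swapped in unverified.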

Source of truth: docs/safety-kernel.md