@@ -27,7 +27,7 @@ It should carry:
2727- entry transport: CONNECT, forward HTTP, transparent TCP, local HTTP, policy
2828 DNS, or metadata loopback;
2929- requested destination host/port or captured original IP/port;
30- - process identity inputs collected by the adapter/runtime;
30+ - optional process identity inputs collected by the adapter/runtime;
3131- optional first HTTP request for forward proxy traffic;
3232- optional local service route;
3333- policy generation or DNS mapping generation when relevant.
@@ -46,7 +46,7 @@ It should carry:
4646- whether the policy is user-authored, provider-derived, or local-service
4747 internal;
4848- deterministic matched endpoint identifier and endpoint metadata;
49- - process identity used for evaluation;
49+ - process identity availability and any identity fields used for evaluation;
5050- destination and allowed IP constraints;
5151- TLS behavior;
5252- protocol enforcement;
@@ -94,7 +94,7 @@ enum EgressTransport {
9494struct EgressIntent {
9595 transport : EgressTransport ,
9696 destination : RequestedDestination ,
97- process : ProcessIdentity ,
97+ process : ProcessIdentityEvidence ,
9898 first_request : Option <ParsedHttpRequest >,
9999 local_route : Option <LocalRoute >,
100100 generation : Option <PolicyGeneration >,
@@ -104,10 +104,27 @@ struct EgressDecision {
104104 outcome : PolicyOutcome ,
105105 matched_policy : Option <MatchedPolicy >,
106106 endpoint : Option <MatchedEndpoint >,
107+ process : EvaluatedProcessIdentity ,
107108 request_processing : RequestProcessingPlan ,
108109 log_context : EgressLogContext ,
109110}
110111
112+ enum ProcessIdentityEvidence {
113+ Available (ProcessIdentity ),
114+ Unavailable (ProcessIdentityUnavailableReason ),
115+ }
116+
117+ enum ProcessIdentityUnavailableReason {
118+ RuntimeMode ,
119+ UnsupportedAdapter ,
120+ LookupFailed ,
121+ }
122+
123+ struct EvaluatedProcessIdentity {
124+ evidence : ProcessIdentityEvidence ,
125+ fields_used : Vec <ProcessIdentityField >,
126+ }
127+
111128struct MatchedPolicy {
112129 id : PolicyId ,
113130 source : PolicySource ,
@@ -213,6 +230,27 @@ struct RelayContext {
213230validated destination and lets relays/processors open an upstream connection
214231only after protocol policy allows it.
215232
233+ ## Process Identity Availability
234+
235+ Process identity is evidence, not an always-present input. Embedded supervisor
236+ mode can usually populate binary, PID, ancestry, command-line path, and binary
237+ hash data. Network-only, standalone binary, or sidecar proxy modes may
238+ intentionally have no local process metadata. That should be represented as
239+ ` ProcessIdentityEvidence::Unavailable(RuntimeMode) ` , not as an empty string
240+ that accidentally matches policy.
241+
242+ Authorization should evaluate only identity dimensions that are available. If
243+ no identity is available, binary/path scoped policy should either be skipped as
244+ non-matching or rejected at policy/capability validation time, depending on the
245+ runtime mode contract. The important invariant is that missing identity must
246+ not produce a synthetic binary, broaden a binary-scoped allow rule, or cause
247+ the relay to query process metadata later. During ` EgressDecision ` hydration,
248+ absent process evidence should be carried forward as unavailable identity and
249+ process-derived fields should be omitted from the hydrated decision. The
250+ decision should record identity availability and fields used so OCSF logs and
251+ deny responses can distinguish "policy denied this binary" from "this runtime
252+ did not provide process identity."
253+
216254## Current Owners And Proposed Cleanup
217255
218256| Current owner | Current responsibility | Proposed cleanup |
0 commit comments