Skip to content

Add a CLI verb to set HTTP host read-only access (izba policy allow --read) #84

Description

@Lupus

What

Add a --read flag to izba policy allow so a user can restrict an HTTP(S) host to read-only access (GET/HEAD only) from the CLI, e.g. izba policy allow --read <NAME> <HOST>.

Why

The access: read control already exists in the policy model (Access::{Read,ReadWrite} in crates/izba-core/src/daemon/egress/config.rs) and is enforced by the HTTP layer, but it is unreachable without hand-editing policy.yaml. Meanwhile the git sub-surface exposes the equivalent split via izba policy git allow --write. This asymmetry makes read-only egress — a core least-privilege value for package mirrors and read-only APIs — undiscoverable and inconsistent. The gap was independently surfaced in loop-1 (D2) and loop-2 (U1) of the LLM dogfooding programme.

In Scope

  • Add a --read flag to the Allow variant in crates/izba-cli/src/commands/policy.rs, symmetric with GitSub::Allow's --write.
  • Wire the flag to Access::Read vs the existing Access::ReadWrite default when constructing the host entry.
  • Ensure izba policy show reflects the access: read annotation for hosts added this way.
  • Update the izba policy allow --help text to document --read and its effect.

Out of Scope

  • The git allow --write flag (already exists).
  • HTTP method enforcement logic (already implemented in the MITM layer).
  • Changing the default access level — omitting --read continues to produce access: read-write (back-compat).
  • A corresponding explicit --read-write flag (keep the default implicit).

Acceptance Criteria

  • izba policy allow --read <NAME> <HOST> records the host with access: read.
  • izba policy allow <NAME> <HOST> (no flag) continues to record access: read-write (back-compat preserved).
  • izba policy show <NAME> displays read vs read-write for each HTTP host entry.
  • A GET/HEAD request to a host added with --read succeeds and appears in izba netlog; a POST/PUT to it is blocked and the block appears in izba netlog.
  • The --help output for izba policy allow documents --read and its semantics.
  • Existing izba policy allow tests remain green; a test covers the --readAccess::Read path through the CLI.

INVEST Notes

  • Independent: a narrow CLI addition; the underlying Access::Read model and enforcement already exist.
  • Negotiable: flag naming (--read) and whether policy show wording changes are open.
  • Valuable: closes a real least-privilege discoverability gap and the HTTP/git asymmetry.
  • Estimable: yes — one clap flag, one conditional on Access::Read, a policy show display pass.
  • Small: S — one file plus a test; reuses existing enforcement + netlog for verification.
  • Testable: CLI --read writes access: read; netlog shows GET allowed / POST blocked.
  • Provenance: loop-1 D2 / loop-2 U1 dogfooding finding.

Metadata

Metadata

Assignees

No one assigned

    Labels

    effort:SSmall: focused change in one file or componentpriority:P2Medium: planned work; not blocking anything criticaltype:featureNew capability or user-visible behaviour not yet present

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions