What
Add a --read flag to izba policy allow so a user can restrict an HTTP(S) host to read-only access (GET/HEAD only) from the CLI, e.g. izba policy allow --read <NAME> <HOST>.
Why
The access: read control already exists in the policy model (Access::{Read,ReadWrite} in crates/izba-core/src/daemon/egress/config.rs) and is enforced by the HTTP layer, but it is unreachable without hand-editing policy.yaml. Meanwhile the git sub-surface exposes the equivalent split via izba policy git allow --write. This asymmetry makes read-only egress — a core least-privilege value for package mirrors and read-only APIs — undiscoverable and inconsistent. The gap was independently surfaced in loop-1 (D2) and loop-2 (U1) of the LLM dogfooding programme.
In Scope
- Add a
--read flag to the Allow variant in crates/izba-cli/src/commands/policy.rs, symmetric with GitSub::Allow's --write.
- Wire the flag to
Access::Read vs the existing Access::ReadWrite default when constructing the host entry.
- Ensure
izba policy show reflects the access: read annotation for hosts added this way.
- Update the
izba policy allow --help text to document --read and its effect.
Out of Scope
- The
git allow --write flag (already exists).
- HTTP method enforcement logic (already implemented in the MITM layer).
- Changing the default access level — omitting
--read continues to produce access: read-write (back-compat).
- A corresponding explicit
--read-write flag (keep the default implicit).
Acceptance Criteria
INVEST Notes
- Independent: a narrow CLI addition; the underlying
Access::Read model and enforcement already exist.
- Negotiable: flag naming (
--read) and whether policy show wording changes are open.
- Valuable: closes a real least-privilege discoverability gap and the HTTP/git asymmetry.
- Estimable: yes — one clap flag, one conditional on
Access::Read, a policy show display pass.
- Small: S — one file plus a test; reuses existing enforcement + netlog for verification.
- Testable: CLI
--read writes access: read; netlog shows GET allowed / POST blocked.
- Provenance: loop-1 D2 / loop-2 U1 dogfooding finding.
What
Add a
--readflag toizba policy allowso a user can restrict an HTTP(S) host to read-only access (GET/HEAD only) from the CLI, e.g.izba policy allow --read <NAME> <HOST>.Why
The
access: readcontrol already exists in the policy model (Access::{Read,ReadWrite}incrates/izba-core/src/daemon/egress/config.rs) and is enforced by the HTTP layer, but it is unreachable without hand-editingpolicy.yaml. Meanwhile the git sub-surface exposes the equivalent split viaizba policy git allow --write. This asymmetry makes read-only egress — a core least-privilege value for package mirrors and read-only APIs — undiscoverable and inconsistent. The gap was independently surfaced in loop-1 (D2) and loop-2 (U1) of the LLM dogfooding programme.In Scope
--readflag to theAllowvariant incrates/izba-cli/src/commands/policy.rs, symmetric withGitSub::Allow's--write.Access::Readvs the existingAccess::ReadWritedefault when constructing the host entry.izba policy showreflects theaccess: readannotation for hosts added this way.izba policy allow--helptext to document--readand its effect.Out of Scope
git allow --writeflag (already exists).--readcontinues to produceaccess: read-write(back-compat).--read-writeflag (keep the default implicit).Acceptance Criteria
izba policy allow --read <NAME> <HOST>records the host withaccess: read.izba policy allow <NAME> <HOST>(no flag) continues to recordaccess: read-write(back-compat preserved).izba policy show <NAME>displaysreadvsread-writefor each HTTP host entry.--readsucceeds and appears inizba netlog; a POST/PUT to it is blocked and the block appears inizba netlog.--helpoutput forizba policy allowdocuments--readand its semantics.izba policy allowtests remain green; a test covers the--read→Access::Readpath through the CLI.INVEST Notes
Access::Readmodel and enforcement already exist.--read) and whetherpolicy showwording changes are open.Access::Read, apolicy showdisplay pass.--readwritesaccess: read; netlog shows GET allowed / POST blocked.