Policy & Decision Engines

Use this path when the real governed surface is Cedar, Drools, IBM ODM, or OPA rather than a generic application runtime.

These are first-class setup docs for deterministic policy and decision engines, not a footnote under generic runtime instrumentation.

Use This Page When...

• Cedar authorization is the real decision surface
• Drools is firing the consequential rules
• IBM ODM is the live business-rules execution layer
• OPA policy evaluation is the thing you actually need to prove

Quick Package Map

The Setup Flow

1. Complete governance setup in the app: programs, applicability, obligations, controls, approval.
2. Pin the policy or rule version you are actually evaluating.
3. Wrap the real engine evaluation call with the matching adapter.
4. Record the evaluation after the engine returns its real result.
5. Emit the VPEC and verify it locally with primust-verify.

The core rule is simple: do not instrument around the engine if the engine itself is where the consequential decision happens.

What You Usually Get Back

These adapters are strong because the policy engines are deterministic. Same input plus same pinned policy or rule base should produce the same result.

Cedar

Use primust-cedar when Cedar authorization is the live decision surface.

<dependency>
  <groupId>com.primust</groupId>
  <artifactId>primust-cedar</artifactId>
  <version>0.1.0</version>
</dependency>

Setup pattern: keep your existing isAuthorized() call, then record the evaluation with the adapter and the pinned policy-set hash.

• Pin: SHA-256(policy_set)
• Record after: Cedar decision returns
• Why it is strong: deterministic authz evaluation with local commitments

Drools

Use primust-drools when Drools KIE is firing the real consequential rules.

<dependency>
  <groupId>com.primust</groupId>
  <artifactId>primust-drools</artifactId>
  <version>0.1.0</version>
</dependency>

Setup pattern: keep your existing KieSession.fireAllRules() flow, then record the evaluation or per-rule details after execution.

• Pin: the active rule base
• Record after: fireAllRules()
• Why it is strong: same facts plus same rules equals same outcome

IBM ODM

Use primust-odm when IBM ODM is the business-rules execution layer you actually rely on.

<dependency>
  <groupId>com.primust</groupId>
  <artifactId>primust-odm</artifactId>
  <version>0.1.0</version>
</dependency>

Setup pattern: keep your existing IlrStatelessSession.execute() flow, then record the ruleset parameters, rules fired, and decision output.

• Pin: rule app and rule set
• Record after: ODM execution returns
• Special note: ODM runtime JARs come from IBM Passport Advantage, not Maven Central

OPA

Use primust-opa when OPA Rego policy evaluation is the real policy boundary.

go get github.com/primust-dev/primust-opa

Setup pattern: keep your existing rego.PreparedEvalQuery, then run it through the adapter’s Eval() with a pinned policy hash.

• Pin: SHA-256(rego)
• Record during: adapter-managed Eval()
• Why it is strong: deterministic policy evaluation with local input and output commitments

Verify The Result

pip install primust-verify
primust verify vpec.json --trust-root primust-pubkey.pem

The local verifier is still the preferred review path for production or audit use.

Policy Engines vs Connectors

Primust Docs · dedicated setup guide for deterministic policy and decision engines.