Rule Engine Policy | Docs | TitaniumGuard

Rule Engine Policy

Proxy Rule Engine Policy

TitaniumGuard Proxy now uses the rule engine as the only traffic flow control path for HTTP and CONNECT traffic.

Canonical policy spec artifact:

  • products/proxy/proxy_rule_engine_policy_spec.json

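Minimal runtime config

The `identity_headers` block names the request headers that carry org, team, user and groups. This page does not say which component sets them. Since the example policy below selects an ORG rule set by `org_id`, presumably from these values, the headers should be set by a trusted authenticating component, and client-supplied copies should be stripped before evaluation.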

{
  "policy_file_path": "/etc/titaniumguard/proxy-policy.json",
  "identity_headers": {
    "org": "x-tg-org",
    "team": "x-tg-team",
    "user": "x-tg-user",
    "groups": "x-tg-groups"
  },
  "rule_engine": {
    "max_trace_facts": 64,
    "enable_explain_logs": true
  }
}

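Example: Global deny + org allow

The default action is DENY, so presumably a request that matches no rule is denied. This page does not define `ENDS_WITH` or `IN`. If they are plain string comparisons, the suffix `.malware.test` does not cover the apex host `malware.test`, and the allow list covers `slack.com` and `github.com` but not their subdomains. Confirm against the policy spec.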

{
  "defaults": { "action": "DENY", "log_level": "info", "fail_closed": true },
  "evaluation": {
    "mode": "ORDERED",
    "first_match_wins": true,
    "tie_breakers": ["priority_desc", "specificity_desc", "updated_at_desc", "rule_id_asc"],
    "merge_rule_sets": ["global-baseline", "org-overrides"]
  },
  "rule_sets": [
    {
      "id": "global-baseline",
      "scope": "GLOBAL",
      "enabled": true,
      "rules": [
        {
          "id": "deny-malware",
          "enabled": true,
          "priority": 900,
          "description": "Block malware",
          "when": { "all": [{ "field": "req.host", "op": "ENDS_WITH", "value": ".malware.test" }], "any": [], "not": [] },
          "action": { "type": "DENY", "deny": { "reason": "malware_domain", "status_code": 403, "body": "Blocked" } },
          "provenance": { "created_at": "2026-03-04T00:00:00Z", "updated_at": "2026-03-04T00:00:00Z", "created_by": "security" }
        }
      ]
    },
    {
      "id": "org-overrides",
      "scope": "ORG",
      "enabled": true,
      "selectors": { "org_id": "acme" },
      "rules": [
        {
          "id": "allow-saas",
          "enabled": true,
          "priority": 700,
          "description": "Allow approved SaaS",
          "when": { "all": [{ "field": "req.host", "op": "IN", "value": ["slack.com", "github.com"] }], "any": [], "not": [] },
          "action": { "type": "ALLOW" },
          "provenance": { "created_at": "2026-03-04T00:00:00Z", "updated_at": "2026-03-04T00:00:00Z", "created_by": "org-admin" }
        }
      ]
    }
  ]
}

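Explain trace

The rule id in this trace (`deny-malware-domains`) does not match the id in the example policy above (`deny-malware`), although the two presumably refer to the same rule. The trace also records the request host and the client's org under `extracted_facts`, so explain output should be handled as potentially sensitive log data.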

{
  "decision": "DENY",
  "matched_rule_id": "deny-malware-domains",
  "matched_rule_set_id": "global-baseline",
  "reason": "malware_domain",
  "status_code": 403,
  "evaluated": [
    { "rule_id": "deny-malware-domains", "matched": true, "short_circuit_reason": "first_match_wins" }
  ],
  "extracted_facts": {
    "req.host": "bad.malware.test",
    "req.method": "GET",
    "client.auth.org": "acme"
  }
}