@spec classify_risk(
  String.t(),
  keyword()
) :: risk_level()

Classify the risk level of an action based on pattern matching.

Uses :risk_mappings option or falls back to built-in heuristics based on action name prefixes.

Built-in Risk Heuristics

• "delete_", "drop_", "destroy_", "execute_", "run_" → :high
• "write_", "update_", "create_", "modify_", "send_" → :medium
• "read_", "get_", "list_", "search_" → :low
• Everything else → :medium

@spec compare_risk(risk_level(), risk_level()) :: :lt | :eq | :gt

Compare two risk levels.

Examples

iex> SigilGuard.Policy.compare_risk(:low, :high)
:lt

iex> SigilGuard.Policy.compare_risk(:high, :medium)
:gt

@spec ensure_rate_table(atom()) :: :ok

Ensure the ETS table used by rate_check/2 exists.

The default table is created automatically at application start; call this only to pre-create a custom :rate_store table from a process that outlives the callers (the table is owned by the process that creates it).

Safe to call concurrently — creation races resolve to the existing table.

@spec evaluate(String.t(), SigilGuard.Identity.trust_level(), keyword()) :: verdict()

Evaluate an action against a trust level.

Returns :allowed if trust is sufficient, {:confirm, reason} if the caller is one trust level below the threshold (allowing interactive confirmation), or :blocked otherwise.

Options

• :risk_level — override the risk classification (default: look up via :risk_mappings)
• :risk_mappings — map of action pattern to risk level
• :trust_thresholds — override default trust thresholds per risk level

Examples

iex> SigilGuard.Policy.evaluate("read_file", :medium)
:allowed

iex> SigilGuard.Policy.evaluate("delete_database", :low)
:blocked

@spec rate_check(
  String.t(),
  keyword()
) :: :ok | {:error, :rate_limited}

Perform a rate check for an identity performing an action.

Returns :ok if within limits, or {:error, :rate_limited} if exceeded.

This is a fixed-window counter: an identity's first request opens a window, requests within :window_ms count against :max_requests, and the next request after the window expires opens a fresh one. Two limits follow from that design — suitable for coarse abuse protection, not strict quotas:

• Check and increment are separate ETS operations, so concurrent callers can slightly exceed :max_requests under contention.
• Up to 2 × max_requests can pass in a burst straddling a window boundary, as with any fixed-window scheme.

For strict guarantees, implement the SigilGuard.Policy behaviour with a dedicated rate limiter backend.

Options

• :max_requests — maximum requests per window (default: 100)
• :window_ms — time window in milliseconds (default: 60_000)
• :rate_store — ETS table name for rate tracking (default: :sigil_guard_rates)

The default table is created at application start and lives as long as the application. A custom :rate_store table is created on first use and owned by the first calling process — its rate state is lost if that process exits.

@spec risk_levels() :: [risk_level(), ...]

Return all risk levels in ascending order.

Examples

iex> SigilGuard.Policy.risk_levels()
[:low, :medium, :high]

@spec trust_threshold(risk_level()) :: SigilGuard.Identity.trust_level()

Return the default trust threshold for a risk level.

Examples

iex> SigilGuard.Policy.trust_threshold(:high)
:high

iex> SigilGuard.Policy.trust_threshold(:low)
:low