Restrict KGL to IP module and add feature gating helper

tankdadank · tankdadank · commit 9029b0ec866f · 2026-02-16T11:56:05.000-06:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -8,3 +8,5 @@ pub use i18n::{I18n, Locale};
 pub use build::fingerprint::{BuildFingerprint, BuildHash};
 pub use model::telemetry::TelemetryMode;
 pub use model::capabilities::{CapabilitySnapshot, FeatureFlags};
+pub use model::modules::ModuleId;
+pub use model::feature_gate::feature_allowed;
diff --git a/src/model/feature_gate.rs b/src/model/feature_gate.rs
@@ -0,0 +1,36 @@
+use crate::config::core::CoreConfig;
+use crate::model::capabilities::CapabilitySnapshot;
+use crate::model::modules::ModuleId;
+
+/// Returns true if a Korvex extra feature is allowed.
+///
+/// Enforces:
+/// - extras.enabled in core config must be true
+/// - local kill switch for "module.feature" must be enabled
+/// - capability snapshot must be present and allow the feature
+///
+/// For now, only ModuleId::Ip is defined.
+/// Example feature keys:
+///   "ip.whitelist"
+///   "ip.geo_identity"
+///   "ip.extended_history"
+pub fn feature_allowed(
+    cfg: &CoreConfig,
+    snapshot: Option<&CapabilitySnapshot>,
+    module: ModuleId,
+    feature: &str,
+) -> bool {
+    let key = format!("{}.{}", module.as_str(), feature);
+
+    // Global or feature-level disable
+    if !cfg.is_feature_enabled_locally(&key) {
+        return false;
+    }
+
+    let snapshot = match snapshot {
+        Some(s) => s,
+        None => return false,
+    };
+
+    snapshot.allows(&key)
+}
diff --git a/src/model/mod.rs b/src/model/mod.rs
@@ -1,2 +1,4 @@
 pub mod telemetry;
 pub mod capabilities;
+pub mod modules;
+pub mod feature_gate;
diff --git a/src/model/modules.rs b/src/model/modules.rs
@@ -0,0 +1,21 @@
+use serde::{Serialize, Deserialize};
+
+/// Current Guardian module supported by KGL.
+///
+/// For now only the IP module is defined.
+/// New modules (ssh-hardening, port-surface, integrity, ...) will be added later.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum ModuleId {
+    /// IP module (whitelisting, geo, DNS, etc.).
+    Ip,
+}
+
+impl ModuleId {
+    /// Stable identifier used in configs and capability snapshots.
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            ModuleId::Ip => "ip",
+        }
+    }
+}
