Skip to content
Stoma

Policy

Defined in: src/policies/types.ts:35

A Policy is a named middleware with priority ordering and optional protocol-agnostic evaluation.

  • handler - HTTP runtime entry point (Hono middleware). Used by createGateway.
  • evaluate - Protocol-agnostic entry point. Used by non-HTTP runtimes (ext_proc, WebSocket) to invoke the policy without Hono.
  • phases - Which processing phases this policy participates in. Used by phase-based runtimes to skip irrelevant policies.
  • httpOnly - Set to true for policies that can ONLY work with the HTTP protocol and don’t make sense for ext_proc or WebSocket.

Properties

Section titled “Properties”

evaluate?

Section titled “evaluate?”

optional evaluate: PolicyEvaluator

Defined in: src/policies/types.ts:53

Protocol-agnostic evaluation entry point.

Used by non-HTTP runtimes (ext_proc, WebSocket) to invoke this policy without Hono. The HTTP runtime (createGateway) uses handler directly and ignores this field.

Policies that implement evaluate work across all runtimes. Policies that only implement handler are HTTP-only.

handler

Section titled “handler”

handler: MiddlewareHandler

Defined in: src/policies/types.ts:39

The Hono middleware handler - HTTP runtime entry point.

httpOnly?

Section titled “httpOnly?”

optional httpOnly: true

Defined in: src/policies/types.ts:84

Set to true for policies that only work with the HTTP protocol.

These policies rely on HTTP-specific concepts (Request/Response objects, specific headers, HTTP status codes, etc.) and cannot be meaningfully evaluated in other protocols like ext_proc or WebSocket.

Examples:

  • cors - uses HTTP-specific Access-Control-* headers
  • ssl-enforce - HTTP-only protocol concept
  • proxy - HTTP-to-HTTP forwarding
  • mock - returns HTTP Response objects

Tooling can use this flag to:

  • Skip these policies when generating docs for non-HTTP runtimes
  • Warn if an HTTP-only policy is used in a non-HTTP gateway config

name

Section titled “name”

name: string

Defined in: src/policies/types.ts:37

Unique policy name (e.g. “jwt-auth”, “rate-limit”)

phases?

Section titled “phases?”

optional phases: ProcessingPhase[]

Defined in: src/policies/types.ts:65

Processing phases this policy participates in.

Used by phase-based runtimes (ext_proc) to skip policies that don’t apply to the current processing phase. For example, a JWT auth policy only needs "request-headers", while a response transform policy needs "response-headers" and "response-body".

Default: ["request-headers"] (most policies only inspect request headers).

priority?

Section titled “priority?”

optional priority: number

Defined in: src/policies/types.ts:41

Policy priority - lower numbers execute first. Default: 100.