feat: initial APL Rust implementation.

[terylt]

feat/apl_rust — APL policy engine, identity stack, and pluggable IAM for CPEX Rust

This branch turns the Phase-1a CPEX Rust core into a full policy-driven, identity-aware plugin runtime — a Rust port of the Python apl-plugins design, with the conditional-effects work (when/do/parallel/taint) and the typed-hook plumbing the original lacked.

Scope: 24 commits, 240+ files, ~70k LOC. Tests: 746 across the workspace, 0 fail.

---

What's new — at a glance

Layer	Crate(s)	What it does
Policy language	apl-core	YAML → IR compiler + async evaluator. Predicates, field pipelines (mask, redact, omit, hash), conditional effects (when:/do:), sequential:/parallel:, content effects, PDP calls, taints, delegation.
CMF bridge	apl-cmf	Maps cpex-core::Extensions → APL's flat AttributeBag (role.*, perm.*, delegation.*, args.*, result.*, session.*) so predicates can read typed identity without knowing the shape of the underlying extension.
CPEX↔APL boundary	apl-cpex	The string-typed PluginInvoker / DelegationInvoker trait implementations that bridge APL's evaluator into typed CPEX hook dispatch (invoke_named::<CmfHook>, ::<TokenDelegateHook>). Owns the request-scoped CmfPluginInvoker, the route dispatch plan cache, the session store, and the synthetic AplRouteHandler plugin that wraps APL eval into a normal cpex-core plugin.
Concurrency primitive	cpex-orchestration	Shared run_branches helper — JoinSet + abort_on_deny + per-branch timeout. Used by both cpex-core::executor::run_concurrent_phase and apl-core::dispatch_parallel.

Identity & delegation

A first-class identity story, distinct from "auth happens upstream":

• SubjectExtension / WorkloadIdentity in cpex-core::extensions::security model end-user, calling agent, and our gateway as separate typed identities — the basis for predicates like require(role.hr), perm.view_ssn, and the new identity-derived session id.
• DelegationExtension + the TokenDelegateHook hook type carry an arbitrary chain of acting subjects with attenuated grants. Surfaces in APL as delegation.depth, delegation.chain[*], delegation.granted_permissions.
• apl-identity-jwt — JWT identity resolver with configurable claim mapping. Reads sub / act.sub / aud / roles / permissions into the structured extensions; raw claims preserved in subject.claims for tier-1 session resolution.
• apl-delegator-oauth — RFC 8693 token exchange. The mint-on-demand path: APL writes delegate(workday-oauth, audience: workday-api, permissions: [...]), the delegator hits the IdP, and the outbound request carries a freshly-minted audience-scoped token — never the user's original IdP JWT.
• apl-delegator-biscuit — Biscuit-based delegation as an alternative to OAuth token-exchange. Reference implementation for IETF draft-prakash-aip-00 (Agent Identity Protocol) "Chained Mode."
• 5-tier SessionResolver (apl-cpex/src/session_resolver.rs) — agent.session_id → JWT session_id claim → X-CPEX-Session-Id header → sha256(sub:caller:gateway)[:16] → none. Ported from Python apl-plugins, with the agent-tier added so plugins can inject pre-resolved session ids without inventing a new API.

PDP integration

APL can defer decisions to an external policy engine via a pdp(...) step. Two backends ship:

• apl-pdp-cedar-direct — In-process Cedar evaluation against an embedded policy store. Fast (no network) for tightly-coupled use cases.
• apl-cedarling — Cedarling-mediated (Janssen) Cedar evaluation. Adds signed policy stores, multi-issuer JWT validation, and (with Lock Server) centralized policy management. Pluggable via the PdpDialect enum so both can coexist on the same route.

Plugin ecosystem (proof the framework actually composes)

• apl-pii-scanner — cmf.tool_pre_invoke plugin that catches SSN/credit-card/etc. patterns in args. Returns PluginViolation with code pii.detected.
• apl-audit-logger — cmf.tool_pre_invoke audit plugin that logs every dispatch including denied ones. Demonstrates the audit/non-blocking plugin pattern.
• All plugins use the framework-native PluginError + PluginViolation types, follow the PluginConfig-only constructor convention, and live as their own crates with their own PluginFactory impls.

CPEX core changes

The runtime needed several enhancements to support the APL stack. These landed as standalone, generally-useful improvements:

• Effect IR consolidation (E4): Step enum collapsed into Effect. policy: is now Vec<Effect> directly. One IR vocabulary, one dispatch path (dispatch_effect), one static validator walk.
• Effect::Sequential / Effect::Parallel orchestration (E3): Side-effect lists run in-order-with-halt or concurrently-with-abort-on-deny. Built on the new cpex-orchestration::run_branches. Static parallel-purity validator rejects mutation effects inside parallel blocks at config-load.
• Plugin-mode validation (E3.1): Route-compile-time check that plugins inside parallel: blocks are registered with safe modes (Audit / Concurrent / FireAndForget). Sequential / Transform plugins are rejected — their writes would silently vanish in a discarded branch.
• Executor concurrent-phase refactor (E3.3): cpex-core::executor::run_concurrent_phase migrated from its custom JoinSet machinery to the shared run_branches. Fixed a latent panic-index attribution bug in the process.
• Session-scoped taint persistence (TS1): Effect::Taint { scopes: [Session] } now actually labels the session. New CmfPluginInvoker::apply_session_taints drains RouteDecision.taints into security.labels; the existing persist_session diff catches them and writes to the SessionStore. Closes the "policy with side-effects" pitch — writing taint(audit, session) in YAML actually causes the session to be permanently labelled and observable in subsequent requests.

Testing

Tier	Count
apl-core unit + IR + parser + evaluator	280+
apl-cmf end-to-end + bridge	~40
apl-cpex invokers + visitor + plan + resolver	~80
cpex-core runtime + executor + hooks	282
cpex-orchestration	7
apl-pdp-cedar-direct, apl-cedarling, apl-pii-scanner, apl-audit-logger, apl-delegator-*, apl-identity-jwt	~50 combined
Total	746 / 0 fail

Migration notes / breaking changes

• apl-core public API switched from evaluate_steps(&[Step], ...) to evaluate_effects(&[Effect], ...). Step is now a parser-internal pub(crate) type. Callers building Vec<Step> should switch to Vec<Effect> (Effect::When { condition, body, source } replaces Step::Rule(Rule)).
• Invoker trait refs widened from &dyn PluginInvoker to &Arc<dyn PluginInvoker> (same for DelegationInvoker and PdpResolver) so Effect::Parallel can spawn branches across OS threads. Consumers holding concrete types (e.g. Arc::new(CmfPluginInvoker::for_request(...))) need a one-line upcast: let invoker_dyn: Arc<dyn PluginInvoker> = invoker.clone();.
• Session ID resolution: CmfPluginInvoker no longer pulls only from extensions.agent.session_id. The 5-tier resolver kicks in. Existing callers that only set agent.session_id still work — it's tier 0, highest priority.