Snapshot Runtime Context Specification
The snapshot context represents read-only business or resource state available during policy evaluation.
It captures the state of the world at decision time.
Purpose
Snapshot is ideal for:
- account balance
- ownership
- lifecycle stage
- fraud flags
- tenant plan
- lock status
- quota usage
Typical usage:
subject:
  domain: snapshot
  field: balance
operator: greater_than
value:
  literal: 0
Runtime Shape
snapshot:
  balance: 50000
  tier: enterprise
  is_locked: false
Type: Mapping of snapshot field names to scalar values
Supported scalar values:
- string
- number
- boolean
Values must conform to the declared schema.
Resolution Semantics
Snapshot references resolve from:
input.snapshot["field"]
Missing fields return non-match (false) for fail-safe evaluation.
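The resolution rule above, sketched as an added example (not code from this specification or its engine). The function names and the `equals` operator are assumptions made for illustration; only `greater_than` appears on this page.

```python
def _is_number(v):
    # bool subclasses int in Python; keep it out of numeric comparisons
    return isinstance(v, (int, float)) and not isinstance(v, bool)

# `greater_than` is from the page; `equals` is an assumed operator name.
OPERATORS = {
    "greater_than": lambda a, b: _is_number(a) and _is_number(b) and a > b,
    "equals": lambda a, b: type(a) is type(b) and a == b,
}

_MISSING = object()

def resolve_snapshot(input_doc, field):
    """Resolve input.snapshot["field"]; return _MISSING instead of raising."""
    snapshot = input_doc.get("snapshot")
    if not isinstance(snapshot, dict):
        return _MISSING
    value = snapshot.get(field, _MISSING)
    # Only scalar values (string, number, boolean) are supported
    if value is not _MISSING and not isinstance(value, (str, int, float, bool)):
        return _MISSING
    return value

def evaluate(condition, input_doc):
    """Evaluate one snapshot condition; anything unresolvable is a non-match."""
    subject = condition.get("subject") or {}
    if subject.get("domain") != "snapshot":
        return False
    left = resolve_snapshot(input_doc, subject.get("field"))
    op = OPERATORS.get(condition.get("operator"))
    value = condition.get("value")
    if left is _MISSING or op is None or not isinstance(value, dict) or "literal" not in value:
        return False
    return op(left, value["literal"])

# Constructed sample conditions and inputs
POSITIVE_BALANCE = {"subject": {"domain": "snapshot", "field": "balance"},
                    "operator": "greater_than", "value": {"literal": 0}}
IS_LOCKED = {"subject": {"domain": "snapshot", "field": "is_locked"},
             "operator": "equals", "value": {"literal": True}}
FULL = {"snapshot": {"balance": 50000, "tier": "enterprise", "is_locked": False}}
PARTIAL = {"snapshot": {"tier": "enterprise"}}  # balance and is_locked absent
```

With `PARTIAL`, both conditions evaluate to false. A condition that checks `is_locked` therefore also does not match when the field is absent, so fields that blocking rules depend on should be required by the declared schema.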
Strategic Role
Snapshot should represent resource or business state, not caller identity.
This separation is important:
- actor = who is calling
- action = what is being attempted
- snapshot = current system state
This three-way split makes policies highly auditable.
Common Governance Use Cases
- block suspended accounts
- require approval above balance thresholds
- prevent locked resource mutation
- restrict cross-tenant ownership transfer
Best Practices
- keep snapshot read-only
- use for current state, not request metadata
- avoid duplicating actor fields
- prefer lifecycle and ownership fields