← All examples
ApiGateway
examples/ApiGateway.intent
ApiGateway.intent
1# ApiGateway.intent2# Domain: API gateway. Every request is authenticated, rate-limited, and routed by3# one admission policy. Deny by default; never forward an unauthenticated call to a4# protected route. The admission rule runs deterministically.56mission AdmitRequest7use product89title "Authenticate, rate-limit, and route an inbound API request"10for PlatformTeam1112goal13 Admit a request only when it is authenticated, within its rate limit, and bound14 for an allowed route.1516why17 The gateway is the front door. A weak admission policy leaks protected routes,18 lets one caller starve the rest, and forwards traffic nothing checked.1920requires21 Route22 RateLimitPolicy2324input25 authenticated: Flag26 routeAllowed: Flag27 remainingQuota: Count28 routeIsPublic: Flag2930output31 decision: AdmissionResult3233guarantee an authenticated caller within quota reaches an allowed route34 because the gateway must not block legitimate traffic it was built to serve35 verify happy path routing test3637guarantee a caller over its rate limit is throttled, not served38 because one caller must never exhaust capacity for everyone else39 verify rate limit test4041never42 forward an unauthenticated request to a protected route43 route to a path outside the allowlist4445never forward an unauthenticated request to a protected route46 because that is the exact bypass an API gateway exists to prevent47 verify auth enforcement test4849never route to a path outside the allowlist50 because an unlisted path is unowned surface with no contract behind it51 verify route allowlist test5253# Admission is deny-by-default: only an explicit Allow forwards. `intent run` / `intent test`.54decision AdmitRequest55 inputs56 authenticated57 routeIsPublic58 routeAllowed59 remainingQuota60 rule unknownRoute61 when routeAllowed == false62 return Reject63 rule needsAuth64 when routeIsPublic == false and authenticated == false65 return Reject66 rule overLimit67 when remainingQuota <= 068 return Throttle69 rule admit70 when routeAllowed == true71 return Forward72 default73 return Reject7475target76 OpenAPI77 Tests7879test AdmitRequest80 case authenticated within quota is forwarded81 given authenticated true, routeIsPublic false, routeAllowed true, remainingQuota 1082 expect Forward83 case unauthenticated to protected route is rejected84 given authenticated false, routeIsPublic false, routeAllowed true, remainingQuota 1085 expect Reject86 case public route needs no auth87 given authenticated false, routeIsPublic true, routeAllowed true, remainingQuota 1088 expect Forward89 case over rate limit is throttled90 given authenticated true, routeIsPublic false, routeAllowed true, remainingQuota 091 expect Throttle92 case unknown route is rejected93 given authenticated true, routeIsPublic false, routeAllowed false, remainingQuota 1094 expect RejectDraft syntax. This file is illustrative and does not run yet.
More examples
AlertRoutingBillingServiceCalculateRiskScoreCertificationAttemptCertificationCheckoutCertificationEligibilityCertificationStudyPlanCreateInvoiceCreateStudyPlanCustomerDataRequestDuplicateInvoicePreventionGroundedAnswerIngestClickstreamInvoiceCreatedNetworkEgressPolicyPlaceOrderResearchAgentRunResetPasswordStorefrontStyleSubscriptionUpgradeTenantIsolationUploadStudyMaterial