Command Policy

Every Command. Your Rules.

Block dangerous operations, warn on risky commands, or observe silently across every database protocol. Automatic risk classification, and a full audit trail.

Three Enforcement Modes

Every policy is configurable per endpoint. Start in observe mode, promote to warn, then block when you're confident. Roll out gradually without disrupting traffic.

Block

Command rejected immediately. Native error returned to the client in the database's wire protocol. Metric emitted. Full stop.

Instant rejection at the proxy layer

Protocol-native error response

OTel counter: policy.blocked incremented

Audit log entry with full command context

Warn

Command allowed through to the backend. Warning metrics emitted. Visible in dashboards and the audit trail for review.

Command forwarded to backend normally

OTel counter: policy.warned incremented

Dashboard visibility for gradual rollout

Audit log entry for compliance review

Observe

Command allowed silently. Metrics recorded for analysis. Zero client-side impact. Use this mode to baseline your traffic before enforcing.

Completely transparent to the client

Metrics recorded for pattern analysis

Ideal for discovery and baselining

No performance impact on the request path

Redis Policy Presets

15 built-in presets covering every category of Redis command risk. Mix and match per endpoint, or build custom policies from scratch.

production

Blocks FLUSHALL, FLUSHDB, SHUTDOWN, DEBUG, CONFIG SET, and other dangerous commands

strict

Production plus KEYS, RANDOMKEY, SCAN-without-COUNT, and unbounded iteration

lenient

Minimal blocking — only commands that could crash or corrupt the server

flush

Blocks FLUSHALL and FLUSHDB specifically

keys

Blocks KEYS command to prevent O(N) full-keyspace scans

acl

Blocks ACL SETUSER, ACL DELUSER, ACL SAVE — prevents privilege escalation

config

Blocks CONFIG SET, CONFIG REWRITE — prevents runtime config tampering

debug

Blocks DEBUG SLEEP, DEBUG SEGFAULT, DEBUG SET-ACTIVE-EXPIRE

shutdown

Blocks SHUTDOWN to prevent accidental instance termination

persistence

Blocks BGSAVE, BGREWRITEAOF, RDB/AOF manipulation

module

Blocks MODULE LOAD/UNLOAD to prevent arbitrary code execution

migrate

Blocks MIGRATE, DUMP, RESTORE — prevents data exfiltration

replication

Blocks SLAVEOF, REPLICAOF, CLUSTER FAILOVER

scripting

Blocks EVAL, EVALSHA, FUNCTION — prevents arbitrary Lua/function execution

cluster_admin

Blocks CLUSTER RESET, CLUSTER FLUSHSLOTS, and other destructive cluster operations

PostgreSQL Risk Classification

Every PostgreSQL operation is automatically classified by impact level. Commands are categorized as they pass through the proxy and enforced through your chosen policy mode.

Safe

Normal queries — SELECT, INSERT, UPDATE, DELETE

Standard CRUD operations that operate within normal transaction boundaries. Always allowed regardless of policy mode.

WarnLargeData

COPY operations — bulk data ingestion and export

COPY IN/OUT, CopyData, CopyDone, CopyFail. Can move large volumes of data and consume significant I/O. Warned by default in production mode.

Blocking

VACUUM, REINDEX, CLUSTER — table-locking operations

Operations that acquire exclusive locks and can block other queries for extended periods. These should be scheduled during maintenance windows.

Dangerous

DROP, TRUNCATE, ALTER — destructive and schema-altering

Irreversible operations that destroy data or modify schema. Blocked by default in strict and production modes. OTel metrics emitted: postgres.policy.blocked.

Cross-Protocol Enforcement

The same three-tier enforcement model applies to every wire protocol Eden supports. One policy framework, every database.

Redis

RESP protocol interception. 15 named presets, 200+ commands classified. Blocks at the command parser before the backend ever sees the request.

FLUSHALL

KEYS *

CONFIG SET

DEBUG SEGFAULT

SHUTDOWN NOSAVE

PostgreSQL

PG wire protocol interception including Extended Query Protocol. Risk classification for Parse, Simple Query, and COPY operations.

DROP TABLE

TRUNCATE

VACUUM FULL

COPY TO STDOUT

ALTER SYSTEM

MongoDB

MongoDB wire protocol interception. Policy enforcement on operation type with the same Block/Warn/Observe model.

dropDatabase

dropCollection

collMod

compact

repairDatabase

Audit & Compliance

Every policy decision is recorded. Know who ran what, when, and from where — across every database protocol.

Service Attribution

Automatic service identification from PostgreSQL application_name startup parameter and Redis CLIENT SETINFO LIB-NAME. Know which service issued every command without any instrumentation.

Query Recording

Full query capture for blocked and warned commands. BlockedCommandRecorder and PgQueryRecorder traits with global OnceLock singletons ensure every policy decision includes the complete command context.

mTLS & Encryption

Mutual TLS for proxy connections with full certificate chain verification. TLS termination at the gateway layer with HTTP/2 support. All traffic between Eden and your backends is encrypted in transit.

Security Model

JWT Auth

Configurable expiry, per-organization scoping

RBAC

Role-based access control across all endpoints

Rate Limiting

Governor-based middleware per API route

Multi-Tenancy

Organization-scoped credential and endpoint isolation

Enforce Policy at the Gateway Layer

Stop dangerous commands before they reach your databases. Start in observe mode and promote to block when you're ready.