dadbodgeoff · dadbodgeoff · May 27, 2026 · May 26, 2026
diff --git a/drift v3/crates/drift-engine/src/check_command.rs b/drift v3/crates/drift-engine/src/check_command.rs
diff --git a/drift v3/crates/drift-engine/src/facts.rs b/drift v3/crates/drift-engine/src/facts.rs
@@ -20,6 +20,10 @@ pub enum FactKind {
     MiddlewareMatcherDeclared,
     MiddlewareProtectsRoute,
     RequestInputRead,
+    SessionRead,
+    TenantSource,
+    TenantGuardCalled,
+    AuthorizationGuardCalled,
     RequestValidationCalled,
     ValidatedInputUsed,
 }

diff --git a/drift v3/crates/drift-engine/src/lib.rs b/drift v3/crates/drift-engine/src/lib.rs
@@ -37,26 +37,35 @@ pub use security_control_flow::{
     validated_input_uses,
 };
 pub use security_facts::extract_security_facts;
+pub use security_facts::extract_security_facts_with_policy;
 pub use security_facts::extract_security_facts_with_validation;
 pub use security_patterns::{
-    AcceptedAuthHelper, AcceptedRequestValidator, AuthGuardBehavior, RequestValidatorBehavior,
-    RequestValidatorKind, dynamic_middleware_matcher_line,
+    AcceptedAuthHelper, AcceptedAuthorizationHelper, AcceptedHelperImport,
+    AcceptedRequestValidator, AcceptedTenantHelper, AuthGuardBehavior, AuthorizationHelperBehavior,
+    AuthorizationHelperKind, Phase4SecurityPolicy, RequestValidatorBehavior, RequestValidatorKind,
+    dynamic_middleware_matcher_line,
 };
 pub use security_proof::{
-    AuthBoundaryProof, MiddlewareBoundaryProof, RequestInputReadProof, RequestUnvalidatedUseProof,
+    AuthBoundaryProof, AuthorizationGuardProof, AuthorizationMissingProof, AuthorizationProof,
+    MiddlewareBoundaryProof, RequestInputReadProof, RequestUnvalidatedUseProof,
     RequestValidatedUseProof, RequestValidationCallProof, RequestValidationProof,
     RequestValidationProofScope, RouteSecurityBoundaryProof, SecurityBoundaryProof,
-    SecurityParserGap, SecurityProofResult, SecurityProofStatus, TrustedGuardCallProof,
-    UndominatedSinkProof, build_auth_boundary_proof, build_auth_boundary_proofs_for_file,
-    build_middleware_coverage_proof, build_request_validation_proof,
+    SecurityParserGap, SecurityProofResult, SecurityProofStatus, SessionMissingTrustProof,
+    SessionTrustBoundaryProof, SessionTrustProof, TenantMissingProof, TenantPredicateProof,
+    TenantProof, TenantSourceProof, TrustedGuardCallProof, UndominatedSinkProof,
+    build_auth_boundary_proof, build_auth_boundary_proofs_for_file,
+    build_middleware_coverage_proof, build_phase4_security_proof,
+    build_phase4_security_proof_with_policy, build_request_validation_proof,
     build_request_validation_proof_with_scope,
 };
 pub use security_rules::{
-    SecurityAuthContract, SecurityContractCapability, SecurityEnforcementMode, SecurityFinding,
-    SecurityFindingResult, SecurityMiddlewareContract, SecurityRequestValidationContract,
+    SecurityAuthContract, SecurityAuthorizationContract, SecurityContractCapability,
+    SecurityEnforcementMode, SecurityFinding, SecurityFindingResult, SecurityMiddlewareContract,
+    SecurityRequestValidationContract, SecurityTenantScopeContract,
     evaluate_api_route_requires_auth_helper,
     evaluate_api_route_requires_auth_helper_with_middleware,
-    evaluate_api_route_requires_request_validation, evaluate_middleware_must_cover_routes,
+    evaluate_api_route_requires_authorization, evaluate_api_route_requires_request_validation,
+    evaluate_api_route_requires_tenant_scope, evaluate_middleware_must_cover_routes,
 };
 
 #[derive(Debug, Clone, PartialEq, Eq)]

diff --git a/drift v3/crates/drift-engine/src/main.rs b/drift v3/crates/drift-engine/src/main.rs
@@ -738,6 +738,10 @@ fn fact_kind(kind: FactKind) -> &'static str {
         FactKind::MiddlewareMatcherDeclared => "middleware_matcher_declared",
         FactKind::MiddlewareProtectsRoute => "middleware_protects_route",
         FactKind::RequestInputRead => "request_input_read",
+        FactKind::SessionRead => "session_read",
+        FactKind::TenantSource => "tenant_source",
+        FactKind::TenantGuardCalled => "tenant_guard_called",
+        FactKind::AuthorizationGuardCalled => "authorization_guard_called",
         FactKind::RequestValidationCalled => "request_validation_called",
         FactKind::ValidatedInputUsed => "validated_input_used",
     }

diff --git a/drift v3/crates/drift-engine/src/security_capabilities.rs b/drift v3/crates/drift-engine/src/security_capabilities.rs
@@ -38,5 +38,26 @@ pub fn security_capabilities() -> Vec<SecurityScanCapability> {
             can_block: true,
             block_requires_accepted_convention: true,
         },
+        SecurityScanCapability {
+            name: "session_trust".to_string(),
+            capability: "deterministic_check".to_string(),
+            status: SecurityCapabilityStatus::Partial,
+            can_block: true,
+            block_requires_accepted_convention: true,
+        },
+        SecurityScanCapability {
+            name: "authorization".to_string(),
+            capability: "deterministic_check".to_string(),
+            status: SecurityCapabilityStatus::Partial,
+            can_block: true,
+            block_requires_accepted_convention: true,
+        },
+        SecurityScanCapability {
+            name: "tenant_scope".to_string(),
+            capability: "deterministic_check".to_string(),
+            status: SecurityCapabilityStatus::Partial,
+            can_block: true,
+            block_requires_accepted_convention: true,
+        },
     ]
 }