Context
Formal.ai offers policy backtesting against 31 days of real traffic — operators can see what a proposed policy would have done before activating it. This removes the fear of deploying a policy that breaks production queries. Gate already stores audit events with statement, query_type, username, and resource — the raw materials exist.
Proposal
Build a policy simulation/backtesting feature:
- API endpoint: POST /api/v1/policies/{id}/simulate with time range parameter
- Engine: replay historical audit log entries through a candidate policy (draft or dry_run state)
- Output: summary of what the policy would have done:
  - Total queries evaluated
  - Queries that would have been allowed / blocked / masked
  - Top blocked queries (with statement preview)
  - Affected users and resources
- Admin UI: visual report showing the impact analysis before promotion to active
- Leverage existing Postgres audit log — no new data pipeline needed
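One way the replay step could work, as an added example (not Gate's code): stored audit events are run through a candidate policy and reduced to the summary fields listed above. The policy shape (ordered rules, first match wins, default allow), the function names decide and simulate, and the sample events are assumptions made for illustration; only the four event fields come from this issue.

```python
from collections import Counter
from fnmatch import fnmatchcase

FIELDS = ("statement", "query_type", "username", "resource")
# Constructed audit events carrying the four fields named in this issue.
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("SELECT email FROM customers WHERE id = 7", "SELECT", "alice", "prod-pg/customers"),
    ("DELETE FROM customers WHERE id = 7", "DELETE", "bob", "prod-pg/customers"),
    ("DELETE FROM customers WHERE id = 7", "DELETE", "bob", "prod-pg/customers"),
    ("UPDATE orders SET status = 'paid' WHERE id = 3", "UPDATE", "svc-billing", "prod-pg/orders"),
    ("DROP TABLE orders", "DROP", "carol", "prod-pg/orders"),
]]

# Hypothetical candidate policy format: ordered rules, first match wins.
CANDIDATE = {"default": "allow", "rules": [
    {"query_types": {"DELETE", "DROP"}, "users": "*",
     "resources": "prod-pg/*", "action": "block"},
    {"query_types": {"SELECT"}, "users": "*",
     "resources": "prod-pg/customers", "action": "mask"},
]}

def decide(policy, ev):
    """Return the action the candidate policy would have taken for one event."""
    for rule in policy["rules"]:
        if (ev["query_type"] in rule["query_types"]
                and fnmatchcase(ev["username"], rule["users"])
                and fnmatchcase(ev["resource"], rule["resources"])):
            return rule["action"]
    return policy["default"]

def simulate(policy, events, top_n=3, preview_len=40):
    """Replay events through the policy; nothing is enforced, only counted."""
    counts = Counter(allow=0, block=0, mask=0)
    blocked = Counter()
    users, resources = set(), set()
    for ev in events:
        action = decide(policy, ev)
        counts[action] += 1
        if action != "allow":  # "affected" = outcome differs from pass-through
            users.add(ev["username"])
            resources.add(ev["resource"])
        if action == "block":  # the report carries a truncated preview only
            blocked[ev["statement"][:preview_len]] += 1
    return {"total": len(events), "counts": dict(counts),
            "top_blocked": blocked.most_common(top_n),
            "affected_users": sorted(users),
            "affected_resources": sorted(resources)}

if __name__ == "__main__":
    print(simulate(CANDIDATE, EVENTS))
```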
Acceptance Criteria