ZeroAlloc.Authorization 1.2.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet add package ZeroAlloc.Authorization --version 1.2.0
                    


                    

                
NuGet\Install-Package ZeroAlloc.Authorization -Version 1.2.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="ZeroAlloc.Authorization" Version="1.2.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="ZeroAlloc.Authorization" Version="1.2.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="ZeroAlloc.Authorization" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add ZeroAlloc.Authorization --version 1.2.0
                    


                    

                
#r "nuget: ZeroAlloc.Authorization, 1.2.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package ZeroAlloc.Authorization@1.2.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=ZeroAlloc.Authorization&version=1.2.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=ZeroAlloc.Authorization&version=1.2.0
                    


                            Install as a Cake Tool

ZeroAlloc.Authorization

NuGet Build License: MIT AOT GitHub Sponsors

Authorization primitives for .NET. Five types — ISecurityContext, IAuthorizationPolicy, [Authorize], [AuthorizationPolicy], AnonymousSecurityContext — designed to be shared across hosts that need a unified policy contract.

Used by:

  • AI.Sentinel — tool-call authorization for IChatClient-based agents
  • ZeroAlloc.Mediator.Authorization (planned) — request-handler authorization

Install

dotnet add package ZeroAlloc.Authorization

Targets net8.0, net9.0, net10.0.

Host required. This package only ships the contract types. A host (AI.Sentinel, ZeroAlloc.Mediator.Authorization, your own dispatcher) must match [Authorize] to a registered [AuthorizationPolicy] and invoke IsAuthorized / IsAuthorizedAsync before dispatch.

Note: if you're in an ASP.NET Core project, using ZeroAlloc.Authorization; will collide with using Microsoft.AspNetCore.Authorization; over the [Authorize] name. Use a using alias (using ZAuthorize = ZeroAlloc.Authorization;) or fully-qualify one side at the call site.

The contract

public interface ISecurityContext
{
    string Id { get; }
    IReadOnlySet<string> Roles { get; }
    IReadOnlyDictionary<string, string> Claims { get; }
}

public interface IAuthorizationPolicy
{
    bool IsAuthorized(ISecurityContext ctx);
    ValueTask<bool> IsAuthorizedAsync(ISecurityContext ctx, CancellationToken ct = default)
        => ValueTask.FromResult(IsAuthorized(ctx));
}

Writing a policy

[AuthorizationPolicy("AdminOnly")]
public sealed class AdminOnlyPolicy : IAuthorizationPolicy
{
    public bool IsAuthorized(ISecurityContext ctx) => ctx.Roles.Contains("Admin");
}

Bind it on a method:

public sealed class UserService
{
    [Authorize("AdminOnly")]
    public Task DeleteUserAsync(string userId) { ... }
}

Hosts can extend ISecurityContext

Hosts define their own subinterface for richer payloads. AI.Sentinel adds IToolCallSecurityContext : ISecurityContext with ToolName + Args. Mediator.Authorization will add IRequestSecurityContext<TRequest>. Inside the policy body, downcast:

public bool IsAuthorized(ISecurityContext ctx)
    => ctx is IToolCallSecurityContext tc && tc.ToolName != "delete_database";

Async overrides

For I/O-bound checks (tenant lookup, external claims validation), override IsAuthorizedAsync:

public sealed class TenantPolicy(ITenantService tenants) : IAuthorizationPolicy
{
    public bool IsAuthorized(ISecurityContext ctx) =>
        throw new InvalidOperationException("Use async — tenant lookup is I/O-bound.");

    public async ValueTask<bool> IsAuthorizedAsync(ISecurityContext ctx, CancellationToken ct = default)
        => await tenants.IsActiveAsync(ctx.Id, ct).ConfigureAwait(false);
}

The host is responsible for calling the async overload.

Performance

BenchmarkDotNet (BDN ShortRun, .NET 10 release build, x64) — happy path on a simple role-check policy. The full release-time benchmark uses BDN's default job for tight confidence intervals; the indicative numbers below are from a development-time short run.

Method Mean Allocated
IsAuthorized ~9 ns 0 B
IsAuthorizedAsync ~31 ns 0 B
Evaluate ~7 ns 0 B
EvaluateAsync ~99 ns 0 B

Source: benchmarks/ZeroAlloc.Authorization.Benchmarks/PolicyEvaluationBenchmarks.cs.

The contract is enforced as zero-allocation by:

  1. <IsAotCompatible>true</IsAotCompatible> on the main library (build-time IL2026/IL3050 analyzers fire on any reflection regression).
  2. The samples/ZeroAlloc.Authorization.AotSmoke/ console app, exercised on each CI run with PublishAot=true.
  3. The benchmark project above.

License

MIT.

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on ZeroAlloc.Authorization:

Package Downloads
AI.Sentinel

Security monitoring middleware for IChatClient — prompt injection, hallucination, and operational anomaly detection with an intervention engine.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.2.0 0 5/6/2026
1.1.1 63 5/3/2026
1.1.0 535 5/1/2026