CONCEPT Cited by 1 source
Logging mode vs enforcement mode
Definition
In Meta's Policy Zones (and any IFC-style runtime enforcement system), a zone operates in one of two modes:
- Logging mode — the runtime detects and records data flow violations but does not block the flow. The service continues to operate.
- Enforcement mode — the runtime blocks any data flow that violates the zone's policy; the offending write or code path fails.
Zones start in logging mode, operators remediate surfaced violations, and then flip to enforcement mode. See patterns/logging-mode-to-enforcement-mode-rollout.
Why two modes
Flipping straight to enforcement in production would block legitimate flows whose annotations hadn't been set yet, breaking user-facing features before the policy rollout is complete. Logging mode is the observation window during which the full surface of affected flows becomes visible and can be fixed.
From the 2024-08-31 Meta PAI post:
"During the initial rollout of a new requirement, Policy Zones can be configured to allow remediations of flow violations in 'logging mode.' Once Policy Zones enforcement is enabled, any data flow with unremediated violations is denied. This also prevents new data flow violations, even if code changes or new code is added."
Relationship to fail-open vs fail-closed
Logging mode is effectively fail-open: violations are recorded but the flow is permitted, so the service doesn't break. Enforcement mode is fail-closed: violations block the flow unconditionally. The two-mode design lets operators choose when to flip from fail-open to fail-closed on a per-zone basis.
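A minimal model of the two modes and the flip between them, added here as an illustration; it is not Meta's Policy Zones code or API. `Zone`, `Mode`, `check_flow`, `enable_enforcement`, the sink-allowlist policy and the gate that refuses to flip while logged violations remain open are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    LOGGING = "logging"          # fail-open: record the violation, allow the flow
    ENFORCEMENT = "enforcement"  # fail-closed: record the violation, deny the flow

class FlowDenied(Exception):
    """Raised when a zone in enforcement mode blocks a violating flow."""

@dataclass
class Zone:
    name: str
    allowed_sinks: set          # sinks annotated as permitted (hypothetical model)
    mode: Mode = Mode.LOGGING   # zones start in logging mode
    violations: list = field(default_factory=list)

    def check_flow(self, source: str, sink: str) -> bool:
        """Return True if the flow may proceed; raise FlowDenied when enforcing."""
        if sink in self.allowed_sinks:
            return True
        self.violations.append((self.mode.value, source, sink))
        if self.mode is Mode.ENFORCEMENT:
            raise FlowDenied(f"{self.name}: {source} -> {sink}")
        return True  # logging mode: recorded, but the service keeps working

    def unremediated(self) -> set:
        """Sinks from logged violations that still lack an annotation."""
        return {sink for _, _, sink in self.violations} - self.allowed_sinks

    def enable_enforcement(self) -> None:
        """Flip to fail-closed; refuse while logged violations remain open."""
        pending = self.unremediated()
        if pending:
            raise RuntimeError(f"unremediated sinks: {sorted(pending)}")
        self.mode = Mode.ENFORCEMENT

def demo():
    zone = Zone("ads_purpose", allowed_sinks={"ads_ranking"})  # constructed sample
    zone.check_flow("user_profile", "metrics_export")   # logged, still allowed
    pending = zone.unremediated()                       # what operators must fix
    zone.allowed_sinks.add("metrics_export")            # remediation: annotate
    zone.enable_enforcement()
    try:
        zone.check_flow("user_profile", "new_job")      # new, unannotated flow
        blocked = False
    except FlowDenied:
        blocked = True
    return pending, zone.mode, blocked
```

The violation list built up in logging mode doubles as the remediation backlog, and the same check that only recorded `metrics_export` rejects `new_job` once the zone is enforcing.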
Relationship to staged rollout
Logging-to-enforcement is a correctness-constraint rollout pattern, not a traffic-shifting pattern. Canaries and percentage rollouts shift traffic; logging mode shifts enforcement severity at fixed traffic. The two are complementary, not competing: both can run on the same deploy.
Seen in
- sources/2024-08-31-meta-enforces-purpose-limitation-via-privacy-aware-infrastructure — canonical surfacing. Policy Zones' two-mode design is the load-bearing rollout primitive underneath multi-year PAI adoption across thousands of engineers.
Related
- concepts/data-flow-violation — the event the two modes handle differently.
- concepts/information-flow-control — the parent primitive.
- concepts/data-annotation — what must be in place before flipping to enforcement.
- concepts/fail-open-vs-fail-closed — the general safety pattern.
- systems/meta-policy-zones — canonical implementation.
- systems/meta-policy-zone-manager — operator UX.
- patterns/logging-mode-to-enforcement-mode-rollout — the full rollout pattern.
- patterns/staged-rollout — traffic-axis sibling.
- companies/meta