Logging mode vs enforcement mode

Definition

In Meta's Policy Zones (and any IFC-style runtime enforcement system), a zone operates in one of two modes:

  • Logging mode — the runtime detects and records data flow violations but does not block the flow. The service continues to operate.
  • Enforcement mode — the runtime blocks any data flow that violates the zone's policy; the offending write or code path fails.

Zones start in logging mode, operators remediate surfaced violations, and then flip to enforcement mode. See patterns/logging-mode-to-enforcement-mode-rollout.

Why two modes

Flipping straight to enforcement in production would block legitimate flows whose annotations hadn't been set yet, breaking user-facing features before the policy rollout is complete. Logging mode is the observation window during which the full surface of affected flows becomes visible and can be fixed.

From the 2024-08-31 Meta PAI post:

"During the initial rollout of a new requirement, Policy Zones can be configured to allow remediations of flow violations in 'logging mode.' Once Policy Zones enforcement is enabled, any data flow with unremediated violations is denied. This also prevents new data flow violations, even if code changes or new code is added."

Relationship to fail-open vs fail-closed

Logging mode is effectively fail-open: violations are recorded, but the flow is permitted so the service doesn't break. Enforcement mode is fail-closed: violations block the flow unconditionally. The two-mode design lets operators choose when to flip from fail-open to fail-closed on a per-zone basis.
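
A minimal sketch of the two modes and the per-zone flip described above, added here as an illustration and not Meta's Policy Zones code. `Zone`, `Mode`, `FlowDenied`, the sink names, and the refusal to flip while logged violations remain are all assumptions of this example.

```python
# Added illustration; Zone, Mode, FlowDenied and the sink names are hypothetical,
# not Meta's Policy Zones API.
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    LOGGING = "logging"          # fail-open: record the violation, permit the flow
    ENFORCEMENT = "enforcement"  # fail-closed: deny the violating flow


class FlowDenied(Exception):
    """Raised when an enforcing zone blocks a data flow."""


@dataclass
class Zone:
    name: str
    allowed_sinks: set            # sinks annotated as permitted for this zone's data
    mode: Mode = Mode.LOGGING     # zones start in logging mode
    violations: list = field(default_factory=list)

    def check_flow(self, source: str, sink: str) -> bool:
        """Return True if the flow may proceed; raise FlowDenied when enforcing."""
        if sink in self.allowed_sinks:
            return True
        self.violations.append((source, sink))    # recorded in both modes
        if self.mode is Mode.ENFORCEMENT:
            raise FlowDenied(f"{self.name}: {source} -> {sink}")
        return True                                # logging mode lets the flow through

    def unremediated(self) -> set:
        """Logged flows whose sink still lacks an annotation."""
        return {(s, k) for s, k in self.violations if k not in self.allowed_sinks}

    def enable_enforcement(self) -> None:
        """Flip fail-open to fail-closed; this sketch refuses while violations remain."""
        pending = self.unremediated()
        if pending:
            raise RuntimeError(f"{len(pending)} unremediated flow(s): {sorted(pending)}")
        self.mode = Mode.ENFORCEMENT


if __name__ == "__main__":                         # constructed sample flows
    zone = Zone("purpose_limited", {"ads_safe_store"})
    zone.check_flow("user_profile", "legacy_cache")   # logged, still permitted
    zone.allowed_sinks.add("legacy_cache")            # remediation: annotate the sink
    zone.enable_enforcement()
    zone.check_flow("user_profile", "legacy_cache")   # now permitted by policy
```

In this model, remediation means annotating the sink; a real system might instead remove or reroute the offending flow.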

Relationship to staged rollout

Logging-to-enforcement is a correctness-constraint rollout pattern, not a traffic-shifting pattern. Canaries and percentage rollouts shift traffic; logging mode shifts enforcement severity at fixed traffic. The two are complementary, not competing: both can run on the same deploy.
