Implement policy package loader

examples/caring/README.md

@@ -1,8 +1,8 @@
 # CARING examples
 
 Small fixtures for the executable CARING 0.4.0-RC2 profile used by
-`FLEX-WP-0002 P2.1`.
+`FLEX-WP-0002`.
 
-These are intentionally compact. They are not policy-engine fixtures yet;
-they prove that the canonical descriptor, request, decision, registry, and
-audit shapes can round-trip through `pkg/api`.
+These are intentionally compact. They prove that the canonical descriptor,
+request, decision, registry, audit, and Rego-in-Markdown policy package
+shapes can round-trip through `pkg/api` and `internal/policy`.

examples/caring/policy_package.md

@@ -0,0 +1,137 @@
+---
+id: markitect.documents.internal-read
+name: Markitect internal document read
+namespace: markitect:document
+version: v1
+status: draft
+package: flexauth.markitect.documents
+actions:
+  - read
+owner: team:platform-architecture
+fixtures:
+  - policy_fixture.yaml
+caring:
+  profile: caring-0.4.0-rc2
+  enforce: false
+  canonical_roles:
+    - Doer
+  organization_relations:
+    - Customer
+  scopes:
+    - level: Resource
+      id: document:internal-note
+      tenant: tenant:alpha
+  planes:
+    - Data
+  capabilities:
+    - View
+  exposure_modes:
+    - Masked
+    - Plaintext
+  conditions:
+    - PurposeBound
+    - Logged
+  restrictions:
+    - ExportBlocked
+activation:
+  mode: local
+metadata:
+  source: examples/caring/policy_package.md
+---
+
+# Markitect Internal Document Read
+
+This package authorizes read access to an internal Markitect document when
+the request carries a CARING descriptor for a customer Doer with View
+capability on the document resource and an explicit ExportBlocked restriction.
+
+## Rules
+
+```rego
+import future.keywords.if
+import future.keywords.in
+
+default decision := {"effect": "deny", "reason": "no_matching_rule"}
+
+decision := {
+  "effect": "allow",
+  "reason": "reader_relation",
+  "conformance_findings": [{
+    "code": "CARING-EXPORT-SEPARATION",
+    "severity": "info",
+    "message": "View is allowed, but Exportable exposure remains separately blocked."
+  }]
+} if {
+  input.action == "read"
+  input.resource.system == "markitect-tool"
+  input.resource.type == "document"
+  input.caring_context.profile == "caring-0.4.0-rc2"
+  input.caring_context.organization_relation == "Customer"
+  input.caring_context.canonical_role == "Doer"
+  "View" in input.caring_context.capabilities
+  "ExportBlocked" in input.caring_context.restrictions
+}
+```
+
+## Tests
+
+```rego test
+package flexauth.markitect.documents_test
+
+import future.keywords.if
+import data.flexauth.markitect.documents
+
+test_reader_relation_allows if {
+  documents.decision.effect == "allow" with input as {
+    "action": "read",
+    "resource": {
+      "id": "document:internal-note",
+      "type": "document",
+      "system": "markitect-tool",
+      "tenant": "tenant:alpha"
+    },
+    "caring_context": {
+      "profile": "caring-0.4.0-rc2",
+      "organization_relation": "Customer",
+      "canonical_role": "Doer",
+      "capabilities": ["View"],
+      "restrictions": ["ExportBlocked"]
+    }
+  }
+}
+
+test_missing_caring_context_denies if {
+  documents.decision.effect == "deny" with input as {
+    "action": "read",
+    "resource": {
+      "id": "document:internal-note",
+      "type": "document",
+      "system": "markitect-tool",
+      "tenant": "tenant:alpha"
+    }
+  }
+}
+```
+
+## Fixtures
+
+```yaml fixture
+id: fixture:markitect-internal-read-deny
+request:
+  id: check:tenant-alpha-internal-note-deny
+  subject:
+    id: user:bob
+    type: Human
+    tenant: tenant:alpha
+  action: read
+  resource:
+    id: document:internal-note
+    type: document
+    system: markitect-tool
+    tenant: tenant:alpha
+expect:
+  effect: deny
+  reason: no_matching_rule
+metadata:
+  source: examples/caring/policy_package.md
+```