coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Markitect check fixtures
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-17 06:32:05 +02:00
parent 96e53bf1d9
commit 7e09a21c5f
5 changed files with 457 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

239
examples/markitect/check_fixtures.yaml Normal file
View File

@@ -0,0 +1,239 @@
- id: fixture:markitect-public-document-allow
request:
id: check:markitect-public-document
subject:
id: user:visitor
type: Human
tenant: tenant:alpha
action: read
resource:
id: document:public-note
type: document
system: markitect-tool
tenant: tenant:alpha
attributes:
labels:
- public
trust_zone: public
caring_context:
id: descriptor:public-document-reader
profile: caring-0.4.0-rc2
subject_type: Human
organization_relation: Customer
canonical_role: Doer
scope:
level: Resource
id: document:public-note
tenant: tenant:alpha
planes:
- Data
capabilities:
- View
exposure_modes:
- Plaintext
conditions:
- Logged
expect:
effect: allow
reason: public_document
metadata:
expected_caring_descriptor: descriptor:public-document-reader
expected_conformance_findings: []
expected_exposure_modes:
- Plaintext
expected_audit_behavior: sampled_allow
- id: fixture:markitect-internal-document-deny
request:
id: check:markitect-internal-document-deny
subject:
id: user:visitor
type: Human
tenant: tenant:alpha
attributes:
groups: []
action: read
resource:
id: document:internal-note
type: document
system: markitect-tool
tenant: tenant:alpha
attributes:
labels:
- internal
trust_zone: internal
expect:
effect: deny
reason: no_matching_rule
metadata:
expected_caring_descriptor: null
expected_conformance_findings: []
expected_exposure_modes:
- None
expected_audit_behavior: always_record
- id: fixture:markitect-internal-document-reader-allow
request:
id: check:markitect-internal-document-reader
subject:
id: user:alice
type: Human
tenant: tenant:alpha
attributes:
groups:
- group:platform-architecture
action: read
resource:
id: document:internal-note
type: document
system: markitect-tool
tenant: tenant:alpha
attributes:
labels:
- internal
trust_zone: internal
caring_context:
id: descriptor:internal-document-reader
profile: caring-0.4.0-rc2
subject_type: Human
organization_relation: Customer
canonical_role: Doer
scope:
level: Resource
id: document:internal-note
tenant: tenant:alpha
planes:
- Data
capabilities:
- View
exposure_modes:
- Masked
- Plaintext
conditions:
- Logged
restrictions:
- ExportBlocked
expect:
effect: allow
reason: reader_group
metadata:
expected_caring_descriptor: descriptor:internal-document-reader
expected_conformance_findings: []
expected_exposure_modes:
- Masked
- Plaintext
expected_audit_behavior: sampled_allow
- id: fixture:markitect-restricted-export-steward-mfa
request:
id: check:markitect-restricted-export
subject:
id: user:steward
type: Human
tenant: tenant:alpha
attributes:
roles:
- steward
action: export
resource:
id: export:internal-note-review-bundle
type: export
system: markitect-tool
tenant: tenant:alpha
attributes:
labels:
- export
trust_zone: external
context:
mfa: true
reason: customer-approved export
caring_context:
id: descriptor:restricted-export-steward
profile: caring-0.4.0-rc2
subject_type: Human
organization_relation: Customer
canonical_role: Maintainer
scope:
level: Record
id: export:internal-note-review-bundle
tenant: tenant:alpha
planes:
- Data
- Audit
capabilities:
- Export
exposure_modes:
- Exportable
- Plaintext
conditions:
- MFARequired
- Logged
expect:
effect: allow
reason: steward_export_mfa
conformance_findings:
- code: MARKITECT-EXPORT-MFA-LOGGED
severity: info
message: Export is allowed only with steward role, MFA, and logging.
metadata:
expected_caring_descriptor: descriptor:restricted-export-steward
expected_exposure_modes:
- Exportable
- Plaintext
expected_audit_behavior: always_record
- id: fixture:markitect-context-package-activation
request:
id: check:markitect-context-package-activation
subject:
id: user:alice
type: Human
tenant: tenant:alpha
action: activate_context
resource:
id: context-package:internal-note-review
type: context_package
system: markitect-tool
tenant: tenant:alpha
attributes:
labels:
- internal
- generated
context:
freshness_seconds: 600
policy_version: markitect-gateway-v1
caring_context:
id: descriptor:context-package-activation
profile: caring-0.4.0-rc2
subject_type: Human
organization_relation: Customer
canonical_role: Verifier
scope:
level: Dataset
id: context-package:internal-note-review
tenant: tenant:alpha
planes:
- Intent
- Policy
capabilities:
- Use
- Execute
exposure_modes:
- Metadata
- Masked
conditions:
- PurposeBound
- Logged
expect:
effect: allow
reason: fresh_context_package
obligations:
- type: record_context_activation
parameters:
freshness_seconds: 600
conformance_findings:
- code: MARKITECT-CONTEXT-FRESHNESS
severity: info
message: Context package activation includes policy version and freshness metadata.
metadata:
expected_caring_descriptor: descriptor:context-package-activation
expected_exposure_modes:
- Metadata
- Masked
expected_audit_behavior: always_record