Add Markitect check fixtures

examples/markitect/check_policy_package.md

@@ -0,0 +1,152 @@
+---
+id: markitect.gateway.check-fixtures
+name: Markitect gateway check fixtures
+namespace: markitect:gateway
+version: v1
+status: draft
+package: flexauth.markitect.gateway
+actions:
+  - read
+  - export
+  - activate_context
+owner: team:platform-architecture
+fixtures:
+  - check_fixtures.yaml
+caring:
+  profile: caring-0.4.0-rc2
+  enforce: false
+  canonical_roles:
+    - Doer
+    - Maintainer
+    - Verifier
+  organization_relations:
+    - Customer
+  scopes:
+    - level: Resource
+      id: document:public-note
+      tenant: tenant:alpha
+    - level: Resource
+      id: document:internal-note
+      tenant: tenant:alpha
+    - level: Dataset
+      id: context-package:internal-note-review
+      tenant: tenant:alpha
+  planes:
+    - Intent
+    - Data
+    - Audit
+  capabilities:
+    - View
+    - Export
+    - Use
+    - Execute
+  exposure_modes:
+    - Metadata
+    - Masked
+    - Plaintext
+    - Exportable
+  conditions:
+    - MFARequired
+    - PurposeBound
+    - Logged
+  restrictions:
+    - ExportBlocked
+metadata:
+  source: examples/markitect/check_policy_package.md
+---
+
+# Markitect Gateway Check Fixtures
+
+This package captures the first Markitect gateway scenarios as executable Rego
+and external fixtures.
+
+## Rules
+
+```rego
+import future.keywords.if
+import future.keywords.in
+
+default decision := {"effect": "deny", "reason": "no_matching_rule"}
+
+decision := {"effect": "allow", "reason": "public_document"} if {
+  input.action == "read"
+  input.resource.type == "document"
+  "public" in object.get(input.resource.attributes, "labels", [])
+}
+
+decision := {"effect": "allow", "reason": "reader_group"} if {
+  input.action == "read"
+  input.resource.type == "document"
+  "internal" in object.get(input.resource.attributes, "labels", [])
+  "group:platform-architecture" in object.get(input.subject.attributes, "groups", [])
+  "View" in input.caring_context.capabilities
+}
+
+decision := {
+  "effect": "allow",
+  "reason": "steward_export_mfa",
+  "conformance_findings": [{
+    "code": "MARKITECT-EXPORT-MFA-LOGGED",
+    "severity": "info",
+    "message": "Export is allowed only with steward role, MFA, and logging."
+  }]
+} if {
+  input.action == "export"
+  "steward" in object.get(input.subject.attributes, "roles", [])
+  input.context.mfa == true
+  "Export" in input.caring_context.capabilities
+  "Exportable" in input.caring_context.exposure_modes
+}
+
+decision := {
+  "effect": "allow",
+  "reason": "fresh_context_package",
+  "obligations": [{
+    "type": "record_context_activation",
+    "parameters": {"freshness_seconds": input.context.freshness_seconds}
+  }],
+  "conformance_findings": [{
+    "code": "MARKITECT-CONTEXT-FRESHNESS",
+    "severity": "info",
+    "message": "Context package activation includes policy version and freshness metadata."
+  }]
+} if {
+  input.action == "activate_context"
+  input.resource.type == "context_package"
+  input.policy_version != ""
+  input.context.freshness_seconds <= 900
+  "Use" in input.caring_context.capabilities
+  "Execute" in input.caring_context.capabilities
+}
+```
+
+## Tests
+
+```rego test
+package flexauth.markitect.gateway_test
+
+import future.keywords.if
+import data.flexauth.markitect.gateway
+
+test_public_document_allows if {
+  gateway.decision.effect == "allow" with input as {
+    "action": "read",
+    "resource": {
+      "type": "document",
+      "attributes": {"labels": ["public"]}
+    }
+  }
+}
+
+test_export_requires_mfa if {
+  gateway.decision.effect == "deny" with input as {
+    "action": "export",
+    "subject": {"attributes": {"roles": ["steward"]}},
+    "context": {"mfa": false},
+    "caring_context": {
+      "capabilities": ["Export"],
+      "exposure_modes": ["Exportable"]
+    }
+  }
+}
+```