generated from coulomb/repo-seed
Topaz alignment spike — mapping doc + green e2e example
Closes FLEX-WP-0005 T04. Validates ADR-003's commitment to shape the
standalone core for cheap Topaz adapter work.
Spike output:
- docs/topaz-mapping-spike.md — vocabulary map (subject, group, tenant,
knowledge_base, document, plus parent / owner_team / reader / steward /
member relations), Rego module shape, decision envelope, wire-protocol
ranking (gRPC primary, REST fallback, embedding rejected), schema
restatement recommendation, implications for FLEX-WP-0002 / 0004.
- examples/topaz/ — runnable docker-compose deploying Topaz with the
flex-auth-shaped manifest. seed and probe one-shots cover three
scenarios: alice (steward) allow, bob (group→reader) allow, eve
(outsider) deny. End-to-end green on 2026-05-16:
probe: steward-allow OK (check=true)
probe: reader-allow OK (check=true)
probe: outsider-deny OK (check=false)
probe: all checks passed
Key findings recorded as Implementation Notes in the spike doc:
- Rego input contract bridging (Topaz raw shape ↔ flex-auth canonical
shape) is adapter scope, not core scope.
- Topaz identity objects are a Topaz convention; the adapter
materializes them at directory import time.
- Directory-only permission resolution is sufficient for the common
case; Rego is reserved for context-dependent decisions.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
107
examples/topaz/cfg/config.yaml
Normal file
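--- a/examples/topaz/cfg/config.yaml
+++ b/examples/topaz/cfg/config.yaml
@@ -0,0 +1,107 @@
+# Topaz config for the flex-auth alignment spike.
+# Plaintext HTTP gateways for local convenience — never use this shape
+# in production. See docs/topaz-mapping-spike.md.
+
+version: 2
+
+logging:
+  prod: false
+  log_level: info
+
+directory:
+  db_path: /db/directory.db
+  request_timeout: 5s
+  seed_metadata: false
+
+remote_directory:
+  address: "0.0.0.0:9292"
+  insecure: true
+
+jwt:
+  acceptable_time_skew_seconds: 5
+
+api:
+  health:
+    listen_address: "0.0.0.0:9494"
+  metrics:
+    listen_address: "0.0.0.0:9696"
+  services:
+    reader:
+      grpc:
+        listen_address: "0.0.0.0:9292"
+        certs:
+          tls_key_path: "/certs/grpc.key"
+          tls_cert_path: "/certs/grpc.crt"
+          tls_ca_cert_path: "/certs/grpc-ca.crt"
+      gateway:
+        listen_address: "0.0.0.0:9393"
+        allowed_origins:
+          - "*"
+        http: true
+        read_timeout: 2s
+        write_timeout: 2s
+        idle_timeout: 30s
+    writer:
+      needs: [reader]
+      grpc:
+        listen_address: "0.0.0.0:9292"
+        certs:
+          tls_key_path: "/certs/grpc.key"
+          tls_cert_path: "/certs/grpc.crt"
+          tls_ca_cert_path: "/certs/grpc-ca.crt"
+      gateway:
+        listen_address: "0.0.0.0:9393"
+        allowed_origins: ["*"]
+        http: true
+    model:
+      needs: [reader]
+      grpc:
+        listen_address: "0.0.0.0:9292"
+        certs:
+          tls_key_path: "/certs/grpc.key"
+          tls_cert_path: "/certs/grpc.crt"
+          tls_ca_cert_path: "/certs/grpc-ca.crt"
+      gateway:
+        listen_address: "0.0.0.0:9393"
+        allowed_origins: ["*"]
+        http: true
+    exporter:
+      needs: [reader]
+      grpc:
+        listen_address: "0.0.0.0:9292"
+        certs:
+          tls_key_path: "/certs/grpc.key"
+          tls_cert_path: "/certs/grpc.crt"
+          tls_ca_cert_path: "/certs/grpc-ca.crt"
+    importer:
+      needs: [reader]
+      grpc:
+        listen_address: "0.0.0.0:9292"
+        certs:
+          tls_key_path: "/certs/grpc.key"
+          tls_cert_path: "/certs/grpc.crt"
+          tls_ca_cert_path: "/certs/grpc-ca.crt"
+    authorizer:
+      needs: [reader]
+      grpc:
+        connection_timeout_seconds: 2
+        listen_address: "0.0.0.0:8282"
+        certs:
+          tls_key_path: "/certs/grpc.key"
+          tls_cert_path: "/certs/grpc.crt"
+          tls_ca_cert_path: "/certs/grpc-ca.crt"
+      gateway:
+        listen_address: "0.0.0.0:8383"
+        allowed_origins: ["*"]
+        http: true
+        read_timeout: 2s
+        write_timeout: 2s
+        idle_timeout: 30s
+
+opa:
+  instance_id: "flex-auth-spike"
+  graceful_shutdown_period_seconds: 2
+  local_bundles:
+    paths:
+      - "/bundle"
+    skip_verification: true
+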
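Review bot: The header comment only calls out the plaintext gateways, but this manifest relaxes four separate hardening controls at once — `remote_directory.insecure: true`, `http: true` on every gateway, `allowed_origins: ["*"]` (wildcard CORS on the writer/model gateways as well as the reader), and `opa.local_bundles.skip_verification: true` — and binds all of them to `0.0.0.0`, so anyone copying this file as a starting point has to hunt for each knob. I would extend the comment at the top to enumerate them, e.g. `# Relaxed for the local spike only: remote_directory.insecure, gateway.http (plaintext), allowed_origins ["*"],` / `# opa.local_bundles.skip_verification, and 0.0.0.0 binds on every listener — re-harden all of these before reuse.`. Whether the 0.0.0.0 binds actually reach the host depends on which ports the compose file publishes, which is outside this hunk; worth stating in the same comment which listeners the spike expects to expose. Separately, `allowed_origins` is written in block style under `reader` and flow style (`["*"]`) under the other services — pick one for the file.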