Topaz alignment spike — mapping doc + green e2e example

Closes FLEX-WP-0005 T04. Validates ADR-003's commitment to shape the standalone core for cheap Topaz adapter work. Spike output: - docs/topaz-mapping-spike.md — vocabulary map (subject, group, tenant, knowledge_base, document, plus parent / owner_team / reader / steward / member relations), Rego module shape, decision envelope, wire-protocol ranking (gRPC primary, REST fallback, embedding rejected), schema restatement recommendation, implications for FLEX-WP-0002 / 0004. - examples/topaz/ — runnable docker-compose deploying Topaz with the flex-auth-shaped manifest. seed and probe one-shots cover three scenarios: alice (steward) allow, bob (group→reader) allow, eve (outsider) deny. End-to-end green on 2026-05-16: probe: steward-allow OK (check=true) probe: reader-allow OK (check=true) probe: outsider-deny OK (check=false) probe: all checks passed Key findings recorded as Implementation Notes in the spike doc: - Rego input contract bridging (Topaz raw shape ↔ flex-auth canonical shape) is adapter scope, not core scope. - Topaz identity objects are a Topaz convention; the adapter materializes them at directory import time. - Directory-only permission resolution is sufficient for the common case; Rego is reserved for context-dependent decisions. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 09:04:42 +02:00
parent 52b5575048
commit 82177d88a9
12 changed files with 897 additions and 1 deletions
--- a/examples/topaz/docker-compose.yml
+++ b/examples/topaz/docker-compose.yml
@@ -0,0 +1,68 @@
+# Runnable Topaz example for the flex-auth alignment spike.
+#
+# Boot order:
+#   1. topaz   — runs topazd with the spike config; serves authorizer
+#                on :8282 (gRPC) and :8383 (REST), directory on :9292
+#                (gRPC) and :9393 (REST), health on :9494.
+#   2. seed    — one-shot container that pushes the manifest and seeds
+#                directory objects/relations via REST. Exits on success.
+#   3. probe   — one-shot container that runs three authorizer checks
+#                (steward allow, reader allow, outsider deny) and exits
+#                non-zero if any decision is unexpected.
+#
+# Usage:
+#   docker compose up --abort-on-container-exit --exit-code-from probe
+#
+# See docs/topaz-mapping-spike.md and README.md.
+
+services:
+  topaz:
+    image: ghcr.io/aserto-dev/topaz:latest
+    command: ["run", "--config-file", "/cfg/config.yaml", "--bundle", "/bundle"]
+    ports:
+      - "127.0.0.1:8282:8282"  # authorizer gRPC
+      - "127.0.0.1:8383:8383"  # authorizer REST
+      - "127.0.0.1:9292:9292"  # directory gRPC
+      - "127.0.0.1:9393:9393"  # directory REST
+      - "127.0.0.1:9494:9494"  # health
+    volumes:
+      - ./cfg:/cfg:ro
+      - ./bundle:/bundle:ro
+      - topaz-db:/db
+      - topaz-certs:/certs
+    healthcheck:
+      # Topaz's image has no curl/wget; nc is in busybox. Probe TCP on
+      # the authorizer REST port — the gateway only listens once the
+      # backing gRPC service is ready.
+      test: ["CMD-SHELL", "nc -z 127.0.0.1 8383 || exit 1"]
+      interval: 2s
+      timeout: 2s
+      retries: 30
+
+  seed:
+    image: alpine:3.20
+    depends_on:
+      topaz:
+        condition: service_healthy
+    volumes:
+      - ./data:/data:ro
+      - ./scripts:/scripts:ro
+      - ./manifest.yaml:/manifest.yaml:ro
+    entrypoint: ["/bin/sh", "/scripts/seed.sh"]
+    environment:
+      DIRECTORY_REST: "http://topaz:9393"
+
+  probe:
+    image: alpine:3.20
+    depends_on:
+      seed:
+        condition: service_completed_successfully
+    volumes:
+      - ./scripts:/scripts:ro
+    entrypoint: ["/bin/sh", "/scripts/probe.sh"]
+    environment:
+      AUTHORIZER_REST: "http://topaz:8383"
+
+volumes:
+  topaz-db:
+  topaz-certs: