generated from coulomb/repo-seed
Topaz alignment spike — mapping doc + green e2e example
Closes FLEX-WP-0005 T04. Validates ADR-003's commitment to shape the
standalone core for cheap Topaz adapter work.
Spike output:
- docs/topaz-mapping-spike.md — vocabulary map (subject, group, tenant,
knowledge_base, document, plus parent / owner_team / reader / steward /
member relations), Rego module shape, decision envelope, wire-protocol
ranking (gRPC primary, REST fallback, embedding rejected), schema
restatement recommendation, implications for FLEX-WP-0002 / 0004.
- examples/topaz/ — runnable docker-compose deploying Topaz with the
flex-auth-shaped manifest. seed and probe one-shots cover three
scenarios: alice (steward) allow, bob (group→reader) allow, eve
(outsider) deny. End-to-end green on 2026-05-16:
probe: steward-allow OK (check=true)
probe: reader-allow OK (check=true)
probe: outsider-deny OK (check=false)
probe: all checks passed
Key findings recorded as Implementation Notes in the spike doc:
- Rego input contract bridging (Topaz raw shape ↔ flex-auth canonical
shape) is adapter scope, not core scope.
- Topaz identity objects are a Topaz convention; the adapter
materializes them at directory import time.
- Directory-only permission resolution is sufficient for the common
case; Rego is reserved for context-dependent decisions.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
49
examples/topaz/manifest.yaml
Normal file
@@ -0,0 +1,49 @@
# Topaz v3 manifest for the flex-auth alignment spike.
#
# Mirrors flex-auth's canonical resource/subject/group/relation
# vocabulary, scoped to the subset the Markitect internal-document
# fixture exercises. Reference: docs/topaz-mapping-spike.md.
#
# Notes on Topaz syntax:
# - relations: union types only ( | ) and group-member shorthand ( # ).
# - permissions: also support the parent-walk operator ( -> ).
# yaml-language-server: $schema=https://www.topaz.sh/schema/manifest.json
---
model:
version: 3
types:
user:
relations:
manager: user
group:
relations:
member: user | group#member
tenant:
relations:
member: user | group#member
knowledge_base:
relations:
tenant: tenant
owner_team: group
reader: user | group#member
steward: user | group#member
permissions:
read: reader | steward
admin: steward
document:
relations:
parent: knowledge_base
owner_team: group
reader: user | group#member
steward: user | group#member
permissions:
read: reader | steward | parent->read
query: reader | steward | parent->read
search: reader | steward | parent->read
export: steward
admin: steward | parent->admin
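Review bot: several relations declared in this hunk are never referenced by any permission, so they have no effect on authorization decisions: `user.manager`, `tenant.member`, `knowledge_base.tenant`, and `owner_team` on both `knowledge_base` and `document`. As written, `knowledge_base.read` resolves only from `reader | steward` and `document.read` from `reader | steward | parent->read`, so a tenant member or a member of the owning team who has not also been granted `reader` or `steward` is denied, and the tenant boundary plays no part in the check at all. If that is intended (the vocabulary is mirrored from flex-auth, as the header comment says), state it in the comment block so nobody assumes `tenant` scopes access; otherwise add the corresponding walks to the permission expressions. Also, `document.admin` is `steward | parent->admin` but `document.export` is `steward` alone, so a knowledge_base steward holds admin on every document beneath it yet cannot export one; if that asymmetry is deliberate, a one-line comment above `export` would spare the next reader the question.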