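---
id: markitect.gateway.check-fixtures
name: Markitect gateway check fixtures
namespace: markitect:gateway
version: v1
status: draft
package: flexauth.markitect.gateway
actions:
  - read
  - export
  - activate_context
owner: team:platform-architecture
fixtures:
  - check_fixtures.yaml
caring:
  profile: caring-0.4.0-rc2
  enforce: false
  canonical_roles:
    - Doer
    - Maintainer
    - Verifier
  organization_relations:
    - Customer
  scopes:
    - level: Resource
      id: document:public-note
      tenant: tenant:alpha
    - level: Resource
      id: document:internal-note
      tenant: tenant:alpha
    - level: Dataset
      id: context-package:internal-note-review
      tenant: tenant:alpha
  planes:
    - Intent
    - Data
    - Audit
  capabilities:
    - View
    - Export
    - Use
    - Execute
  exposure_modes:
    - Metadata
    - Masked
    - Plaintext
    - Exportable
  conditions:
    - MFARequired
    - PurposeBound
    - Logged
  restrictions:
    - ExportBlocked
metadata:
  source: examples/markitect/check_policy_package.md
---

# Markitect Gateway Check Fixtures

This package captures the first Markitect gateway scenarios as executable Rego and external fixtures.

## Rules

```rego
# NOTE(review): this block carries no `package` line while the tests below
# import data.flexauth.markitect.gateway; confirm the tooling injects
# `package flexauth.markitect.gateway` from the front matter before evaluation.
import future.keywords.if
import future.keywords.in

# Deny unless exactly one allow rule below matches. `decision` is a complete
# rule: if two allow rules with different values match the same input, OPA
# raises a conflict error instead of returning a decision, so every allow
# rule must be mutually exclusive with the others.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

# Attribute lists are read with a default so a missing list is treated as
# empty rather than making the rule undefined.
labels := object.get(input.resource.attributes, "labels", [])

subject_groups := object.get(input.subject.attributes, "groups", [])

subject_roles := object.get(input.subject.attributes, "roles", [])

# Public read. A document carrying both "public" and "internal" is treated as
# internal (fail closed) so it falls through to reader_group instead of
# matching both rules and conflicting.
decision := {"effect": "allow", "reason": "public_document"} if {
	input.action == "read"
	input.resource.type == "document"
	"public" in labels
	not "internal" in labels
}

# Internal read: requires group membership and the View capability on the
# caring context.
decision := {"effect": "allow", "reason": "reader_group"} if {
	input.action == "read"
	input.resource.type == "document"
	"internal" in labels
	"group:platform-architecture" in subject_groups
	"View" in input.caring_context.capabilities
}

# Steward export. Every clause named in the finding's message is checked:
# steward role, MFA, and the Logged condition. An ExportBlocked restriction
# on the caring context always wins. `conditions` and `restrictions` are
# assumed to ride on caring_context like capabilities/exposure_modes do;
# confirm against check_fixtures.yaml.
decision := {
	"effect": "allow",
	"reason": "steward_export_mfa",
	"conformance_findings": [{
		"code": "MARKITECT-EXPORT-MFA-LOGGED",
		"severity": "info",
		"message": "Export is allowed only with steward role, MFA, and logging.",
	}],
} if {
	input.action == "export"
	"steward" in subject_roles
	input.context.mfa == true
	"Export" in input.caring_context.capabilities
	"Exportable" in input.caring_context.exposure_modes
	"Logged" in input.caring_context.conditions
	not "ExportBlocked" in object.get(input.caring_context, "restrictions", [])
}

# Context-package activation: a non-empty policy version and a freshness
# window of at most 900 seconds are required, plus both Use and Execute
# capabilities. The obligation echoes the freshness back for the audit record.
decision := {
	"effect": "allow",
	"reason": "fresh_context_package",
	"obligations": [{
		"type": "record_context_activation",
		"parameters": {"freshness_seconds": input.context.freshness_seconds},
	}],
	"conformance_findings": [{
		"code": "MARKITECT-CONTEXT-FRESHNESS",
		"severity": "info",
		"message": "Context package activation includes policy version and freshness metadata.",
	}],
} if {
	input.action == "activate_context"
	input.resource.type == "context_package"
	input.policy_version != ""
	input.context.freshness_seconds <= 900
	"Use" in input.caring_context.capabilities
	"Execute" in input.caring_context.capabilities
}
```

## Tests

```rego test
package flexauth.markitect.gateway_test

import future.keywords.if

import data.flexauth.markitect.gateway

test_public_document_allows if {
	gateway.decision.effect == "allow" with input as {
		"action": "read",
		"resource": {
			"type": "document",
			"attributes": {"labels": ["public"]},
		},
	}
}

test_export_requires_mfa if {
	gateway.decision.effect == "deny" with input as {
		"action": "export",
		"subject": {"attributes": {"roles": ["steward"]}},
		"context": {"mfa": false},
		"caring_context": {
			"capabilities": ["Export"],
			"exposure_modes": ["Exportable"],
		},
	}
}

# Regression: a document labeled both public and internal used to match two
# allow rules and conflict; it now resolves to a single decision, and without
# group membership that decision is deny.
test_mixed_labels_deny_without_group if {
	gateway.decision.effect == "deny" with input as {
		"action": "read",
		"resource": {
			"type": "document",
			"attributes": {"labels": ["public", "internal"]},
		},
		"subject": {"attributes": {"groups": []}},
		"caring_context": {"capabilities": ["View"]},
	}
}

test_export_requires_logged_condition if {
	gateway.decision.effect == "deny" with input as {
		"action": "export",
		"subject": {"attributes": {"roles": ["steward"]}},
		"context": {"mfa": true},
		"caring_context": {
			"capabilities": ["Export"],
			"exposure_modes": ["Exportable"],
		},
	}
}

test_steward_export_allows_with_logging if {
	gateway.decision.effect == "allow" with input as {
		"action": "export",
		"subject": {"attributes": {"roles": ["steward"]}},
		"context": {"mfa": true},
		"caring_context": {
			"capabilities": ["Export"],
			"exposure_modes": ["Exportable"],
			"conditions": ["Logged"],
		},
	}
}

test_export_blocked_restriction_denies if {
	gateway.decision.effect == "deny" with input as {
		"action": "export",
		"subject": {"attributes": {"roles": ["steward"]}},
		"context": {"mfa": true},
		"caring_context": {
			"capabilities": ["Export"],
			"exposure_modes": ["Exportable"],
			"conditions": ["Logged"],
			"restrictions": ["ExportBlocked"],
		},
	}
}
```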