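---
id: markitect.documents.internal-read
name: Markitect internal document read
namespace: markitect:document
version: v1
status: draft
package: flexauth.markitect.documents
actions:
  - read
owner: team:platform-architecture
fixtures:
  - policy_fixture.yaml
caring:
  profile: caring-0.4.0-rc2
  enforce: false
  canonical_roles:
    - Doer
  organization_relations:
    - Customer
  scopes:
    - level: Resource
      id: document:internal-note
      tenant: tenant:alpha
  planes:
    - Data
  capabilities:
    - View
  exposure_modes:
    - Masked
    - Plaintext
  conditions:
    - PurposeBound
    - Logged
  restrictions:
    - ExportBlocked
  activation:
    mode: local
metadata:
  source: examples/caring/policy_package.md
---

# Markitect Internal Document Read

This package authorizes read access to an internal Markitect document when the
request carries a CARING descriptor for a customer Doer with View capability on
the document resource and an explicit ExportBlocked restriction.

The allow rule is pinned to the scope declared in the front matter
(`document:internal-note` in `tenant:alpha`): a request for any other document
id or tenant falls through to the default deny, even if the CARING descriptor
itself is valid.

## Rules

```rego
import future.keywords.if
import future.keywords.in

# Default decision: every request that does not satisfy the allow rule
# below is denied with a stable reason code.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

# Allow a customer Doer to read the scoped internal note.
#
# The resource id and tenant checks tie this rule to the Resource-level
# scope declared in the front matter. Without them, any document in
# markitect-tool would match, which is wider than the package claims.
#
# NOTE(review): the front matter also lists conditions (PurposeBound,
# Logged) and exposure modes (Masked, Plaintext). This rule does not
# evaluate them; confirm whether they are enforced by the caller or by
# another package before relying on this policy outside a draft.
decision := {
    "effect": "allow",
    "reason": "reader_relation",
    "conformance_findings": [{
        "code": "CARING-EXPORT-SEPARATION",
        "severity": "info",
        "message": "View is allowed, but Exportable exposure remains separately blocked."
    }]
} if {
    input.action == "read"
    input.resource.system == "markitect-tool"
    input.resource.type == "document"
    # Scope pinning: only the declared document in the declared tenant.
    input.resource.id == "document:internal-note"
    input.resource.tenant == "tenant:alpha"
    input.caring_context.profile == "caring-0.4.0-rc2"
    input.caring_context.organization_relation == "Customer"
    input.caring_context.canonical_role == "Doer"
    "View" in input.caring_context.capabilities
    # View alone is not enough: the descriptor must carry the export block.
    "ExportBlocked" in input.caring_context.restrictions
}
```

## Tests

```rego test
package flexauth.markitect.documents_test

import future.keywords.if

import data.flexauth.markitect.documents

# Happy path: in-scope resource plus a complete CARING descriptor.
test_reader_relation_allows if {
    documents.decision.effect == "allow" with input as {
        "action": "read",
        "resource": {
            "id": "document:internal-note",
            "type": "document",
            "system": "markitect-tool",
            "tenant": "tenant:alpha"
        },
        "caring_context": {
            "profile": "caring-0.4.0-rc2",
            "organization_relation": "Customer",
            "canonical_role": "Doer",
            "capabilities": ["View"],
            "restrictions": ["ExportBlocked"]
        }
    }
}

# No descriptor at all: the allow rule cannot match, so the default applies.
test_missing_caring_context_denies if {
    documents.decision.effect == "deny" with input as {
        "action": "read",
        "resource": {
            "id": "document:internal-note",
            "type": "document",
            "system": "markitect-tool",
            "tenant": "tenant:alpha"
        }
    }
}

# Same valid descriptor, different tenant: scope pinning must deny.
test_other_tenant_denies if {
    documents.decision.effect == "deny" with input as {
        "action": "read",
        "resource": {
            "id": "document:internal-note",
            "type": "document",
            "system": "markitect-tool",
            "tenant": "tenant:beta"
        },
        "caring_context": {
            "profile": "caring-0.4.0-rc2",
            "organization_relation": "Customer",
            "canonical_role": "Doer",
            "capabilities": ["View"],
            "restrictions": ["ExportBlocked"]
        }
    }
}

# View capability without the ExportBlocked restriction is not sufficient.
test_missing_export_restriction_denies if {
    documents.decision.effect == "deny" with input as {
        "action": "read",
        "resource": {
            "id": "document:internal-note",
            "type": "document",
            "system": "markitect-tool",
            "tenant": "tenant:alpha"
        },
        "caring_context": {
            "profile": "caring-0.4.0-rc2",
            "organization_relation": "Customer",
            "canonical_role": "Doer",
            "capabilities": ["View"],
            "restrictions": []
        }
    }
}
```

## Fixtures

```yaml fixture
id: fixture:markitect-internal-read-deny
request:
  id: check:tenant-alpha-internal-note-deny
  subject:
    id: user:bob
    type: Human
    tenant: tenant:alpha
  action: read
  resource:
    id: document:internal-note
    type: document
    system: markitect-tool
    tenant: tenant:alpha
expect:
  effect: deny
  reason: no_matching_rule
metadata:
  source: examples/caring/policy_package.md
```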