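package flexauth.markitect.documents

import future.keywords.if
import future.keywords.in

# This module is the Rego extracted from a flex-auth Rego-in-Markdown
# policy package (ADR-002). Identical bytes ship to the standalone
# evaluator and to Topaz; only the resolution of ds.* differs.
#
# Decision shape per ADR-002:
#   decision := {"effect": "...", "reason": "...", "obligations": [...]}
# flex-auth wraps this into the canonical decision envelope.
#
# `decision` is a complete rule. OPA raises eval_conflict_error (and
# returns no decision at all) if two of the `decision := ... if` bodies
# below hold for the same input with different values, so the bodies
# are kept mutually exclusive: by action (read/query/search vs. export)
# and, on the read path, by the `not is_steward` guard on the reader
# rule. Anything unmatched falls through to the default deny; so does
# an input missing `resource.id` or `subject.id`, because those
# references are undefined and the helpers become undefined with them.

default decision := {"effect": "deny", "reason": "no_matching_rule"}

# Reader on the document (direct or via group, or inherited from the
# parent knowledge_base) is allowed to read/query/search.
# Stewards are excluded here and handled by the steward rule below,
# otherwise a subject holding both relations would satisfy both rules
# and produce two different decision objects.
decision := {"effect": "allow", "reason": "reader_relation"} if {
	input.action in {"read", "query", "search"}
	input.resource.type == "document"
	is_reader
	not is_steward
}

# A steward on the document or parent may always read and may also
# export (which carries an audit-export obligation).
decision := {"effect": "allow", "reason": "steward_role"} if {
	input.action in {"read", "query", "search"}
	input.resource.type == "document"
	is_steward
}

# Export is only ever granted to a steward; the obligation tells
# flex-auth to record the export receipt alongside the allow.
decision := {
	"effect": "allow",
	"reason": "steward_export",
	"obligations": [{"type": "record_export_receipt"}],
} if {
	input.action == "export"
	input.resource.type == "document"
	is_steward
}

# Helpers — these consult the directory shim (standalone) or Topaz's
# ds.* builtins (delegated). The standalone evaluator registers
# ds.check_relation / ds.check_permission with identical signatures.
#
# NOTE(review): each helper sends a single direct
# (document, <relation>, user) tuple. The group-membership and
# parent-knowledge_base expansion described above is therefore not
# done in this policy and must happen inside ds.check_relation
# (directory manifest / shim) — confirm against the manifest.
# subject_type is fixed to "user"; any other principal type is denied.

is_reader if {
	ds.check_relation({
		"object_type": "document",
		"object_id": input.resource.id,
		"relation": "reader",
		"subject_type": "user",
		"subject_id": input.subject.id,
	})
}

is_steward if {
	ds.check_relation({
		"object_type": "document",
		"object_id": input.resource.id,
		"relation": "steward",
		"subject_type": "user",
		"subject_id": input.subject.id,
	})
}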