# Topaz v3 manifest for the flex-auth alignment spike.
#
# Mirrors flex-auth's canonical resource/subject/group/relation
# vocabulary, scoped to the subset the Markitect internal-document
# fixture exercises. Reference: docs/topaz-mapping-spike.md.
#
# Notes on Topaz syntax:
#  - relations: union types only ( | ) and group-member shorthand ( # ).
#  - permissions: also support the parent-walk operator ( -> ).
# yaml-language-server: $schema=https://www.topaz.sh/schema/manifest.json
---
model:
  version: 3

types:
  user:
    relations:
      manager: user

  identity:
    relations:
      identifier: user

  group:
    relations:
      member: user | group#member

  tenant:
    relations:
      member: user | group#member

  knowledge_base:
    relations:
      tenant: tenant
      owner_team: group
      reader: user | group#member
      steward: user | group#member
    permissions:
      read: reader | steward
      admin: steward

  document:
    relations:
      parent: knowledge_base
      owner_team: group
      reader: user | group#member
      steward: user | group#member
    permissions:
      read: reader | steward | parent->read
      query: reader | steward | parent->read
      search: reader | steward | parent->read
      export: steward
      admin: steward | parent->admin