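#!/bin/sh
# Probe the Topaz directory's Check API to verify the seeded manifest
# correctly resolves reader/steward/outsider permissions for the
# Markitect internal-document fixture. Exits 0 if all checks match
# expectations, 1 on a permission mismatch, and 2 when the directory
# could not be queried or answered with something other than a boolean.
#
# This probe deliberately uses the directory Check API rather than the
# authorizer Is API. The manifest permissions are the substrate the
# Topaz adapter (FLEX-WP-0004 T01) and the standalone evaluator both
# consult; demonstrating it works end-to-end here is the spike's actual
# validation question. Bridging flex-auth's Rego input shape into
# Topaz's raw authorizer input is adapter work, intentionally out of
# this spike's scope (see docs/topaz-mapping-spike.md §"Implementation
# Notes").
#
# Environment:
#   DIRECTORY_REST  base URL of the directory REST gateway
#                   (default http://topaz:9393)
set -eu

# Tooling is fetched at run time for the Alpine spike container. That is an
# unpinned network install; if this probe ever becomes a CI gate, bake curl
# and jq into the image instead. The install is skipped when both tools are
# already on PATH so the script also runs outside that container.
if ! command -v curl >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
  apk add --no-cache curl jq >/dev/null
fi

DIR="${DIRECTORY_REST:-http://topaz:9393}"
printf 'probe: directory REST = %s\n' "$DIR"

#######################################
# Ask the directory whether a subject holds a permission on a resource and
# compare the answer with the expected boolean.
# Globals:
#   DIR (read) - directory REST base URL
# Arguments:
#   $1 - scenario name, used in output only
#   $2 - subject id of the seeded user
#   $3 - resource as "<object_type>:<object_id>"
#   $4 - permission/relation name to check
#   $5 - expected answer, "true" or "false"
# Outputs:
#   "probe: <name> ..." lines on stdout; request errors on stderr
# Returns:
#   0 when the answer matches; exits 1 on mismatch, 2 on request errors
#######################################
check() {
  name=$1 subject=$2 resource=$3 permission=$4 expect=$5

  # Split "document:internal-note" into object type and id at the first colon.
  object_type=${resource%%:*}
  object_id=${resource#*:}

  # NOTE(review): the request below was reconstructed — the original heredoc
  # and curl invocation did not survive extraction. It targets the directory
  # v3 Check API; confirm the path, the field names and the subject object
  # type ("user" is assumed here) against the seeded manifest.
  subject_type=user

  # Build the JSON with jq rather than string interpolation so ids containing
  # quotes or backslashes cannot break (or quietly alter) the request.
  body=$(jq -cn \
    --arg ot "$object_type" --arg oid "$object_id" \
    --arg rel "$permission" \
    --arg st "$subject_type" --arg sid "$subject" \
    '{object_type: $ot, object_id: $oid, relation: $rel,
      subject_type: $st, subject_id: $sid}')

  # A transport failure is reported on its own exit code so a failed request
  # is never presented as a check result.
  if ! response=$(curl -sS -H 'Content-Type: application/json' \
      -d "$body" "$DIR/api/v3/directory/check"); then
    printf 'probe: %s ERROR (request to %s failed)\n' "$name" "$DIR" >&2
    exit 2
  fi
  printf 'probe: %s -> %s\n' "$name" "$response"

  # Only a literal boolean counts as an answer; an error document from the
  # gateway yields "null" here and is rejected before the comparison.
  got=$(printf '%s' "$response" | jq -r '.check')
  case "$got" in
    true|false) ;;
    *)
      printf 'probe: %s ERROR (check is not a boolean: %s)\n' "$name" "$got" >&2
      exit 2
      ;;
  esac

  if [ "$got" = "$expect" ]; then
    printf 'probe: %s OK (check=%s)\n' "$name" "$got"
  else
    printf 'probe: %s FAIL (check=%s; expected=%s)\n' "$name" "$got" "$expect"
    exit 1
  fi
}

# Three scenarios on the seeded directory:
# 1. Alice is a steward on the document, so read should be permitted.
# 2. Bob is a member of reader:platform-architecture, which is the
#    reader on the document via subject_relation=member, so read should
#    be permitted via the reader|group#member union in the manifest.
# 3. Eve has no relation to the document, so read should be denied.
check "steward-allow" "alice@example.test" "document:internal-note" "read" "true"
check "reader-allow" "bob@example.test" "document:internal-note" "read" "true"
check "outsider-deny" "eve@example.test" "document:internal-note" "read" "false"

printf 'probe: all checks passed\n'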