coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
12c4bed6f4309d0e423b1fdc498ebbed35e2e2ec
flex-auth/docs/markitect-integration-flow.md
tegwick 184ce5a380
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
Document Markitect integration flow
2026-05-17 06:41:07 +02:00

120 lines
4.3 KiB
Markdown
Raw Blame History

# Markitect Integration Flow
This document describes how Markitect should use flex-auth as its first
protected-system consumer integration.
## 1. Publish Resources
Markitect emits a `FlexAuthResourceManifest` for each knowledge base or
resource slice it wants flex-auth to authorize. The emitted manifest should use
the namespace in `docs/markitect-resource-namespace.md` and include:
- stable resource ids such as `document:internal-note`
- resource type and parent links
- path, labels, trust zone, owner, and durable backend metadata
- `metadata.flex_auth_contract: resource-registration-v0`
- `caring_profile: caring-0.4.0-rc2` when the emitter can provide it
flex-auth imports the manifest through `internal/markitect.ImportResourceManifest`.
The importer enriches resources with CARING scope and plane classification and
returns diagnostics when a resource type, trust zone, label set, or CARING
profile is missing or ambiguous.
## 2. Submit Check Requests
For one resource, Markitect submits `CheckRequest`:
```text
subject + action + resource + context + optional caring_context
```
For repeated checks, Markitect submits `BatchCheckRequest` with the same
subject/action/context and a resource list. Resource order is preserved in the
response.
Markitect should pass local frontmatter and backend metadata as resource
attributes when they affect policy:
- `labels`
- `trust_zone`
- `markitect_path`
- `frontmatter_visibility`
- `source_revision`
- `workflow_state`
- `freshness_seconds`
- `data_classes`
Subject roles and groups should be normalized into subject attributes or loaded
into the registry as subject/group/team manifests. CARING dimensions should be
attached as `caring_context` when Markitect already knows the intended
descriptor; otherwise flex-auth can derive descriptors from relationship facts.
## 3. Enforce Decisions
Markitect maps flex-auth decision envelopes into its gateway contract with
`internal/markitect.ToGatewayDecision`.
Expected effects:
- `allow`: render, answer, package, activate, export, or run workflow.
- `deny`: block the operation.
- `redact`: continue with returned obligations such as `mask_fields`.
- `audit_denied`: block or quarantine while preserving an audit-grade record.
Markitect should enforce obligations before exposing data. For example, a
`mask_fields` obligation must be applied before rendering or model use, and a
`record_context_activation` obligation must be logged when a context package is
activated.
## 4. Record Decision IDs
Every gateway operation should persist the flex-auth decision id alongside the
Markitect request id, workflow id, rendered artifact id, or export id.
At minimum, always record:
- denies
- redactions
- exports
- context package activations
- workflow runs
- support, break-glass, or other CARING exposure events
The local flex-auth JSONL log is suitable for local development. Markitect may
also write the same decision id into its own event log.
## 5. Explain Decisions
When users need an explanation, Markitect can call flex-auth `explain` or use
the decision id to retrieve the persisted envelope and project it with
`ToGatewayDecision`.
Explanations should preserve CARING language:
- subject relation and canonical role, for example `Customer Doer`
- scope, for example `Resource document:internal-note`
- plane, for example `Data`
- capability, for example `View` or `Export`
- exposure mode, for example `Masked`, `Plaintext`, or `Exportable`
- restrictions, conditions, and conformance findings
Example explanation:
```text
Customer Doer may View Data Plane resource document:internal-note because reader_group.
```
## Local Mapping Summary
| Markitect local concept | flex-auth field | CARING dimension |
| --- | --- | --- |
| frontmatter visibility | `resource.attributes.frontmatter_visibility` | Exposure mode hint |
| document labels | `resource.attributes.labels` | Scope and exposure hint |
| owner/steward | `resource.owner`, subject groups/roles | Canonical role and relation |
| workflow state | `resource.attributes.workflow_state`, request context | Lifecycle/condition hint |
| context freshness | `request.context.freshness_seconds` | Condition and conformance finding |
| export request | `action: export` | `Export` capability and `Exportable` exposure |
The examples in `examples/markitect/` are the executable contract fixtures for
this flow.
Reference in New Issue View Git Blame Copy Permalink