flex-auth/examples/caring/redact_policy_package.md
tegwick 18054bd160 (2026-05-17 06:05:18 +02:00): Add CARING examples and coverage

```yaml
---
id: markitect.documents.mask-pii
name: Markitect masked PII read
namespace: markitect:document
version: v1
status: draft
package: flexauth.markitect.redact
actions:
  - read
owner: team:project-reviewers
caring:
  profile: caring-0.4.0-rc2
  enforce: false
  canonical_roles:
    - Verifier
  organization_relations:
    - Customer
  scopes:
    - level: Resource
      id: document:alpha-plan
      tenant: tenant:alpha
  planes:
    - Data
  capabilities:
    - View
    - Mask
  exposure_modes:
    - Masked
  conditions:
    - Logged
  restrictions:
    - ExportBlocked
metadata:
  source: examples/caring/redact_policy_package.md
---
```

# Markitect Masked PII Read

This package returns a redaction decision when a verifier may inspect a document only through masked fields: a `read` of `document:alpha-plan` by a caller whose CARING descriptor carries the `Mask` capability and the `Masked` exposure mode yields effect `redact` with a `mask_fields` obligation for the `email` and `phone` fields. Any request the rule does not match falls through to the default decision, `deny` with reason `no_matching_rule`. The rule keys only on the action, the resource id, and the descriptor's capabilities and exposure modes; the subject, tenant, scope, conditions (`Logged`) and restrictions (`ExportBlocked`) present in the fixture are not evaluated by this rule.

## Rules

```rego
# Package name matches the frontmatter `package` field and the import in the test.
package flexauth.markitect.redact

import future.keywords.if
import future.keywords.in

# Fall-through: any request the rule below does not match is denied.
default decision := {"effect": "deny", "reason": "no_matching_rule"}

# A read of the alpha plan by a descriptor that holds the Mask capability and the
# Masked exposure mode is permitted, subject to an obligation to mask PII fields.
decision := {
  "effect": "redact",
  "reason": "masked_pii",
  "obligations": [{
    "type": "mask_fields",
    "parameters": {"fields": ["email", "phone"]}
  }]
} if {
  input.action == "read"
  input.resource.id == "document:alpha-plan"
  "Mask" in input.caring_context.capabilities
  "Masked" in input.caring_context.exposure_modes
}
```

## Tests

```rego
package flexauth.markitect.redact_test

import future.keywords.if
import data.flexauth.markitect.redact

# Positive path: a descriptor with Mask + Masked reading the alpha plan is redacted.
test_masked_reader_gets_redaction if {
  redact.decision.effect == "redact" with input as {
    "action": "read",
    "resource": {"id": "document:alpha-plan"},
    "caring_context": {
      "capabilities": ["View", "Mask"],
      "exposure_modes": ["Masked"]
    }
  }
}
```
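The page's test exercises only the positive path. The following tests are an added example, not part of the original package, and cover the fall-through behaviour a reviewer would want pinned down: each condition of the rule removed in turn must produce the default `deny`/`no_matching_rule` decision with no obligations, and the full fixture request (including subject, scope, conditions and restrictions, which the rule does not read) must still be redacted. The request object is constructed here to mirror `fixture:masked-pii-redact`; `document:beta-plan` and the `write` action are made-up values used only to drive the negative cases. The file belongs in the same `redact_test` package as the test above and runs with `opa test`.

```rego
# Added example tests for flexauth.markitect.redact (not part of the original page).
package flexauth.markitect.redact_test

import future.keywords.if
import data.flexauth.markitect.redact

# Constructed request mirroring fixture:masked-pii-redact. Fields the rule never
# reads (subject, scope, conditions, restrictions) are deliberately included.
fixture_request := {
  "action": "read",
  "subject": {"id": "user:bob", "type": "Human", "tenant": "tenant:alpha"},
  "resource": {"id": "document:alpha-plan", "type": "document", "tenant": "tenant:alpha"},
  "caring_context": {
    "profile": "caring-0.4.0-rc2",
    "canonical_role": "Verifier",
    "scope": {"level": "Resource", "id": "document:alpha-plan", "tenant": "tenant:alpha"},
    "planes": ["Data"],
    "capabilities": ["View", "Mask"],
    "exposure_modes": ["Masked"],
    "conditions": ["Logged"],
    "restrictions": ["ExportBlocked"]
  }
}

# The default decision the rule must fall back to for anything it does not match.
default_decision := {"effect": "deny", "reason": "no_matching_rule"}

# Full fixture request: the decision matches the fixture's `expect` block exactly,
# including the obligation contract, not just the effect.
test_fixture_request_matches_expect if {
  d := redact.decision with input as fixture_request
  d.effect == "redact"
  d.reason == "masked_pii"
  count(d.obligations) == 1
  d.obligations[0].type == "mask_fields"
  d.obligations[0].parameters.fields == ["email", "phone"]
}

# Dropping the Mask capability (View only) falls through to the default deny.
test_view_only_reader_is_denied if {
  patched := json.patch(fixture_request, [{
    "op": "replace", "path": "/caring_context/capabilities", "value": ["View"]
  }])
  d := redact.decision with input as patched
  d == default_decision
  not d.obligations
}

# Having Mask but no Masked exposure mode is not enough.
test_unmasked_exposure_is_denied if {
  patched := json.patch(fixture_request, [{
    "op": "replace", "path": "/caring_context/exposure_modes", "value": ["Full"]
  }])
  d := redact.decision with input as patched
  d == default_decision
}

# The rule is pinned to document:alpha-plan; another document id is denied.
test_other_document_is_denied if {
  patched := json.patch(fixture_request, [{
    "op": "replace", "path": "/resource/id", "value": "document:beta-plan"
  }])
  d := redact.decision with input as patched
  d == default_decision
}

# Only the read action is covered; a write with the same descriptor is denied.
test_write_action_is_denied if {
  patched := json.patch(fixture_request, [{
    "op": "replace", "path": "/action", "value": "write"
  }])
  d := redact.decision with input as patched
  d == default_decision
}
```

The `test_fixture_request_matches_expect` case is the one that ties the Rego package to the YAML fixture: if the obligation shape or the masked field list drifts, this test fails before the fixture runner does. The negative cases rely on `json.patch` so each test changes exactly one field of the shared request and the reader can see which rule condition is being exercised.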

## Fixtures

```yaml
id: fixture:masked-pii-redact
request:
  id: check:masked-pii
  subject:
    id: user:bob
    type: Human
    tenant: tenant:alpha
  action: read
  resource:
    id: document:alpha-plan
    type: document
    system: markitect-tool
    tenant: tenant:alpha
  caring_context:
    id: descriptor:tenant-alpha-masked-pii-reviewer
    profile: caring-0.4.0-rc2
    subject_type: Human
    organization_relation: Customer
    canonical_role: Verifier
    scope:
      level: Resource
      id: document:alpha-plan
      tenant: tenant:alpha
      resource: document:alpha-plan
    planes:
      - Data
    capabilities:
      - View
      - Mask
    exposure_modes:
      - Masked
    conditions:
      - Logged
    restrictions:
      - ExportBlocked
expect:
  effect: redact
  reason: masked_pii
  obligations:
    - type: mask_fields
      parameters:
        fields:
          - email
          - phone
```