coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3c4f8fc2b44da625e18ee2ba32e724c3c19f8284
flex-auth/examples/topaz/manifest.yaml
tegwick 82177d88a9 Topaz alignment spike — mapping doc + green e2e example 
Closes FLEX-WP-0005 T04. Validates ADR-003's commitment to shape the
standalone core for cheap Topaz adapter work.

Spike output:
- docs/topaz-mapping-spike.md — vocabulary map (subject, group, tenant,
  knowledge_base, document, plus parent / owner_team / reader / steward /
  member relations), Rego module shape, decision envelope, wire-protocol
  ranking (gRPC primary, REST fallback, embedding rejected), schema
  restatement recommendation, implications for FLEX-WP-0002 / 0004.
- examples/topaz/ — runnable docker-compose deploying Topaz with the
  flex-auth-shaped manifest. seed and probe one-shots cover three
  scenarios: alice (steward) allow, bob (group→reader) allow, eve
  (outsider) deny. End-to-end green on 2026-05-16:

    probe: steward-allow OK (check=true)
    probe: reader-allow  OK (check=true)
    probe: outsider-deny OK (check=false)
    probe: all checks passed

Key findings recorded as Implementation Notes in the spike doc:
- Rego input contract bridging (Topaz raw shape ↔ flex-auth canonical
  shape) is adapter scope, not core scope.
- Topaz identity objects are a Topaz convention; the adapter
  materializes them at directory import time.
- Directory-only permission resolution is sufficient for the common
  case; Rego is reserved for context-dependent decisions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 09:04:42 +02:00

50 lines
1.2 KiB
YAML
Raw Blame History

# Topaz v3 manifest for the flex-auth alignment spike.
#
# Mirrors flex-auth's canonical resource/subject/group/relation
# vocabulary, scoped to the subset the Markitect internal-document
# fixture exercises. Reference: docs/topaz-mapping-spike.md.
#
# Notes on Topaz syntax:
# - relations: union types only ( | ) and group-member shorthand ( # ).
# - permissions: also support the parent-walk operator ( -> ).
# yaml-language-server: $schema=https://www.topaz.sh/schema/manifest.json
---
model:
version: 3
types:
user:
relations:
manager: user
group:
relations:
member: user | group#member
tenant:
relations:
member: user | group#member
knowledge_base:
relations:
tenant: tenant
owner_team: group
reader: user | group#member
steward: user | group#member
permissions:
read: reader | steward
admin: steward
document:
relations:
parent: knowledge_base
owner_team: group
reader: user | group#member
steward: user | group#member
permissions:
read: reader | steward | parent->read
query: reader | steward | parent->read
search: reader | steward | parent->read
export: steward
admin: steward | parent->admin
Reference in New Issue View Git Blame Copy Permalink