CMIS compliance/test foundation

This commit is contained in:
2026-05-07 00:35:33 +02:00
parent 28420c68d1
commit 241522e74d
14 changed files with 1080 additions and 12 deletions

View File

@@ -2,7 +2,7 @@
Date: 2026-05-06
Status: planned test foundation for CMIS access-point work.
Status: initial test foundation established for CMIS access-point work.
## Purpose
@@ -17,9 +17,9 @@ harness.
Planned harness shape:
- `tests/cmis/examples/` contains deterministic fixture descriptions grouped by
CMIS service capability.
- `tests/cmis/test_cmis_contract_examples.py` validates mapper and profile
- `examples/cmis/` contains deterministic fixture descriptions grouped by CMIS
service capability.
- `tests/cmis/test_cmis_contract_examples.py` validates fixture and profile
behavior without external Java dependencies.
- `tests/cmis/opencmis-tck/` contains optional harness config, Maven
invocation notes, and selected TCK group mapping.
@@ -188,3 +188,10 @@ Validates:
No current OASIS certification service was identified during planning. The
practical reusable foundation is OpenCMIS TCK/Workbench, plus our own
capability-profile contract tests.
## Established Artifacts
- `examples/cmis/capability-fixtures.json`
- `tests/cmis/test_cmis_contract_examples.py`
- `tests/cmis/opencmis-tck/README.md`
- `docs/cmis-readiness-gate.md`

View File

@@ -0,0 +1,48 @@
# CMIS Profiled Access Points Implementation
Date: 2026-05-06
Status: first implementation slice started.
## Implemented Slice
`src/kontextual_engine/core/cmis.py` defines the CMIS profile and access-point
boundary used by the future API adapter:
- `CMISBinding`
- `CMISCapability`
- `CMISAction`
- `CMISAccessProfile`
- `CMISAccessPoint`
The layer is intentionally small. It decides whether a CMIS action is allowed
for a profile and whether an engine asset may be exposed through an access
point. It does not implement CMIS routes and does not duplicate asset storage,
metadata, relationship, policy, or audit services.
## Built-In Profiles
- `readonly-browser`: Browser Binding read profile over public/internal assets.
- `governed-authoring`: Browser Binding profile with selected create/update
and content stream mutations.
- `admin-export`: service-account-only export profile with broad visibility.
- `compat-tck`: Browser Binding profile intended for selected OpenCMIS TCK
compatibility tests.
## Enforcement Boundary
Profiles can restrict exposure by:
- CMIS capability,
- mutation allowance,
- actor type,
- sensitivity,
- asset type,
- topic,
- source system,
- metadata deny rules.
Decisions return existing `PolicyDecision` objects so later CMIS routes can
emit compatible diagnostics and audit records without inventing another policy
model.

View File

@@ -0,0 +1,37 @@
# CMIS Implementation Readiness Gate
Date: 2026-05-06
Status: ready for `KONT-WP-0012` implementation planning.
## Required Before Implementation
- CMIS target version is fixed at OASIS CMIS 1.1.
- Browser Binding is the first implementation target.
- AtomPub and Web Services bindings are explicitly deferred.
- Capability examples are grouped in `examples/cmis/capability-fixtures.json`.
- Internal fixture contract tests validate profile expectations.
- OpenCMIS TCK is documented as an optional external harness.
- The first implementation profile is constrained to profile-scoped Browser
Binding behavior rather than full CMIS certification claims.
## First Implementation Slice
Implement the profile and mapper layer before routes:
1. Profile model and access-point configuration.
2. CMIS object/type/capability projection over existing engine services.
3. Profile-scoped visibility denial and mutation policy.
4. Browser Binding read routes.
5. Governed mutation routes.
6. Optional OpenCMIS TCK compatibility profile.
## Non-Goals For The First Slice
- Full AtomPub support.
- Full SOAP/Web Services support.
- Full CMIS SQL grammar.
- Full private-working-copy versioning semantics.
- Legal hold or retention mutation semantics.
- General-purpose CMIS certification claim.