CMIS layer into an honest CMIS 1.1

docs/cmis-compliance-assessment.md

@@ -1,8 +1,9 @@
 # CMIS Compliance Assessment
 
-Date: 2026-05-06
+Date: 2026-05-07
 
-Status: planning baseline for CMIS compliance and access-point implementation.
+Status: Browser Binding subset implemented with conservative CMIS capability
+flags and explicit unsupported diagnostics.
 
 ## Reference Standard
 
@@ -42,35 +43,36 @@ Practical strategy:
 
 | CMIS capability | Current engine availability | Gap | Demand |
 | --- | --- | --- | --- |
-| Repository service | Service health/version, runtime repository state, capability catalogs. | Need CMIS repository info, repository IDs, root folder IDs, capability flags, type summaries. | Low |
-| Type definitions | Asset classifications, metadata schemas, relationship target kinds. | Need CMIS base types, property definitions, type mutability flags, secondary type projection. | Medium |
-| Navigation service | Relationships and context graph exist, but no folder tree model. | Need root folder, folder children, descendants/tree, parent relationships, path semantics. | High |
-| Object service read | Assets, metadata, representations, content refs, audit, versions exist. | Need CMIS object envelopes, allowable actions, path/object-id lookup, property filters, rendition/content stream response shape. | Medium |
-| Object service write | Asset create, metadata add, lifecycle transition, relationship create, ingestion. | Need createDocument/createFolder/updateProperties/deleteObject/moveObject mapping and CMIS change tokens. | High |
-| Content streams | Source, normalized, derived representations store content hashes and storage refs. | Need getContentStream/setContentStream/deleteContentStream/appendContentStream semantics and streaming endpoints. | Medium-High |
-| Versioning | Asset versions and transformation/workflow lineage exist. | Need CMIS checkout, PWC, checkin, cancelCheckout, version series semantics, latest/major flags. | High |
-| Discovery/query | Governed retrieval, lexical search, filters, relationships. | Need CMIS SQL-like query grammar or supported subset, query result shape, joins/capability flags. | High |
-| Relationships | Core relationships exist. | Need CMIS relationship object mapping and relationship type capability exposure. | Medium |
-| ACL service | Policy gateway and authorization decisions exist. | Need CMIS ACL model, principals, direct/inherited ACEs, applyACL, exact capability flags. | High |
-| Policy service | Policy decisions and governance reports exist. | Need CMIS policy objects/applyPolicy/removePolicy/getAppliedPolicies mapping or explicit unsupported profile. | Medium |
-| Change log | Audit events and correlation IDs exist. | Need CMIS change events, change tokens, object change entries, paging. | Medium |
-| Multi-filing/unfiling | Not modeled directly. | Need folder membership model or profile-level unsupported flags. | High if full support, Low if unsupported |
-| Renditions | Representations exist, no rendition taxonomy. | Need rendition metadata and stream mapping for thumbnails/previews. | Medium |
-| Retention and hold | Metadata/governance hooks exist, no first-class legal hold model. | Need retention/hold capabilities, apply/remove hold, retention date semantics. | High for full support |
-| Bulk update | Metadata update pathways exist. | Need bulkUpdateProperties semantics, partial failure reporting, change tokens. | Medium |
+| Repository service | Implemented. | Repository info includes CMIS 1.1 identity, complete conservative optional capability flags, repository features, and unsupported feature diagnostics. | Low |
+| Type definitions | Implemented subset. | Base type projections exist; type mutability, CMIS versioning, folder ACL control, and non-document querying are explicitly not advertised. | Low |
+| Navigation service | Implemented subset. | `getChildren` and projected parents are supported. `getDescendants`, `getFolderTree`, mutating multifiling, and unfiling are explicitly flagged unsupported. | Low unless full folder tree is required |
+| Object service read | Implemented subset. | Object envelopes, allowable actions, content stream descriptors, content stream properties, visibility redaction, and relationship IDs are covered. | Low |
+| Object service write | Governed subset. | `createDocument`, custom metadata updates, `setContentStream`, and delete-request lifecycle transition are supported by authoring profiles. Unsupported standard property updates now fail with diagnostics. | Medium |
+| Content streams | Implemented subset. | Descriptor and byte-stream routes exist; `setContentStream` writes through deduplicating blob storage. Append/delete content stream are unsupported. | Low |
+| Versioning | Projection only. | Latest-version properties can be projected from engine versions, but CMIS checkout/PWC/all-versions services are not advertised. | Low if unsupported remains acceptable |
+| Discovery/query | Implemented narrow subset. | `SELECT * FROM cmis:document` and `SELECT * FROM kontextual:document` are supported. Joins, order-by, full CMIS SQL predicates, and full-text are flagged unsupported. | Medium |
+| Relationships | Implemented subset. | Relationship object projections and source filters are covered and profile-gated. | Low |
+| ACL service | Discover only. | ACL projection is supported; `applyACL` is not authorized even for authoring profiles and returns an unimplemented diagnostic. | Low |
+| Policy service | Unsupported. | `applyPolicy`/`removePolicy` are explicitly unsupported; engine policy remains native, not CMIS policy objects. | Low |
+| Change log | Implemented subset. | Audit-backed object-id change entries and paging are supported; full property-level change details are not advertised. | Low |
+| Multi-filing/unfiling | Projection only. | Multiple virtual parents are exposed as a Kontextual repository feature, while CMIS `capabilityMultifiling` and unfiling stay false. | Low |
+| Renditions | Unsupported. | Capability is `none`; derived representations are not exposed as CMIS rendition streams. | Low |
+| Retention and hold | Unsupported. | Not advertised; left as native governance metadata until a real integration requires CMIS legal-hold semantics. | Low |
+| Bulk update | Unsupported. | `bulkUpdateProperties` is explicitly unsupported. | Low |
 | Browser JSON binding | FastAPI JSON service already exists. | Need CMIS Browser Binding routes, selectors/actions, multipart/content stream behavior. | High |
 | AtomPub binding | No AtomPub/XML binding. | Need XML/Atom feed generation and protocol semantics. | Very High |
 | Web Services binding | No SOAP stack. | Need WSDL/SOAP implementation. | Very High |
 
 ## Recommended Compliance Profile Strategy
 
-Start with a constrained CMIS 1.1 Browser Binding profile:
+Maintain a constrained CMIS 1.1 Browser Binding profile:
 
 - Repository, type, object read, content stream read, query subset,
   relationships, change log, and navigation over a synthetic root/folder
   projection.
-- Explicitly unsupported or read-only: AtomPub, Web Services, full ACL mutation,
-  retention/hold, multifiling/unfiling, and full CMIS SQL joins.
+- Explicitly unsupported or read-only: AtomPub, Web Services, descendants/tree,
+  full ACL mutation, retention/hold, mutating multifiling/unfiling, PWC/versioning
+  services, renditions, bulk updates, order-by, and full CMIS SQL joins.
 
 Then expand by profile:
 
@@ -83,11 +85,12 @@ Then expand by profile:
 
 ## Risk Summary
 
-The engine already has strong foundations for asset identity, metadata,
-representations, relationships, versions, audit, policy, retrieval, and
-service APIs. The hard parts are not storage; they are CMIS protocol semantics:
-folder/path behavior, versioning/PWC semantics, CMIS query grammar, ACL shape,
-content stream actions, and binding-specific compatibility.
+The engine has a sound Browser Binding subset so long as clients trust the
+advertised capabilities instead of assuming broad ECM behavior. The remaining
+hard parts are optional CMIS semantics that we intentionally do not advertise:
+folder tree/descendant services, mutating filing services, PWC/versioning
+services, broad query grammar, ACL mutation, renditions, retention/hold, and
+legacy bindings.
 
 Best estimate:
 

docs/cmis-compliance-test-foundation.md

@@ -2,7 +2,7 @@
 
 Date: 2026-05-06
 
-Status: initial test foundation established for CMIS access-point work.
+Status: active fixture foundation with conservative capability-flag tests.
 
 ## Purpose
 
@@ -57,7 +57,9 @@ Validates:
 
 - root folder children,
 - folder path lookup,
-- getChildren/getDescendants/getFolderTree,
+- getChildren,
+- projection-only parent folders,
+- explicit unsupported flags for getDescendants and getFolderTree,
 - profile restrictions on folder visibility.
 
 ### Object And Content Stream Service
@@ -91,8 +93,8 @@ Validates:
 
 - version series projection,
 - latest version flags,
-- checkout/checkin unsupported or supported per profile,
-- version history listing.
+- checkout/checkin/PWC unsupported diagnostics,
+- all-versions search unsupported flags.
 
 ### Discovery Query Service
 
@@ -108,7 +110,7 @@ Validates:
 - query capability flags,
 - supported subset behavior,
 - paging,
-- error diagnostics for unsupported grammar.
+- error diagnostics for unsupported grammar, joins, and ordering.
 
 ### Relationship Service
 
@@ -138,7 +140,7 @@ Validates:
 
 - allowable actions,
 - ACL projection,
-- applyACL/applyPolicy supported or unsupported by profile,
+- applyACL/applyPolicy unsupported diagnostics,
 - no protected metadata leakage on denial.
 
 ### Change Log Events
@@ -171,7 +173,7 @@ Fixtures:
 Validates:
 
 - explicit capability flags,
-- supported subset behavior,
+- unsupported capability diagnostics,
 - structured unsupported-operation diagnostics.
 
 ## Capability Profile Test Matrix

docs/cmis-deployment-compatibility.md

@@ -2,7 +2,8 @@
 
 Date: 2026-05-07
 
-Status: Browser Binding MVP implemented with profiled access points.
+Status: Browser Binding subset implemented with profiled access points,
+conservative capability flags, and explicit unsupported diagnostics.
 
 ## Endpoint Setup
 
@@ -62,7 +63,9 @@ Actor context is passed through the existing service headers, especially:
 | Browser Binding repository info | yes | yes | yes | yes |
 | Type definitions | yes | yes | yes | yes |
 | Synthetic navigation | yes | yes | yes | yes |
-| Projection-only multifiling | yes | yes | yes | yes |
+| Projection-only parent maps | yes | yes | yes | yes |
+| CMIS `capabilityMultifiling` | no | no | no | no |
+| Descendants/folder tree services | no | no | no | no |
 | Object reads | yes | yes | yes | yes |
 | Content stream descriptors | yes | yes | yes | yes |
 | ACL projection | discover | discover | discover | discover |
@@ -70,7 +73,7 @@ Actor context is passed through the existing service headers, especially:
 | Change log projection | yes | yes | yes | yes |
 | Query subset | document select only | document select only | document select only | document select only |
 | Create document | no | yes | no | yes |
-| Update properties | no | yes | no | yes |
+| Update properties | no | custom metadata only | no | custom metadata only |
 | Set content stream | no | yes | no | yes |
 | Delete object | no | delete-request lifecycle transition | no | delete-request lifecycle transition |
 | Confidential/restricted visibility | hidden | hidden | service-account visible | hidden |
@@ -104,6 +107,7 @@ It is not yet suitable for clients that require:
 
 - AtomPub,
 - SOAP/Web Services,
+- `getDescendants` or `getFolderTree`,
 - full CMIS SQL,
 - mutating multifiling/unfiling,
 - private-working-copy semantics,
@@ -111,7 +115,7 @@ It is not yet suitable for clients that require:
 - rendition streams,
 - bulk update properties,
 - apply/remove policy,
-- strict byte-stream download semantics instead of content stream descriptors.
+- standard CMIS property mutation beyond `kontextual:metadata:<key>`.
 
 ## Optional OpenCMIS TCK
 
@@ -134,13 +138,15 @@ capability groups before treating them as implementation bugs.
 ## Operational Notes
 
 - Hidden objects should be treated as not found by CMIS clients.
-- Multifiling is projection-only: assets may appear under multiple derived
-  folder paths without changing canonical asset identity.
+- Multiple parent folders are projection-only: assets may appear under several
+  derived folder paths without changing canonical asset identity. The standard
+  CMIS multifiling capability is advertised as unsupported because no
+  add/remove filing mutation service is exposed.
 - Relationship and change-log responses are filtered through the same visibility
   gates as object reads.
 - Mutations always pass through engine services and produce normal engine audit
   events.
-- Delete is currently a governed lifecycle transition to `delete_requested`,
-  not physical removal.
+- Delete is a governed lifecycle transition to `delete_requested`; after the
+  transition the object is no longer exposed through CMIS reads.
 - Compatibility should be discussed per profile and per client rather than as a
   repo-wide binary property.

docs/cmis-profiled-access-points-implementation.md

@@ -2,7 +2,7 @@
 
 Date: 2026-05-06
 
-Status: Browser Binding MVP implemented.
+Status: Browser Binding subset implemented and capability-hardened.
 
 ## Implemented Slice
 
@@ -61,6 +61,11 @@ model.
 - relationship primitives as CMIS relationship objects,
 - profile-derived allowable actions.
 
+Repository info now uses conservative standard CMIS flags: optional services we
+do not implement are advertised as `false` or `none`, while Kontextual-specific
+projection behavior is exposed through repository feature metadata and an
+unsupported-feature catalog.
+
 The mapper returns `None` for assets or relationships that the access-point
 profile must not expose. It does not fetch from repositories directly; callers
 provide the asset, representations, versions, metadata records, and
@@ -105,6 +110,10 @@ These routes delegate to existing engine services:
 Read-only profiles reject the same mutations with CMIS-shaped authorization
 diagnostics before touching engine services.
 
+The authoring slice intentionally supports only `kontextual:metadata:<key>`
+property updates. Attempts to update standard `cmis:*` properties return
+structured validation diagnostics instead of being silently ignored.
+
 ## ACL And Redaction Slice
 
 The Browser Binding adapter now projects profile-derived ACLs through
@@ -122,7 +131,7 @@ asset IDs through relationship targets or audit-backed change entries.
 
 ## Projection-Only Multifiling
 
-CMIS navigation now supports projection-only multifiling. The same asset can be
+CMIS navigation now supports projection-only parent maps. The same asset can be
 listed under several derived folder paths, including source system, topics,
 owner, lifecycle, and asset type. These folders are navigation projections; they
 do not duplicate assets and do not become canonical storage locations.
@@ -131,6 +140,10 @@ do not duplicate assets and do not become canonical storage locations.
 parent folders for one asset. `GET /cmis/{access_point_id}/browser/children`
 supports folder-scoped navigation through those projected paths.
 
+The standard CMIS `capabilityMultifiling` flag remains `false` because the
+engine does not expose mutating filing services such as `addObjectToFolder` or
+`removeObjectFromFolder`.
+
 ## Fixture And Optional TCK Integration
 
 CMIS fixtures now act as active compatibility contracts: