kontextual-engine/docs/cmis-profiled-access-points-implementation.md

CMIS Profiled Access Points Implementation

Date: 2026-05-06

Status: first implementation slice started.

Implemented Slice

src/kontextual_engine/core/cmis.py defines the CMIS profile and access-point boundary used by the future API adapter:

• CMISBinding
• CMISCapability
• CMISAction
• CMISAccessProfile
• CMISAccessPoint

The layer is intentionally small. It decides whether a CMIS action is allowed for a profile and whether an engine asset may be exposed through an access point. It does not implement CMIS routes and does not duplicate asset storage, metadata, relationship, policy, or audit services.

Built-In Profiles

• readonly-browser: Browser Binding read profile over public/internal assets.
• governed-authoring: Browser Binding profile with selected create/update and content stream mutations.
• admin-export: service-account-only export profile with broad visibility.
• compat-tck: Browser Binding profile intended for selected OpenCMIS TCK compatibility tests.

Enforcement Boundary

Profiles can restrict exposure by:

• CMIS capability,
• mutation allowance,
• actor type,
• sensitivity,
• asset type,
• topic,
• source system,
• metadata deny rules.

Decisions return existing PolicyDecision objects so later CMIS routes can emit compatible diagnostics and audit records without inventing another policy model.