6.4 KiB
CMIS Compliance Assessment
Date: 2026-05-06
Status: planning baseline for CMIS compliance and access-point implementation.
Reference Standard
Target CMIS version: OASIS Content Management Interoperability Services Version 1.1, OASIS Standard, approved 23 May 2013, including approved errata where applicable.
CMIS defines a domain model plus Web Services, AtomPub, and Browser JSON bindings for one or more content repositories. The standard explicitly allows a CMIS endpoint to expose more than one repository and does not require every underlying content-management feature to be represented through CMIS.
Reusable Validation Foundation
Primary reusable validation candidate: Apache Chemistry OpenCMIS TCK and CMIS Workbench.
OpenCMIS provides client libraries, server frameworks, development tools,
InMemory/FileShare reference repositories, and TCK artifacts. The project pages
now indicate the project is retired, so we should treat OpenCMIS as a legacy
compatibility validation tool rather than a moving dependency. The Maven
artifact org.apache.chemistry.opencmis:chemistry-opencmis-test-tck:1.1.0
remains available and should be used as the first external conformance harness.
Practical strategy:
- Build local, deterministic example fixtures grouped by CMIS service capability.
- Build internal contract tests that validate our mapper and profile behavior without Java tooling.
- Add an optional external TCK harness that can run OpenCMIS TCK against a running CMIS access point when Java/Maven are available.
- Keep TCK execution optional in the default Python suite to avoid turning the engine into a Java project.
Capability Assessment
| CMIS capability | Current engine availability | Gap | Demand |
|---|---|---|---|
| Repository service | Service health/version, runtime repository state, capability catalogs. | Need CMIS repository info, repository IDs, root folder IDs, capability flags, type summaries. | Low |
| Type definitions | Asset classifications, metadata schemas, relationship target kinds. | Need CMIS base types, property definitions, type mutability flags, secondary type projection. | Medium |
| Navigation service | Relationships and context graph exist, but no folder tree model. | Need root folder, folder children, descendants/tree, parent relationships, path semantics. | High |
| Object service read | Assets, metadata, representations, content refs, audit, versions exist. | Need CMIS object envelopes, allowable actions, path/object-id lookup, property filters, rendition/content stream response shape. | Medium |
| Object service write | Asset create, metadata add, lifecycle transition, relationship create, ingestion. | Need createDocument/createFolder/updateProperties/deleteObject/moveObject mapping and CMIS change tokens. | High |
| Content streams | Source, normalized, derived representations store content hashes and storage refs. | Need getContentStream/setContentStream/deleteContentStream/appendContentStream semantics and streaming endpoints. | Medium-High |
| Versioning | Asset versions and transformation/workflow lineage exist. | Need CMIS checkout, PWC, checkin, cancelCheckout, version series semantics, latest/major flags. | High |
| Discovery/query | Governed retrieval, lexical search, filters, relationships. | Need CMIS SQL-like query grammar or supported subset, query result shape, joins/capability flags. | High |
| Relationships | Core relationships exist. | Need CMIS relationship object mapping and relationship type capability exposure. | Medium |
| ACL service | Policy gateway and authorization decisions exist. | Need CMIS ACL model, principals, direct/inherited ACEs, applyACL, exact capability flags. | High |
| Policy service | Policy decisions and governance reports exist. | Need CMIS policy objects/applyPolicy/removePolicy/getAppliedPolicies mapping or explicit unsupported profile. | Medium |
| Change log | Audit events and correlation IDs exist. | Need CMIS change events, change tokens, object change entries, paging. | Medium |
| Multi-filing/unfiling | Not modeled directly. | Need folder membership model or profile-level unsupported flags. | High if full support, Low if unsupported |
| Renditions | Representations exist, no rendition taxonomy. | Need rendition metadata and stream mapping for thumbnails/previews. | Medium |
| Retention and hold | Metadata/governance hooks exist, no first-class legal hold model. | Need retention/hold capabilities, apply/remove hold, retention date semantics. | High for full support |
| Bulk update | Metadata update pathways exist. | Need bulkUpdateProperties semantics, partial failure reporting, change tokens. | Medium |
| Browser JSON binding | FastAPI JSON service already exists. | Need CMIS Browser Binding routes, selectors/actions, multipart/content stream behavior. | High |
| AtomPub binding | No AtomPub/XML binding. | Need XML/Atom feed generation and protocol semantics. | Very High |
| Web Services binding | No SOAP stack. | Need WSDL/SOAP implementation. | Very High |
Recommended Compliance Profile Strategy
Start with a constrained CMIS 1.1 Browser Binding profile:
- Repository, type, object read, content stream read, query subset, relationships, change log, and navigation over a synthetic root/folder projection.
- Explicitly unsupported or read-only: AtomPub, Web Services, full ACL mutation, retention/hold, multifiling/unfiling, and full CMIS SQL joins.
Then expand by profile:
readonly-browser: safe read-only repository and content access.governed-authoring: selected object creation/update/content stream changes through engine policy and audit.admin-export: broad export and governance inspection, restricted to service accounts.compat-tck: profile tuned to pass a selected OpenCMIS TCK capability subset.
Risk Summary
The engine already has strong foundations for asset identity, metadata, representations, relationships, versions, audit, policy, retrieval, and service APIs. The hard parts are not storage; they are CMIS protocol semantics: folder/path behavior, versioning/PWC semantics, CMIS query grammar, ACL shape, content stream actions, and binding-specific compatibility.
Best estimate:
- Internal mapper and examples: moderate.
- Browser Binding MVP profile: medium-high.
- TCK subset harness: medium.
- Broad CMIS 1.1 Browser compliance: high.
- AtomPub and Web Services compliance: very high and probably not justified until a real client demands those bindings.