| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| KONT-WP-0012 | workplan | CMIS Profiled Access Points Implementation | markitect | kontextual-engine | active | codex | markitect | high | 12 | 2026-05-06 | 2026-05-06 | d538d68f-17a8-401f-9cdc-d526dd734ddc |
KONT-WP-0012: CMIS Profiled Access Points Implementation
Purpose
Implement a CMIS API extension for kontextual-engine that can expose multiple
CMIS access points. Each access point has a profile that regulates which CMIS
capabilities are available, which data is visible, which mutations are allowed,
and which data must never be exposed.
Requirement
It must be possible to allow and expose multiple CMIS access points with different profiles that regulate:
- which subset of CMIS capabilities is provided on the access point,
- which engine data is accessible using the access point,
- which data must not be exposed through the access point.
Dependency
Implementation must begin after the assessment, examples, and test foundation
from KONT-WP-0011 are sufficient to define the first profile and regression
suite.
Implementation Notes
- docs/cmis-profiled-access-points-implementation.md
- src/kontextual_engine/core/cmis.py
- tests/cmis/test_cmis_access_profiles.py
- tests/cmis/test_cmis_domain_mapper.py
- tests/cmis/test_cmis_runtime_browser_binding.py
- tests/cmis/test_cmis_browser_binding_api.py
Architecture Constraint
CMIS routes are adapters over engine services and policy gates. They must not
become a second domain model. Every CMIS access point resolves an
OperationContext, applies profile rules, authorizes exposure/mutation, and
emits audit events.
D12.1 - Define CMIS profile and access-point model
id: KONT-WP-0012-T001
status: done
priority: high
state_hub_task_id: "031c3ce5-bb56-41fb-a014-6a496c280d20"
Acceptance:
- Access-point config includes ID, repository ID, profile name, binding, capability flags, visibility scope, deny rules, mutation policy, and actor context requirements.
- Profiles support read-only, governed authoring, admin/export, and TCK compatibility variants.
- Profile matching is deterministic and auditable.
D12.2 - Implement CMIS domain mapper
id: KONT-WP-0012-T002
status: done
priority: high
state_hub_task_id: "a4c44471-22a9-40d9-9821-4b78e5ba9360"
Acceptance:
- Engine assets map to CMIS documents/items.
- Synthetic folders, paths, object IDs, properties, content streams, relationships, versions, allowable actions, and change tokens are mapped.
- Unsupported CMIS features are represented by correct capability flags and structured errors.
D12.3 - Implement Browser Binding MVP access point
id: KONT-WP-0012-T003
status: done
priority: high
state_hub_task_id: "b9f5d790-f291-4613-89da-5d47e7887a9e"
Acceptance:
- Browser Binding routes expose repository info, types, navigation, object read, content stream read, query subset, relationships, and change log.
- Route behavior is profile-scoped.
- Responses match CMIS Browser Binding expectations for the supported subset.
D12.4 - Implement governed authoring operations
id: KONT-WP-0012-T004
status: done
priority: high
state_hub_task_id: "49716ca7-6a10-43ac-8ac5-ffa1c15b048e"
Acceptance:
- Supported create/update/delete/content stream operations delegate through engine services.
- Mutations enforce policy, profile rules, version expectations, and audit.
- Read-only profiles reject mutations with CMIS-compatible diagnostics.
D12.5 - Implement profile-scoped ACL policy and redaction
id: KONT-WP-0012-T005
status: done
priority: high
state_hub_task_id: "64289d84-d7a2-4c03-8fa6-5f439bc233fe"
Acceptance:
- Access points can hide assets by classification, owner, topic, lifecycle, source system, metadata, actor, or policy decision.
- Denied data is omitted rather than partially leaked.
- ACL/allowable action projections reflect engine policy and profile rules.
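The sketch below is an added example, not code from kontextual-engine. It shows the gate behaviour D12.4 and D12.5 require: ordered deny rules, whole-object omission of denied assets, rejection of mutations on a read-only profile, and an audit record for every decision. All class, field and access-point names, the sample assets, and the choice of `permissionDenied` with HTTP 403 as the diagnostic are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Profile:                      # hypothetical model, not the engine's own
    name: str
    read_only: bool
    deny: tuple = ()                # ordered (field, value) deny rules

@dataclass
class AccessPoint:
    ap_id: str
    profile: Profile
    audit: list = field(default_factory=list)

    def _matched_rule(self, asset):
        # First match in declared order keeps the decision deterministic.
        for key, value in self.profile.deny:
            if asset.get(key) == value:
                return f"{key}={value}"
        return None

    def list_visible(self, actor, assets):
        visible = []
        for asset in assets:
            rule = self._matched_rule(asset)
            self.audit.append({"ap": self.ap_id, "actor": actor, "op": "read",
                               "object": asset["id"], "denied_by": rule})
            if rule is None:
                visible.append(dict(asset))   # whole object or nothing
        return visible

    def mutate(self, actor, op, object_id):
        denied = self.profile.read_only
        self.audit.append({"ap": self.ap_id, "actor": actor, "op": op,
                           "object": object_id,
                           "denied_by": "read_only" if denied else None})
        if denied:
            # Error body uses the Browser Binding exception/message shape;
            # the exception name chosen here is an assumption.
            return 403, {"exception": "permissionDenied",
                         "message": f"{op} not allowed on {self.profile.name}"}
        return 200, {"objectId": object_id}   # placeholder for the engine call

ASSETS = [  # constructed sample data
    {"id": "a1", "classification": "public", "owner": "alice"},
    {"id": "a2", "classification": "restricted", "owner": "bob"},
    {"id": "a3", "classification": "public", "owner": "mallory"},
]
READER = AccessPoint("ap-read", Profile("read-only", True,
                     (("classification", "restricted"), ("owner", "mallory"))))
```

A denied asset never reaches the response list, so the caller cannot infer its existence from a partially populated object, while the audit log still records which rule hid it.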
D12.6 - Integrate CMIS compliance fixtures and optional OpenCMIS TCK
id: KONT-WP-0012-T006
status: todo
priority: medium
state_hub_task_id: "2f1e9075-395e-4ed0-9abd-ed7c4ecd774d"
Acceptance:
- Internal CMIS tests run for every profile.
- Optional OpenCMIS TCK can target a running CMIS access point.
- TCK subset results are captured and mapped back to capability gaps.
D12.7 - Document deployment and compatibility posture
id: KONT-WP-0012-T007
status: todo
priority: medium
state_hub_task_id: "a1d28453-2ab7-4d18-8757-6f9ece1674b3"
Acceptance:
- CMIS endpoint setup is documented.
- Supported/unsupported CMIS capabilities are documented per profile.
- Browser Binding MVP, AtomPub/Web Services deferral, OpenCMIS TCK posture, and known client compatibility notes are explicit.
Definition Of Done
- Multiple CMIS access points can be configured and exposed.
- Each access point enforces profile-specific capability and data-visibility rules.
- Supported CMIS Browser Binding subset passes internal compliance tests.
- Optional OpenCMIS TCK harness can be run against a compatibility profile.
- `python3 -m pytest` passes.