generated from coulomb/repo-seed
Workplan dependencies and prio for text research lab workplans
105
workplans/MKTT-WP-0009-access-controlled-knowledge-gateway.md
Normal file
@@ -0,0 +1,105 @@
---
id: MKTT-WP-0009
type: workplan
title: "Access-Controlled Knowledge Gateway"
domain: markitect
status: todo
owner: markitect-tool
topic_slug: markitect
planning_priority: P2
planning_order: 80
depends_on_workplans:
- MKTT-WP-0006
created: "2026-05-03"
updated: "2026-05-03"
state_hub_workstream_id: "f36acbc9-881d-46f2-9181-67de228df0c2"
---
# MKTT-WP-0009: Access-Controlled Knowledge Gateway
## Purpose
Add a policy boundary for cached retrieval and context packages so Markitect can
support security-sensitive knowledge systems and agent workflows.
## P9.1 - Define access-control ladder
```task
id: MKTT-WP-0009-T001
status: todo
priority: high
state_hub_task_id: "acf240b4-7210-4ee5-90b6-2f2fe1438439"
```
Specify supported modes:
- labels and trust zones
- path/file ACLs
- relationship-based access control
- attribute/rule-based policies
- external policy engines
## P9.2 - Implement local label policy
```task
id: MKTT-WP-0009-T002
status: todo
priority: high
state_hub_task_id: "9eb589d2-82f2-4282-9af0-3958826d397d"
```
Start with local policy labels and diagnostics for denied or redacted results.
## P9.3 - Add policy-aware query filtering
```task
id: MKTT-WP-0009-T003
status: todo
priority: high
state_hub_task_id: "d78ab623-c472-4b24-ad84-08464b574886"
```
Ensure results are filtered before leaving the backend boundary. Result
metadata must report whether policy filtering occurred.
## P9.4 - Add relationship policy adapter design
```task
id: MKTT-WP-0009-T004
status: todo
priority: medium
state_hub_task_id: "bd4c2b7a-6eac-4845-b5c8-9f9c64946f0c"
```
Design an adapter boundary for Zanzibar/OpenFGA/SpiceDB-style relationship
checks without binding the core package to any one service.
## P9.5 - Add rule policy adapter design
```task
id: MKTT-WP-0009-T005
status: todo
priority: medium
state_hub_task_id: "752f1962-e83c-44cc-a1c1-0f89a4ea2a90"
```
Design an adapter boundary for OPA/Rego and Cedar-style rule policies.
## P9.6 - Add decision logs and explainability
```task
id: MKTT-WP-0009-T006
status: todo
priority: medium
state_hub_task_id: "990f01fa-5008-4871-a887-1c6ab4375605"
```
Record policy decisions with subject, action, object, context, decision,
reason, and provenance.
## Exit Criteria
- Local caches can operate in an explicit policy mode.
- Query and context package results are policy-aware.
- More rigid authorization engines can attach later without replacing the
query/cache framework.
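Review bot: P9.3 and the Exit Criteria never state what the gateway does when no policy is configured or when an external engine from P9.4/P9.5 is unreachable; since caches "can operate in an explicit policy mode", the unstated default reads as fail-open. Add a sentence under P9.3 or Exit Criteria along the lines of "If no policy decision can be obtained, the gateway returns no results (default deny) and records the failure as a decision in the P9.6 log." Second, the P9.3 rule that "Result metadata must report whether policy filtering occurred" together with the P9.2 "diagnostics for denied or redacted results" can act as an existence oracle for a requester who is not permitted to learn that an object exists; specify that what is reported back to the caller is itself subject to policy (a single boolean at most by default, with counts and object identifiers kept to the P9.6 audit log). Third, the P9.6 field list (subject, action, object, context, decision, reason, provenance) has no timestamp and no policy version or hash, so a logged decision cannot later be replayed against the policy that produced it; add both fields to the record.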