Access controlled knowledge gateway functionality

This commit is contained in:
2026-05-04 15:00:16 +02:00
parent e87406ac9e
commit d923661852
20 changed files with 1486 additions and 14 deletions

View File

@@ -3,10 +3,10 @@ id: MKTT-WP-0009
type: workplan
title: "Access-Controlled Knowledge Gateway"
domain: markitect
status: todo
status: done
owner: markitect-tool
topic_slug: markitect
planning_priority: P2
planning_priority: complete
planning_order: 80
depends_on_workplans:
- MKTT-WP-0006
@@ -22,11 +22,30 @@ state_hub_workstream_id: "f36acbc9-881d-46f2-9181-67de228df0c2"
Add a policy boundary for cached retrieval and context packages so Markitect can
support security-sensitive knowledge systems and agent workflows.
## Implementation Summary
Implemented as an internal policy-gateway extension, centered on
`LocalLabelPolicyGateway`:
- local labels, trust zones, and path rules
- enforce, audit, and off modes
- drop or redact behavior for denied results
- stable `PolicyDecision` ids and explainable decision envelopes
- denied/redacted result diagnostics
- policy-aware `mkt cache query` and `mkt search`
- `mkt policy check`
- relationship and rule policy adapter protocols for future
Zanzibar/OpenFGA/SpiceDB, OPA/Rego, and Cedar integrations
Documentation: `docs/access-control-policy-gateway.md`.
Examples: `examples/policy/`.
## P9.1 - Define access-control ladder
```task
id: MKTT-WP-0009-T001
status: todo
status: done
priority: high
state_hub_task_id: "acf240b4-7210-4ee5-90b6-2f2fe1438439"
```
@@ -43,7 +62,7 @@ Specify supported modes:
```task
id: MKTT-WP-0009-T002
status: todo
status: done
priority: high
state_hub_task_id: "9eb589d2-82f2-4282-9af0-3958826d397d"
```
@@ -54,7 +73,7 @@ Start with local policy labels and diagnostics for denied or redacted results.
```task
id: MKTT-WP-0009-T003
status: todo
status: done
priority: high
state_hub_task_id: "d78ab623-c472-4b24-ad84-08464b574886"
```
@@ -66,7 +85,7 @@ metadata must report whether policy filtering occurred.
```task
id: MKTT-WP-0009-T004
status: todo
status: done
priority: medium
state_hub_task_id: "bd4c2b7a-6eac-4845-b5c8-9f9c64946f0c"
```
@@ -78,7 +97,7 @@ checks without binding the core package to any one service.
```task
id: MKTT-WP-0009-T005
status: todo
status: done
priority: medium
state_hub_task_id: "752f1962-e83c-44cc-a1c1-0f89a4ea2a90"
```
@@ -89,7 +108,7 @@ Design an adapter boundary for OPA/Rego and Cedar-style rule policies.
```task
id: MKTT-WP-0009-T006
status: todo
status: done
priority: medium
state_hub_task_id: "990f01fa-5008-4871-a887-1c6ab4375605"
```
@@ -103,3 +122,10 @@ reason, and provenance.
- Query and context package results are policy-aware.
- More rigid authorization engines can attach later without replacing the
query/cache framework.
## Notes
Context package filtering is represented through the same gateway and adapter
protocols, but persistent context package storage remains future WP-0008 scope.
Persistent decision-log storage is also intentionally deferred to backend work;
the local gateway explains decisions made by the current instance.