generated from coulomb/repo-seed
2.4 KiB
2.4 KiB
id, type, title, domain, status, owner, topic_slug, planning_priority, planning_order, depends_on_workplans, created, updated, state_hub_workstream_id
| id | type | title | domain | status | owner | topic_slug | planning_priority | planning_order | depends_on_workplans | created | updated | state_hub_workstream_id | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MKTT-WP-0009 | workplan | Access-Controlled Knowledge Gateway | markitect | todo | markitect-tool | markitect | P2 | 80 |
|
2026-05-03 | 2026-05-03 | f36acbc9-881d-46f2-9181-67de228df0c2 |
MKTT-WP-0009: Access-Controlled Knowledge Gateway
Purpose
Add a policy boundary for cached retrieval and context packages so Markitect can support security-sensitive knowledge systems and agent workflows.
P9.1 - Define access-control ladder
id: MKTT-WP-0009-T001
status: todo
priority: high
state_hub_task_id: "acf240b4-7210-4ee5-90b6-2f2fe1438439"
Specify supported modes:
- labels and trust zones
- path/file ACLs
- relationship-based access control
- attribute/rule-based policies
- external policy engines
P9.2 - Implement local label policy
id: MKTT-WP-0009-T002
status: todo
priority: high
state_hub_task_id: "9eb589d2-82f2-4282-9af0-3958826d397d"
Start with local policy labels and diagnostics for denied or redacted results.
P9.3 - Add policy-aware query filtering
id: MKTT-WP-0009-T003
status: todo
priority: high
state_hub_task_id: "d78ab623-c472-4b24-ad84-08464b574886"
Ensure results are filtered before leaving the backend boundary. Result metadata must report whether policy filtering occurred.
P9.4 - Add relationship policy adapter design
id: MKTT-WP-0009-T004
status: todo
priority: medium
state_hub_task_id: "bd4c2b7a-6eac-4845-b5c8-9f9c64946f0c"
Design an adapter boundary for Zanzibar/OpenFGA/SpiceDB-style relationship checks without binding the core package to any one service.
P9.5 - Add rule policy adapter design
id: MKTT-WP-0009-T005
status: todo
priority: medium
state_hub_task_id: "752f1962-e83c-44cc-a1c1-0f89a4ea2a90"
Design an adapter boundary for OPA/Rego and Cedar-style rule policies.
P9.6 - Add decision logs and explainability
id: MKTT-WP-0009-T006
status: todo
priority: medium
state_hub_task_id: "990f01fa-5008-4871-a887-1c6ab4375605"
Record policy decisions with subject, action, object, context, decision, reason, and provenance.
Exit Criteria
- Local caches can operate in an explicit policy mode.
- Query and context package results are policy-aware.
- More rigid authorization engines can attach later without replacing the query/cache framework.