acl: Phase 3 explanation + audit, 35 tests

explain.sx reconstructs a canonical proof tree (first-rule, first-solution) by goal-directed search over the saturated db, since Datalog keeps no provenance; depth-capped for cyclic safety. acl-explain returns {:allowed? :proof :reason} with the blocking eff_deny proof on denial. audit.sx is an append-only decision log (monotonic seq, disk serializer). api gains acl/explain, acl/audit, acl/audit-tail. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 16:47:07 +00:00
parent 9261d69cc5
commit 15c97119e4
8 changed files with 585 additions and 15 deletions
--- a/lib/acl/api.sx
+++ b/lib/acl/api.sx
@@ -25,7 +25,21 @@
        (set! acl-current-db (acl-build-db (list))))
      acl-current-db)))

-;; Public decision against the current db.
+;; Public decision against the current db (pure, no logging).
 (define
  acl/permit?
  (fn (subj act res) (acl-permit? (acl-ensure-db!) subj act res)))
+
+;; Decision-with-proof against the current db. See lib/acl/explain.sx.
+(define
+  acl/explain
+  (fn (subj act res) (acl-explain (acl-ensure-db!) subj act res)))
+
+;; Audited decision: logs the outcome to the append-only audit log and returns
+;; the boolean. See lib/acl/audit.sx.
+(define
+  acl/audit
+  (fn (subj act res) (acl-audit-decide! (acl-ensure-db!) subj act res)))
+
+;; Recent audited decisions (chronological).
+(define acl/audit-tail (fn (n) (acl-audit-tail n)))