acl: Phase 4 federation (trust-gated delegation, revocation) + 31 tests
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 10m25s
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 10m25s
federation.sx adds peer/trust/delegate/level_covers facts and one engine rule: delegated grants apply only when local trust covers the action, re-checked every query (non-transitive, fail-safe). Local/inherited deny overrides federated grants; delegation composes with group and resource inheritance. acl-revoke!/acl-fed-assert! propagate retraction/assertion; mock fed-sx transport for tests. Federated proofs reconstruct via the existing explainer. Roadmap complete: 120/120. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -15,7 +15,7 @@ and federation extension. Reuses `lib/datalog/` evaluator and term model where p
|
||||
|
||||
## Status (rolling)
|
||||
|
||||
`bash lib/acl/conformance.sh` → **89/89** (Phases 1-3 complete)
|
||||
`bash lib/acl/conformance.sh` → **120/120** (all four phases complete)
|
||||
|
||||
## Ground rules
|
||||
|
||||
@@ -122,11 +122,33 @@ pure.
|
||||
|
||||
## Phase 4 — Federation
|
||||
|
||||
- [ ] peer trust facts — `peer(addr, kind)`, `trust(peer, level)`
|
||||
- [ ] delegated grants — `delegate(peer, actor, action, resource)`
|
||||
- [ ] cross-instance permit chain — query asks local + queries trusted peers via fed-sx
|
||||
- [ ] revocation propagation — fact retraction across federation
|
||||
- [ ] `lib/acl/tests/fed.sx` — federated grant chains (mock fed-sx transport in tests)
|
||||
- [x] peer trust facts — `peer(addr, kind)`, `trust(peer, level)`
|
||||
- [x] delegated grants — `delegate(peer, actor, action, resource)`
|
||||
- [x] cross-instance permit chain — query asks local + queries trusted peers via fed-sx
|
||||
- [x] revocation propagation — fact retraction across federation
|
||||
- [x] `lib/acl/tests/fed.sx` — federated grant chains (mock fed-sx transport in tests)
|
||||
|
||||
### federation policy (the choice)
|
||||
|
||||
One engine rule carries federation:
|
||||
`eff_grant(S,A,R) :- delegate(Peer,S,A,R), trust(Peer,L), level_covers(L,A)`.
|
||||
|
||||
- **Non-transitive trust.** A peer's `delegate` only grants if a *local*
|
||||
`trust(Peer,L)` exists and that level `level_covers` the action. There is no
|
||||
peer-to-peer trust propagation — trusting α never extends to peers α trusts.
|
||||
- **Trust re-checked every query.** `trust`/`level_covers` are body literals
|
||||
evaluated at decision time, never baked in at ingestion. Revoking trust or
|
||||
narrowing a level takes effect on the next `acl-permit?`.
|
||||
- **Deny still wins.** Federated grants are `eff_grant`, so local (and inherited)
|
||||
deny overrides them exactly as for local grants.
|
||||
- **Composes with inheritance.** A delegate to a group flows to members; a
|
||||
delegate on a parent resource flows to children (federated `eff_grant` feeds
|
||||
the same recursion).
|
||||
- **Revocation = retraction.** `acl-revoke!` wraps `dl-retract!`; the next query
|
||||
re-saturates. `acl-fed-assert!` wraps `dl-assert!` for newly-replicated facts.
|
||||
- **Transport is fed-sx's job.** `lib/acl/federation.sx` mocks the pull as a
|
||||
dict {peer-addr → delegate-facts}; `acl-fed-build-db` merges local policy +
|
||||
pulled delegates.
|
||||
|
||||
## Progress log
|
||||
|
||||
@@ -177,6 +199,25 @@ pure.
|
||||
name-based `acl-et-eq?` (compare symbols via `symbol->string`), matching the
|
||||
datalog suite's `dl-api-deep=?` convention. Worth flagging to the kernel
|
||||
owners but out of acl scope.
|
||||
- **Phase 4 complete (120/120, +31 fed).** Added `federation.sx` (mock
|
||||
transport + `acl-fed-build-db`/`acl-revoke!`/`acl-fed-assert!`), one engine
|
||||
rule (the trust-gated delegate rule), 4 fact constructors, 4 schema arities.
|
||||
Federated proofs reconstruct for free — `explain.sx` iterates `acl-rules`, so
|
||||
the delegate rule's EDB body (`delegate`/`trust`/`level_covers`) shows up as
|
||||
proof leaves with no explain changes. **Roadmap done: all four phases green.**
|
||||
- **Shared-plumbing final note (for `lib/guest/rules/`):** the durable
|
||||
reusable seam across acl-sx and the coming mod-sx is exactly four
|
||||
pass-throughs to the rule engine — `build-db(facts)`, `decide(ground-query)
|
||||
-> bool`, `explain(goal) -> proof-tree`, and the revoke/assert mutators.
|
||||
The *rulesets* and *vocabulary* are language-specific (ACL: grant/deny/
|
||||
member_of/...; mod-sx: Prolog moderation predicates). When mod-sx lands,
|
||||
extract those four functions (engine.sx + the generic half of explain.sx's
|
||||
goal-directed reconstructor) into `lib/guest/rules/`, leaving each consumer
|
||||
its own rules + fact constructors. Proof reconstruction is the non-obvious
|
||||
reusable piece: it only needs the ruleset as data + a saturated db, both of
|
||||
which any datalog-backed guest has.
|
||||
- **dict-mode conformance is slow, not hung:** all suites load + run in one
|
||||
process (~30-40s for 120 tests, no per-suite timeout). Do not kill early.
|
||||
- **Tooling note:** sx-tree path-based edit tools (`sx_replace_node`,
|
||||
`sx_read_subtree` with a path) ignored the path argument in this worktree
|
||||
(always resolved to index 0 / `[0,..]`), in BOTH `(a b c)` and `(a,b,c)`
|
||||
|
||||
Reference in New Issue
Block a user