coop/rose-ash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

identity: identity->acl delegation boundary — 401 gates before 403 (+8 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 57s
Details

Browse Source 
delegation.sx makes the loop's central rule concrete: check() introspects
the token first — inactive → {error, unauthenticated} (401), acl never
consulted — and only an authenticated subject's request is delegated to
acl, which returns permit/deny ({error, forbidden} = 403). 401 strictly
precedes 403. acl-on-sx (Datalog) is a different SX guest wired at the
integration layer, so the decider here is a labelled stub (permits when
Action in Scope); swap the pid and the boundary is unchanged. New
tests/delegation.sx. 185/185 — extensions backlog clear.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
giles
2026-06-07 03:05:12 +00:00
parent d2f5b49d3f
commit db885e15bc
6 changed files with 158 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/identity/scoreboard.md
View File

@@ -1,6 +1,6 @@
# identity-on-sx Scoreboard
**Total: 177 / 177 tests passing**
**Total: 185 / 185 tests passing**
| | Suite | Pass | Total |
|---|---|---|---|
@@ -19,6 +19,7 @@
| ✅ | grants | 9 | 9 |
| ✅ | device | 10 | 10 |
| ✅ | facade | 9 | 9 |
| ✅ | delegation | 8 | 8 |
Generated by `lib/identity/conformance.sh`.