;; lib/acl/facts.sx — EDB fact constructors.
;;
;; Each constructor returns a Datalog fact tuple (a list whose head is the
;; predicate symbol). These are the only shapes lib/acl/engine.sx feeds to
;; lib/datalog/.
;;   Phase 1: actor/resource/grant/deny.
;;   Phase 2: member_of (subject -> group/role), child_of (resource -> parent),
;;            role_grant (role -> action,resource capability).
;;   Phase 4: peer/trust/delegate/level_covers (federation).

(define acl-actor (fn (id kind) (list (quote actor) id kind)))

(define acl-resource-fact (fn (id kind) (list (quote resource) id kind)))

(define acl-grant (fn (subj act res) (list (quote grant) subj act res)))

(define acl-deny (fn (subj act res) (list (quote deny) subj act res)))

;; subject S is a member of group/role G (one hop; transitivity is derived).
(define acl-member-of (fn (subj grp) (list (quote member_of) subj grp)))

;; resource R is a child of parent P (one hop; transitivity is derived).
(define acl-child-of (fn (res parent) (list (quote child_of) res parent)))

;; role confers capability (act on res) to every member of the role.
(define
  acl-role-grant
  (fn (role act res) (list (quote role_grant) role act res)))

;; --- federation ---

;; a known peer instance at addr, of some kind (e.g. peer).
(define acl-peer (fn (addr kind) (list (quote peer) addr kind)))

;; local trust in a peer at a named level. Gates delegated grants at query time.
(define acl-trust (fn (peer level) (list (quote trust) peer level)))

;; a peer asserts that subject S may A on R. Only takes effect if local trust in
;; that peer covers action A (see level_covers).
(define
  acl-delegate
  (fn (peer subj act res) (list (quote delegate) peer subj act res)))

;; local policy: trust `level` authorises delegated grants for action `act`.
(define
  acl-level-covers
  (fn (level act) (list (quote level_covers) level act)))