giles
fe47334e52
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 56s
Datalog ACL layer (schema/facts/engine/api) over lib/datalog/. Direct grant permits unless explicit deny names same (S,A,R) — deny-overrides via stratified negation. Conformance wrapper + scoreboard. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
32 lines
899 B
Plaintext
32 lines
899 B
Plaintext
;; lib/acl/api.sx — public ACL surface over an implicit current db.
|
|
;;
|
|
;; Callers load a fact set once, then issue decisions without threading the db
|
|
;; through every call. The current db is module state; (acl/load! facts) rebuilds
|
|
;; it. This is the boundary the rest of rose-ash imports.
|
|
|
|
(define acl-current-db nil)
|
|
|
|
;; Replace the current fact base. Rebuilds the Datalog db under the active
|
|
;; ruleset (see lib/acl/engine.sx).
|
|
(define
|
|
acl/load!
|
|
(fn
|
|
(facts)
|
|
(do (set! acl-current-db (acl-build-db facts)) acl-current-db)))
|
|
|
|
;; Ensure a db exists, building an empty one on first use.
|
|
(define
|
|
acl-ensure-db!
|
|
(fn
|
|
()
|
|
(do
|
|
(when
|
|
(= acl-current-db nil)
|
|
(set! acl-current-db (acl-build-db (list))))
|
|
acl-current-db)))
|
|
|
|
;; Public decision against the current db.
|
|
(define
|
|
acl/permit?
|
|
(fn (subj act res) (acl-permit? (acl-ensure-db!) subj act res)))
|