mirror of
https://github.com/trustgraph-ai/trustgraph.git
synced 2026-04-28 18:06:21 +02:00
The gateway no longer holds any policy state — capability sets, role
definitions, workspace scope rules. Per the IAM contract it asks the
regime "may this identity perform this capability on this resource?"
per request. That moves the OSS role-based regime entirely into
iam-svc, which can be replaced (SSO, ABAC, ReBAC) without changing
the gateway, the wire protocol, or backend services.
Contract:
- authenticate(credential) -> Identity (handle, workspace,
principal_id, source). No roles, claims, or policy state surface
to the gateway.
- authorise(identity, capability, resource, parameters) -> (allow,
ttl). Cached per-decision (regime TTL clamped above; fail-closed
on regime errors).
- authorise_many available as a fan-out variant.
Operation registry drives every authorisation decision:
- /api/v1/iam -> IamEndpoint, looks up bare op name (create-user,
list-workspaces, ...).
- /api/v1/{kind} -> RegistryRoutedVariableEndpoint, <kind>:<op>
(config:get, flow:list-blueprints, librarian:add-document, ...).
- /api/v1/flow/{flow}/service/{kind} -> flow-service:<kind>.
- /api/v1/flow/{flow}/{import,export}/{kind} ->
flow-{import,export}:<kind>.
- WS Mux per-frame -> flow-service:<kind>; closes a gap where
authenticated users could hit any service kind.
85 operations registered across the surface.
JWT carries identity only — sub + workspace. The roles claim is gone;
the gateway never reads policy state from a credential.
The three coarse *_KIND_CAPABILITY maps are removed. The registry is
the only source of truth for the capability + resource shape of an
operation. Tests migrated to the new Identity shape and to
authorise()-mocked auth doubles.
Specs updated: docs/tech-specs/iam-contract.md (Identity surface,
caching, registry-naming conventions), iam.md (JWT shape, gateway
flow, role section reframed as OSS-regime detail), iam-protocol.md
(positioned as one implementation of the contract).
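The authorise() contract the message describes (ask the regime per request, cache per decision with the regime TTL clamped above, fail closed on regime errors, capability looked up from the operation registry), as an added illustration that is not trustgraph's own code. The registry entries, capability names, 30-second ceiling and the regime callable's signature are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Identity surface as the commit message describes it: handle, workspace,
# principal_id, source, and nothing resembling roles or claims.
@dataclass(frozen=True)
class Identity:
    handle: str
    workspace: str
    principal_id: str
    source: str

# Hypothetical operation registry (constructed here): <kind>:<op> name ->
# capability the regime is asked about. Only registered ops are reachable.
OPERATION_REGISTRY: Dict[str, str] = {
    "config:get": "config.read",
    "config:put": "config.write",
    "flow-service:agent": "flow.invoke",
}
MAX_TTL_SECONDS = 30.0  # assumed gateway-side ceiling on a regime-supplied TTL

class GatewayAuthoriser:
    """Holds no policy: asks the regime per request and caches per decision."""
    def __init__(self, regime: Callable[[Identity, str, str, dict], Tuple[bool, float]],
                 clock: Callable[[], float] = time.monotonic):
        self.regime = regime      # regime(identity, capability, resource, params)
        self.clock = clock        # injectable so expiry can be tested
        self._cache: Dict[tuple, Tuple[bool, float]] = {}  # key -> (allow, expiry)

    def authorise(self, identity: Identity, op: str, resource: str,
                  parameters: Optional[dict] = None) -> bool:
        capability = OPERATION_REGISTRY.get(op)
        if capability is None:
            return False  # unregistered operation: deny rather than guess
        params = parameters or {}
        # Parameters shape the decision, so they are part of the cache key.
        key = (identity.principal_id, identity.workspace, capability, resource,
               repr(sorted(params.items())))
        now = self.clock()
        cached = self._cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]
        try:
            allow, ttl = self.regime(identity, capability, resource, params)
        except Exception:
            return False  # fail closed on regime errors; failures are never cached
        ttl = max(0.0, min(float(ttl), MAX_TTL_SECONDS))  # regime TTL clamped above
        self._cache[key] = (bool(allow), now + ttl)
        return bool(allow)
```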
| layout | title | nav_order |
|---|---|---|
| default | Home | 1 |
TrustGraph Documentation
Welcome to TrustGraph! For comprehensive documentation, please visit:
📖 https://docs.trustgraph.ai
The main documentation site includes:
- Overview - Introduction to TrustGraph concepts and architecture
- Guides - Step-by-step tutorials and how-to guides
- Deployment - Deployment options and configuration
- Reference - API specifications and CLI documentation
Getting Started
New to TrustGraph? Start with the Overview to understand the system.
Ready to deploy? Check out the Deployment Guide.
Integrating with code? See the API Reference for REST, WebSocket, and SDK documentation.