Mint the 0x0B AuthStore class family (keystone §7, confirmed by OGIT shape) #110
Autoattended resolution of ISS-RBAC-AUTHORIZE-BY-CLASSID. The operator's
insight ("having our vision and already the canonical OGIT shape it's
easy") is correct: OGAR's keystone §7 and the canonical OGIT Auth shape
converge 1:1, so the tractable, spec-ratified part ships now while the
enforcement stays behind the keystone's own probe gate.
Mint (ogar-vocab + ogar-class-view), per CLASSID-RBAC-KEYSTONE-SPEC §7:
* CODEBOOK + class_ids consts + ALL: auth_store 0x0B01, auth_zitadel
0x0B02, auth_zanzibar 0x0B03, auth_ory_keto 0x0B04.
* ConceptDomain::Auth + canonical_concept_domain(0x0B) => Auth.
* all_promoted_classes() builders: auth_store() (base, carries the three
claim-name slots + maps_actor/maps_role family edges) + the three
provider profiles (is-a AuthStore, claim_grammar attr).
* ogar-class-view all_canonical_classes() registration + imports.
* Tests: auth_domain_concepts_resolve_and_route +
concepts_in_domain(Auth).count()==4; domain test asserts 0x0B->Auth,
0x0C->Unassigned.
These are RESERVATIONS ("reserving costs nothing"). The enforcement
authorize() is NOT in this commit — it stays gated on
PROBE-OGAR-RBAC-AUTHORIZE (keystone §10), security-review-class.
The OGIT convergence that justifies the mint (not an invention):
arago's January-2026 NTO/Auth/Configuration entity — keyed by
organizationId/accountId/applicationId/scopeId + configurationData,
"registered in hiro knowledge core" — IS the keystone's auth_store,
built upstream independently. Zitadel maps 1:1. The vision and the
upstream shape agree.
Docs:
* .claude/board/ISSUES.md (new) — ISS-RBAC-AUTHORIZE-BY-CLASSID RESOLVED:
the decision (keystone canonical / woa MembraneGate-mirror interim /
probe orders them), what shipped (the mint), what stays gated (the
enforcement, the woa mirror, the project_role.permissions Core change).
* .claude/board/EPIPHANIES.md — the 1:1 convergence table (OGIT
Configuration ⊨ auth_store) + the autoattended-decision method note
(autonomy honors the project's ratified gates, doesn't bulldoze them).
* docs/CLASSID-RBAC-KEYSTONE-SPEC.md §7 — MINTED + CONFIRMED block.
Tests: 298/0 workspace; ogar-vocab 93 + ogar-class-view 13 (= 106 in the
touched crates) + 2 doctests. fmt-clean; no new clippy warnings (the
ports.rs delta is fmt-normalization of pre-existing drift).
What this is
Autoattended resolution of ISS-RBAC-AUTHORIZE-BY-CLASSID. The operator's insight — "having our vision and already the canonical OGIT shape it's easy" — is correct: OGAR's keystone §7 and the canonical OGIT Auth shape converge 1:1, so the tractable, spec-ratified part ships now while the enforcement stays behind the keystone's own probe gate.
The convergence that makes it a reservation, not an invention
Convergence table (OGIT Auth entity → keystone class):
* Account (the sub) 0x0104
* Application Role 0x0117
* RoleAssignment 0x0108/0x0118
* Organization/OrgDomain
* Configuration (keyed org/app/account/scope IDs + configurationData) auth_store 0x0B01
arago's January-2026 NTO/Auth/Configuration entity is the keystone's auth_store, built upstream independently. The vision and the upstream shape agree.
What ships (the mint — reservations only)
Per docs/CLASSID-RBAC-KEYSTONE-SPEC.md §7, in ogar-vocab + ogar-class-view:
* class_ids consts + ALL: auth_store 0x0B01, auth_zitadel 0x0B02, auth_zanzibar 0x0B03, auth_ory_keto 0x0B04.
* ConceptDomain::Auth + canonical_concept_domain(0x0B) => Auth.
* all_promoted_classes() builders: auth_store() (base — carries the three claim-name slots + maps_actor/maps_role family edges) + the three provider profiles (is-a AuthStore, claim_grammar attr).
* ogar-class-view::all_canonical_classes() registration + imports.
* auth_domain_concepts_resolve_and_route + concepts_in_domain(Auth).count()==4; domain test asserts 0x0B → Auth, 0x0C → Unassigned.
"Reserving costs nothing" — these are registry reservations, not enforcement.
What stays gated (the keystone's own gates, not caution)
* authorize() enforcement (ClassRbac trait impl + the bit-for-bit decision) — gated on PROBE-OGAR-RBAC-AUTHORIZE (§10). Security-review-class.
* Woa MembraneGate mirror — different repo; mirrors smb floor: fix non-exhaustive errors in surrealql adapter + add compile CI #29 when woa work is picked up. Unblocked, not gated.
* project_role.permissions: text → typed-grant Core change (§6) — lands per keystone §11 build order, after the probe.
The decision (recorded in .claude/board/ISSUES.md)
* authorize, AuthStore profiles). Hardened; confirmed by the OGIT shape.
* MembraneGate — the shipped pattern, not a *Bridge stopgap.
Method note: autoattended autonomy means honoring the project's ratified gates (the probe, the 5+3-hardened keystone), not bulldozing them. The mint is spec-ratified + OGIT-confirmed, so it ships; the enforcement has an explicit probe gate, so it waits.
Docs
* .claude/board/ISSUES.md (new) — ISS-RBAC-AUTHORIZE-BY-CLASSID RESOLVED.
* .claude/board/EPIPHANIES.md — the 1:1 convergence table + the autoattended-decision method note.
* docs/CLASSID-RBAC-KEYSTONE-SPEC.md §7 — MINTED + CONFIRMED block.
Tests
298/0 workspace; 106 in the touched crates (ogar-vocab 93 + ogar-class-view 13) + 2 doctests. fmt-clean; no new clippy warnings (the ports.rs delta is fmt-normalization of pre-existing drift).
Generated by Claude Code
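The "What ships" list above describes a reservation-only mint: four class ids in the 0x0B domain, a domain router that sends 0x0B to Auth and anything unminted to Unassigned, and three provider profiles that are-a the auth_store base. The following is an added Rust example, not code from the ogar-vocab or ogar-class-view crates, showing the registry-level checks such a mint should pass before any authorize() logic exists: id and name uniqueness, is-a bases that are already reserved, and no is-a edge crossing a domain boundary. The ids and names are taken from the PR text; the Codebook, ClassEntry and MintError types and the mint()/resolve() methods are assumptions, and the real crate's API is likely shaped differently.

```rust
// Added example (not the ogar crates' own code). Names such as auth_store
// 0x0B01 and canonical_concept_domain come from the PR; the registry
// structure below is an assumption.
use std::collections::BTreeMap;

/// 16-bit class id: high byte selects the concept domain, low byte the class.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct ClassId(pub u16);

impl ClassId {
    pub fn domain_byte(self) -> u8 {
        (self.0 >> 8) as u8
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ConceptDomain {
    Auth,
    Unassigned,
}

/// 0x0B is the minted AuthStore family; any unminted high byte (e.g. 0x0C)
/// routes to Unassigned, which is what the PR's domain test asserts.
pub fn canonical_concept_domain(high: u8) -> ConceptDomain {
    match high {
        0x0B => ConceptDomain::Auth,
        _ => ConceptDomain::Unassigned,
    }
}

/// The four reserved ids from the PR.
pub mod class_ids {
    use super::ClassId;
    pub const AUTH_STORE: ClassId = ClassId(0x0B01);
    pub const AUTH_ZITADEL: ClassId = ClassId(0x0B02);
    pub const AUTH_ZANZIBAR: ClassId = ClassId(0x0B03);
    pub const AUTH_ORY_KETO: ClassId = ClassId(0x0B04);
    pub const ALL: [ClassId; 4] = [AUTH_STORE, AUTH_ZITADEL, AUTH_ZANZIBAR, AUTH_ORY_KETO];
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct ClassEntry {
    pub name: &'static str,
    pub id: ClassId,
    /// Optional "is-a" base; the provider profiles point at auth_store.
    pub is_a: Option<ClassId>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum MintError {
    DuplicateId(ClassId),
    DuplicateName(&'static str),
    UnknownBase { class: ClassId, base: ClassId },
    CrossDomainBase { class: ClassId, base: ClassId },
}

#[derive(Default)]
pub struct Codebook {
    by_id: BTreeMap<ClassId, ClassEntry>,
}

impl Codebook {
    /// Reserve one class. These are registry checks only; no enforcement
    /// decision lives here, matching the PR's "reservations, not enforcement".
    pub fn mint(&mut self, entry: ClassEntry) -> Result<(), MintError> {
        if self.by_id.contains_key(&entry.id) {
            return Err(MintError::DuplicateId(entry.id));
        }
        if self.by_id.values().any(|e| e.name == entry.name) {
            return Err(MintError::DuplicateName(entry.name));
        }
        if let Some(base) = entry.is_a {
            if !self.by_id.contains_key(&base) {
                return Err(MintError::UnknownBase { class: entry.id, base });
            }
            if base.domain_byte() != entry.id.domain_byte() {
                return Err(MintError::CrossDomainBase { class: entry.id, base });
            }
        }
        self.by_id.insert(entry.id, entry);
        Ok(())
    }

    pub fn resolve(&self, id: ClassId) -> Option<&ClassEntry> {
        self.by_id.get(&id)
    }

    pub fn concepts_in_domain<'a>(&'a self, d: ConceptDomain) -> impl Iterator<Item = &'a ClassEntry> + 'a {
        self.by_id.values().filter(move |e| canonical_concept_domain(e.id.domain_byte()) == d)
    }
}

/// Build the AuthStore family: the base first, then the three profiles that are-a it.
pub fn auth_store_family() -> Result<Codebook, MintError> {
    let mut cb = Codebook::default();
    cb.mint(ClassEntry { name: "auth_store", id: class_ids::AUTH_STORE, is_a: None })?;
    for (name, id) in [
        ("auth_zitadel", class_ids::AUTH_ZITADEL),
        ("auth_zanzibar", class_ids::AUTH_ZANZIBAR),
        ("auth_ory_keto", class_ids::AUTH_ORY_KETO),
    ] {
        cb.mint(ClassEntry { name, id, is_a: Some(class_ids::AUTH_STORE) })?;
    }
    Ok(cb)
}

fn main() {
    let cb = auth_store_family().expect("mint is collision-free");
    for e in cb.concepts_in_domain(ConceptDomain::Auth) {
        println!("{:#06x} {} is-a {:?}", e.id.0, e.name, e.is_a.map(|b| b.0));
    }
}
```

The value of running the checks at mint time is that the ordering constraint the PR relies on (profiles after the base, enforcement after the probe) becomes mechanical: a profile minted before its base, a second class reusing 0x0B02, or a 0x0C-domain class claiming auth_store as its base all fail at registration rather than surfacing later as a routing surprise.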