
Mint the 0x0B AuthStore class family (keystone §7, confirmed by OGIT shape)#110

Merged
AdaWorldAPI merged 1 commit into
mainfrom
claude/medcare-bridge-lance-graph-wmx76z
Jun 23, 2026

Conversation

@AdaWorldAPI

Owner

What this is

Autoattended resolution of ISS-RBAC-AUTHORIZE-BY-CLASSID. The operator's
insight — "having our vision and already the canonical OGIT shape it's
easy" — is correct: OGAR's keystone §7 and the canonical OGIT Auth shape
converge 1:1, so the tractable, spec-ratified part ships now while the
enforcement stays behind the keystone's own probe gate.

The convergence that makes it a reservation, not an invention

| OGIT Auth (canonical shape, upstream) | keystone §7 | Zitadel |
|---|---|---|
| Account (the sub) | actor 0x0104 | User |
| Application | class scope | Project/App |
| Role | role 0x0117 | Project-Role |
| RoleAssignment | membership tuple 0x0108/0x0118 | Grant |
| Organization/OrgDomain | row-scope (axis 3) | Org |
| Configuration (keyed org/app/account/scope IDs + configurationData) | auth_store 0x0B01 | the IdP config record |

arago's January-2026 NTO/Auth/Configuration entity is the keystone's
auth_store, built upstream independently. The vision and the upstream
shape agree.

What ships (the mint — reservations only)

Per docs/CLASSID-RBAC-KEYSTONE-SPEC.md §7, in ogar-vocab + ogar-class-view:

  • CODEBOOK + class_ids consts + ALL: auth_store 0x0B01,
    auth_zitadel 0x0B02, auth_zanzibar 0x0B03, auth_ory_keto 0x0B04.
  • ConceptDomain::Auth + canonical_concept_domain(0x0B) => Auth.
  • all_promoted_classes() builders: auth_store() (base — carries
    the three claim-name slots + maps_actor/maps_role family edges) +
    the three provider profiles (is-a AuthStore, claim_grammar attr).
  • ogar-class-view::all_canonical_classes() registration + imports.
  • Tests: auth_domain_concepts_resolve_and_route +
    concepts_in_domain(Auth).count()==4; domain test asserts
    0x0B → Auth, 0x0C → Unassigned.

"Reserving costs nothing" — these are registry reservations, not
enforcement.

What stays gated (the keystone's own gates, not caution)

  • The authorize() enforcement (ClassRbac trait impl + the
    bit-for-bit decision) — gated on PROBE-OGAR-RBAC-AUTHORIZE (§10).
    Security-review-class.
  • The woa-rs WoaMembraneGate mirror — different repo; mirrors #29
    (smb floor: fix non-exhaustive errors in surrealql adapter + add
    compile CI) when woa work is picked up. Unblocked, not gated.
  • project_role.permissions: text → typed-grant Core change (§6) —
    lands per keystone §11 build order, after the probe.

The decision (recorded in .claude/board/ISSUES.md)

Method note: autoattended autonomy means honoring the project's ratified
gates (the probe, the 5+3-hardened keystone), not bulldozing them. The
mint is spec-ratified + OGIT-confirmed, so it ships; the enforcement has
an explicit probe gate, so it waits.

Docs

  • .claude/board/ISSUES.md (new) — ISS-RBAC-AUTHORIZE-BY-CLASSID RESOLVED.
  • .claude/board/EPIPHANIES.md — the 1:1 convergence table + the
    autoattended-decision method note.
  • docs/CLASSID-RBAC-KEYSTONE-SPEC.md §7 — MINTED + CONFIRMED block.

Tests

298/0 workspace; 106 in the touched crates (ogar-vocab 93 + ogar-class-view
13) + 2 doctests. fmt-clean; no new clippy warnings (the ports.rs delta is
fmt-normalization of pre-existing drift).


Generated by Claude Code

…irmed by the OGIT shape

Autoattended resolution of ISS-RBAC-AUTHORIZE-BY-CLASSID. The operator's
insight ("having our vision and already the canonical OGIT shape it's
easy") is correct: OGAR's keystone §7 and the canonical OGIT Auth shape
converge 1:1, so the tractable, spec-ratified part ships now while the
enforcement stays behind the keystone's own probe gate.

Mint (ogar-vocab + ogar-class-view), per CLASSID-RBAC-KEYSTONE-SPEC §7:

* CODEBOOK + class_ids consts + ALL: auth_store 0x0B01, auth_zitadel
  0x0B02, auth_zanzibar 0x0B03, auth_ory_keto 0x0B04.
* ConceptDomain::Auth + canonical_concept_domain(0x0B) => Auth.
* all_promoted_classes() builders: auth_store() (base, carries the three
  claim-name slots + maps_actor/maps_role family edges) + the three
  provider profiles (is-a AuthStore, claim_grammar attr).
* ogar-class-view all_canonical_classes() registration + imports.
* Tests: auth_domain_concepts_resolve_and_route +
  concepts_in_domain(Auth).count()==4; domain test asserts 0x0B->Auth,
  0x0C->Unassigned.

These are RESERVATIONS ("reserving costs nothing"). The enforcement
authorize() is NOT in this commit — it stays gated on
PROBE-OGAR-RBAC-AUTHORIZE (keystone §10), security-review-class.

The OGIT convergence that justifies the mint (not an invention):
arago's January-2026 NTO/Auth/Configuration entity — keyed by
organizationId/accountId/applicationId/scopeId + configurationData,
"registered in hiro knowledge core" — IS the keystone's auth_store,
built upstream independently. Zitadel maps 1:1. The vision and the
upstream shape agree.

Docs:

* .claude/board/ISSUES.md (new) — ISS-RBAC-AUTHORIZE-BY-CLASSID RESOLVED:
  the decision (keystone canonical / woa MembraneGate-mirror interim /
  probe orders them), what shipped (the mint), what stays gated (the
  enforcement, the woa mirror, the project_role.permissions Core change).
* .claude/board/EPIPHANIES.md — the 1:1 convergence table (OGIT
  Configuration ⊨ auth_store) + the autoattended-decision method note
  (autonomy honors the project's ratified gates, doesn't bulldoze them).
* docs/CLASSID-RBAC-KEYSTONE-SPEC.md §7 — MINTED + CONFIRMED block.

Tests: 298/0 workspace; ogar-vocab 93 + ogar-class-view 13 (= 106 in the
touched crates) + 2 doctests. fmt-clean; no new clippy warnings (the
ports.rs delta is fmt-normalization of pre-existing drift).
