VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	45005d164e	feat(zddc-server): reviewing/ virtual aggregator + mdedit at the URL Implements the reviewing/ aggregator described in the saved project memory (~/.claude/projects/-home-user-src-zddc/memory/ project_reviewing_folder_design.md). reviewing/ stays in VirtualOnlyCanonicalNames — never materialised on disk — and is served as a join over archive/<party>/received/, archive/<party>/ issued/, and staging/, recomputed on every read. Two depths, both trailing-slash: GET <project>/reviewing/?json=1 → array of virtual <tracking>/ entries, one per submittal in archive/<party>/received/ that doesn't yet have a matching archive/<party>/issued/ entry. Sorted by tracking. URLs stay under reviewing/ so the user can drill into the per-submittal view. ACL: per-party, filtered like fs.ListDirectory. GET <project>/reviewing/<tracking>/?json=1 → array of two virtual entries, received/ + staged/, with canonical URLs pointing back to archive/<party>/received/... and staging/... respectively. staged/ is omitted when no response draft exists yet. When the response moves staging/ → archive/<party>/issued/, the entry vanishes from depth-0 on the next listing. No mutation of the reviewing/ subtree itself; pure join, recomputed on read. Front-end at <project>/reviewing[/<tracking>/] is mdedit (per user request). DefaultAppAt + AppAvailableAt extended to recognise "reviewing" as a canonical mdedit-bearing folder. The polyfill in shared/zddc-source.js is updated to follow listing entries' explicit url field when present (absolute or root-relative) — that's how mdedit's tree follows the depth-1 received/ + staged/ links into the canonical archive/staging subtrees. Dispatcher routing in zddc-server/main.go: - GET <project>/reviewing/[<tracking>/] with Accept: json → ServeReviewing - GET <project>/reviewing/[<tracking>/] with Accept: html → mdedit (rooted at the virtual path; polyfill fetches the JSON listing on its own) - GET <project>/reviewing (no slash) → mdedit (via DefaultAppAt) - GET <project>/reviewing/<tracking> (no slash) → 301 to slash form Tests: - handler/reviewinghandler_test.go (6 cases): IsReviewingPath classification + ServeReviewing depth-0/depth-1 with and without staged drafts + 404 on unknown tracking + empty when archive/ is absent. - apps/availability_test.go updated: reviewing/ now expects mdedit rather than "" (no default). - cmd/zddc-server/main_test.go: TestDispatchEmptyCanonicalProjectFolders extended to assert reviewing → mdedit at the no-slash form; older "no-slash/reviewing → 301" test removed. Future work (not in this commit): write translation. Editing a file under reviewing/<tracking>/staged/<f>.md works today because the polyfill rewrites to /<project>/staging/<response>/<f>.md before fetching — the user's URL bar moves to the canonical path on click. A virtual-filesystem mode where the URL bar stays under reviewing/ throughout would require server-side write rewriting (translate PUT/DELETE on reviewing/.../staged/... into the canonical staging/ path). Not needed for the MVP — links in mdedit's tree work. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-09 21:37:08 -05:00
ZDDC	3115e388fc	feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders Replaces the binary acl.allow/deny model with five permission verbs (r/w/c/d/a) and first-class roles, and adds an authenticated file API (PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps. File API (zddc/internal/handler/fileapi.go) - PUT <new> → action c - PUT <existing> → action w - PUT <.zddc> → action a (CanEditZddc strict-ancestor rule) - DELETE → action d - POST mkdir → action c (auto-writes creator-owned .zddc when the parent is Incoming/Working/Staging) - POST move → action w on src + c on dst, atomic via os.Rename - Optional If-Match for optimistic concurrency, --max-write-bytes cap, audit log emits a structured file_write event per operation. Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go) - acl.permissions: { principal → verb-set } map; principals are email patterns or role names. Empty verb set is an explicit deny. - roles: { name → members } definitions, available at the level they declare and all descendants. Closer-to-leaf shadows ancestor. - Legacy acl.allow/deny still work; they fold into permissions at parse time (allow → "rwcd", deny → ""). - Cascade walks leaf→root; first level with any matching entry wins; the union of matching verb sets at that level decides. - --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an ancestor explicit-deny is absolute (NIST AC-6). Default delegated preserves the existing commercial behavior. Special folders (zddc/internal/zddc/special.go) - Incoming / Working / Staging: mkdir auto-writes a .zddc into the new subdir granting created_by + that email rwcda directly. Same form operators write by hand; creator can edit it later to add others. - Issued / Received: server-enforced WORM split. Cascade grants inherited from above the WORM folder are masked to r only; grants placed at-or-below the WORM folder retain r,c. Operators grant write-once (cr) to the doc controller via an explicit .zddc at the Issued/Received folder. Admins exempt — only escape hatch. Browser polyfill (shared/zddc-source.js) - HttpDirectoryHandle + HttpFileHandle implement the FS Access API surface (values, getFileHandle, createWritable, removeEntry, queryPermission/requestPermission) over zddc-server's listing JSON and file API. Existing tools written against showDirectoryPicker work unchanged. - detectServerRoot() returns { handle, status }: tools auto-load on HTTP, surface a clear "no permission to list" message on 403, and fall back to the welcome screen on 0. - classifier renames take the atomic POST move path on HTTP-backed handles; mdedit and transmittal route reads/writes through the polyfill so prior FS-API code paths cover both modes. Tests - zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover delegated vs strict, role membership / shadowing / legacy fallback, WORM split semantics, verb-set parser round-trip. - zddc/internal/handler/fileapi_test.go now also covers role-based vendor scenarios, WORM blocking vendor & doc controller writes, explicit Issued .zddc unlocking the cr drop-box, admin bypass, auto-ownership on mkdir, and strict-mode lockouts. Docs - ARCHITECTURE.md + zddc/README.md document the verb model, role syntax, special-folder behaviors, cascade-mode flag, and full file API surface. Federal-readiness gap analysis strikes AC-3(7) and AC-6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 15:58:04 -05:00

Author

SHA1

Message

Date

ZDDC

45005d164e

feat(zddc-server): reviewing/ virtual aggregator + mdedit at the URL

Implements the reviewing/ aggregator described in the saved
project memory (~/.claude/projects/-home-user-src-zddc/memory/
project_reviewing_folder_design.md). reviewing/ stays in
VirtualOnlyCanonicalNames — never materialised on disk — and is
served as a join over archive/<party>/received/, archive/<party>/
issued/, and staging/, recomputed on every read.

Two depths, both trailing-slash:

  GET <project>/reviewing/?json=1
    → array of virtual <tracking>/ entries, one per submittal in
      archive/<party>/received/ that doesn't yet have a matching
      archive/<party>/issued/ entry. Sorted by tracking. URLs stay
      under reviewing/ so the user can drill into the per-submittal
      view. ACL: per-party, filtered like fs.ListDirectory.

  GET <project>/reviewing/<tracking>/?json=1
    → array of two virtual entries, received/ + staged/, with
      canonical URLs pointing back to archive/<party>/received/...
      and staging/... respectively. staged/ is omitted when no
      response draft exists yet.

When the response moves staging/ → archive/<party>/issued/, the
entry vanishes from depth-0 on the next listing. No mutation of
the reviewing/ subtree itself; pure join, recomputed on read.

Front-end at <project>/reviewing[/<tracking>/] is mdedit (per
user request). DefaultAppAt + AppAvailableAt extended to recognise
"reviewing" as a canonical mdedit-bearing folder. The polyfill in
shared/zddc-source.js is updated to follow listing entries' explicit
url field when present (absolute or root-relative) — that's how
mdedit's tree follows the depth-1 received/ + staged/ links into
the canonical archive/staging subtrees.

Dispatcher routing in zddc-server/main.go:
  - GET <project>/reviewing/[<tracking>/] with Accept: json
    → ServeReviewing
  - GET <project>/reviewing/[<tracking>/] with Accept: html
    → mdedit (rooted at the virtual path; polyfill fetches the
      JSON listing on its own)
  - GET <project>/reviewing (no slash) → mdedit (via DefaultAppAt)
  - GET <project>/reviewing/<tracking> (no slash) → 301 to slash form

Tests:
  - handler/reviewinghandler_test.go (6 cases): IsReviewingPath
    classification + ServeReviewing depth-0/depth-1 with and without
    staged drafts + 404 on unknown tracking + empty when archive/ is
    absent.
  - apps/availability_test.go updated: reviewing/ now expects mdedit
    rather than "" (no default).
  - cmd/zddc-server/main_test.go: TestDispatchEmptyCanonicalProjectFolders
    extended to assert reviewing → mdedit at the no-slash form;
    older "no-slash/reviewing → 301" test removed.

Future work (not in this commit): write translation. Editing a file
under reviewing/<tracking>/staged/<f>.md works today because the
polyfill rewrites to /<project>/staging/<response>/<f>.md before
fetching — the user's URL bar moves to the canonical path on click.
A virtual-filesystem mode where the URL bar stays under reviewing/
throughout would require server-side write rewriting (translate
PUT/DELETE on reviewing/.../staged/... into the canonical staging/
path). Not needed for the MVP — links in mdedit's tree work.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-09 21:37:08 -05:00

ZDDC

3115e388fc

feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders

Replaces the binary acl.allow/deny model with five permission verbs
(r/w/c/d/a) and first-class roles, and adds an authenticated file API
(PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over
HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps.

File API (zddc/internal/handler/fileapi.go)
  - PUT <new>      → action c
  - PUT <existing> → action w
  - PUT <.zddc>    → action a (CanEditZddc strict-ancestor rule)
  - DELETE         → action d
  - POST mkdir     → action c (auto-writes creator-owned .zddc when the
                     parent is Incoming/Working/Staging)
  - POST move      → action w on src + c on dst, atomic via os.Rename
  - Optional If-Match for optimistic concurrency, --max-write-bytes cap,
    audit log emits a structured file_write event per operation.

Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go)
  - acl.permissions: { principal → verb-set } map; principals are email
    patterns or role names. Empty verb set is an explicit deny.
  - roles: { name → members } definitions, available at the level they
    declare and all descendants. Closer-to-leaf shadows ancestor.
  - Legacy acl.allow/deny still work; they fold into permissions at
    parse time (allow → "rwcd", deny → "").
  - Cascade walks leaf→root; first level with any matching entry wins;
    the union of matching verb sets at that level decides.
  - --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an
    ancestor explicit-deny is absolute (NIST AC-6). Default delegated
    preserves the existing commercial behavior.

Special folders (zddc/internal/zddc/special.go)
  - Incoming / Working / Staging: mkdir auto-writes a .zddc into the new
    subdir granting created_by + that email rwcda directly. Same form
    operators write by hand; creator can edit it later to add others.
  - Issued / Received: server-enforced WORM split. Cascade grants
    inherited from above the WORM folder are masked to r only; grants
    placed at-or-below the WORM folder retain r,c. Operators grant
    write-once (cr) to the doc controller via an explicit .zddc at the
    Issued/Received folder. Admins exempt — only escape hatch.

Browser polyfill (shared/zddc-source.js)
  - HttpDirectoryHandle + HttpFileHandle implement the FS Access API
    surface (values, getFileHandle, createWritable, removeEntry,
    queryPermission/requestPermission) over zddc-server's listing JSON
    and file API. Existing tools written against showDirectoryPicker
    work unchanged.
  - detectServerRoot() returns { handle, status }: tools auto-load on
    HTTP, surface a clear "no permission to list" message on 403, and
    fall back to the welcome screen on 0.
  - classifier renames take the atomic POST move path on HTTP-backed
    handles; mdedit and transmittal route reads/writes through the
    polyfill so prior FS-API code paths cover both modes.

Tests
  - zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover
    delegated vs strict, role membership / shadowing / legacy fallback,
    WORM split semantics, verb-set parser round-trip.
  - zddc/internal/handler/fileapi_test.go now also covers role-based
    vendor scenarios, WORM blocking vendor & doc controller writes,
    explicit Issued .zddc unlocking the cr drop-box, admin bypass,
    auto-ownership on mkdir, and strict-mode lockouts.

Docs
  - ARCHITECTURE.md + zddc/README.md document the verb model, role
    syntax, special-folder behaviors, cascade-mode flag, and full file
    API surface. Federal-readiness gap analysis strikes AC-3(7) and
    AC-6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 15:58:04 -05:00

2 commits