Commit graph

2 commits

Author SHA1 Message Date
1e0e403f1e feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6)
Completes the migration. The embedded per-depth tree (internal/zddc/defaults/)
is now the sole source of the shipped baseline; defaults.zddc.yaml is deleted.

  - EmbeddedDefaults() assembles the tree (no yaml). show-defaults now emits a
    .zddc.zip (per-depth, "*" wildcard members) via EmbeddedDefaultsZip() —
    operators redirect it to <ROOT>/.zddc.zip (or any directory) and edit/add/
    delete individual members.
  - Dropped EmbeddedDefaultsBytes; reworked the dumpable test to validate the
    emitted zip; removed the now-redundant tree-vs-yaml oracle (the Layer-2
    matrix is the ongoing behavioral guarantee, and it stays green).
  - Swept stale "defaults.zddc.yaml" comment references to the embedded tree.
  - GRAMMAR.md §1/§6 updated: .zddc.zip is a policy bundle mountable at ANY
    directory (subtree mount; inherit:false + acl.inherit:false = island); the
    shipped baseline is the embedded bundle at the root.

Net of the 6-phase migration: policy is per-depth .zddc files in a .zddc.zip
that an operator can drop at any level to override the cascade; the engine
(Assemble + the unchanged walker) enforces it. Full Go suite + matrix green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 11:35:21 -05:00
bae8e1f79b test(policy): Layer-2 default-policy matrix — role × path × verb truth table
The executable contract for the shipped defaults (internal/zddc/defaults.zddc.yaml):
~38 cells asserting who-can-do-what across the canonical project folders, routed
through the real decider (InternalDecider: cascade + WORM mask + active-admin
bypass) evaluated at the target's logical parent — the same decision the server
makes. Locks the document-control model so a change to the defaults OR the
engine that resolves them can't silently shift access. Storage-agnostic: if the
defaults later move into a project-root .zddc.zip of per-depth .zddc files, the
test is unchanged (it asserts effective policy, not where the bytes live).

Covers: no-create-at-project-root; DC/team/observer per-peer grants (working/
staging/reviewing/incoming/ssr); team rwc on mdl/rsk; archive WORM (DC
create-once, no write/delete; others read); elevated-admin bypass vs un-elevated
no-bypass; anonymous denied. Complements Layer 1 (engine-follows-policy):
policy.TestInternalDecider_CascadeScenarios + zddc/{acl,roles,worm}_test +
policy/parity_test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 10:01:29 -05:00
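The two commits above describe one decision model: per-depth policy members cascade root-down, a member with inherit:false is an island that cuts the cascade, the archive WORM mask overrides any grant, an active (elevated) admin bypasses the policy while an un-elevated one does not, and the truth table asserts the effective decision rather than where the bytes live. The Go program below is an added illustration of that model written for this page; it is not the project's code, and its type and function names (Node, Bundle, Effective, Decide, SampleBundle), the `vendor` island directory and the caller-supplied `exists` flag used to model create-once are assumptions, not the project's .zddc schema or shipped defaults. The roles (dc, team, observer, admin, anonymous) and folder names (working, mdl, archive) are taken from the commit text.

```go
package main

import (
	"fmt"
	"strings"
)

// Verb is one access verb the decider evaluates.
type Verb string

const (
	Read   Verb = "read"
	Write  Verb = "write"
	Create Verb = "create"
	Delete Verb = "delete"
)

// Node stands in for one per-depth policy member (a hypothetical shape for this
// example, not the project's .zddc schema). Inherit=false makes the directory an
// island: ancestor grants are dropped and only this subtree's own grants apply.
type Node struct {
	Inherit bool
	WORM    bool              // write-once mask for this subtree
	Grants  map[string][]Verb // role -> verbs granted at this directory
}

// Bundle maps a directory ("" is the project root) to its Node.
type Bundle map[string]Node

// Effective resolves the cascade at dir: grants accumulate root-down, an island
// resets them, and the WORM mask, once set, covers the whole subtree below it.
func (b Bundle) Effective(dir string) (grants map[string]map[Verb]bool, worm bool) {
	dirs := []string{""} // root first, then every prefix of dir
	if dir != "" {
		parts := strings.Split(dir, "/")
		for i := range parts {
			dirs = append(dirs, strings.Join(parts[:i+1], "/"))
		}
	}
	grants = map[string]map[Verb]bool{}
	for _, d := range dirs {
		n, ok := b[d]
		if !ok {
			continue // no member at this depth: the parent policy flows through unchanged
		}
		if !n.Inherit {
			grants = map[string]map[Verb]bool{} // island: start from nothing
		}
		worm = worm || n.WORM
		for role, verbs := range n.Grants {
			if grants[role] == nil {
				grants[role] = map[Verb]bool{}
			}
			for _, v := range verbs {
				grants[role][v] = true
			}
		}
	}
	return grants, worm
}

// Decide answers "may role do v to target?" with the policy resolved at the
// target's logical parent. elevated models the active-admin bypass; exists is
// supplied by the caller (an assumption here) so that a WORM create is create-once.
func (b Bundle) Decide(role string, elevated bool, target string, v Verb, exists bool) bool {
	if role == "anonymous" {
		return false
	}
	if role == "admin" && elevated {
		return true // an un-elevated admin falls through and gets no bypass
	}
	parent := ""
	if i := strings.LastIndex(target, "/"); i >= 0 {
		parent = target[:i]
	}
	grants, worm := b.Effective(parent)
	if worm && (v == Write || v == Delete || (v == Create && exists)) {
		return false // the WORM mask wins over any grant
	}
	return grants[role][v]
}

// SampleBundle is a constructed baseline echoing the commit text, not the
// project's shipped defaults.
var SampleBundle = Bundle{
	"":        {Inherit: true, Grants: map[string][]Verb{"dc": {Read}, "team": {Read}, "observer": {Read}}},
	"working": {Inherit: true, Grants: map[string][]Verb{"dc": {Write, Create, Delete}}},
	"mdl":     {Inherit: true, Grants: map[string][]Verb{"team": {Write, Create}}},
	"archive": {Inherit: true, WORM: true, Grants: map[string][]Verb{"dc": {Create}}},
	"vendor":  {Inherit: false, Grants: map[string][]Verb{"dc": {Read}}},
}

func main() {
	fmt.Println("dc create archive/r1.pdf, new:     ", SampleBundle.Decide("dc", false, "archive/r1.pdf", Create, false))
	fmt.Println("dc create archive/r1.pdf, existing:", SampleBundle.Decide("dc", false, "archive/r1.pdf", Create, true))
	fmt.Println("team read vendor/x.bin (island):   ", SampleBundle.Decide("team", false, "vendor/x.bin", Read, true))
}
```

The point of evaluating at the target's logical parent is that a create on a not-yet-existing file has no node of its own; the parent directory's effective policy is the only thing that can answer it, which is also what makes "no create at the project root" expressible as simply the root granting nobody `create`. Because Decide only consumes the effective grants, the same truth table holds whether the members come from an embedded tree or from a `.zddc.zip` dropped at some subtree.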