VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	e911806eda	feat(server): pluggable OPA-compatible policy decider Add an internal access-decision boundary that all handlers go through instead of calling zddc.AllowedWithChain directly. Two implementations ship: * InternalDecider — wraps the existing zddc.AllowedWithChain. The default. No new dependencies, identical semantics to the legacy code path. ZDDC_OPA_URL=internal (or unset). * HTTPDecider — POSTs the canonical OPA wire format (POST /v1/data/zddc/access/allow with {"input": {...}}, response {"result": true\|false}) over HTTP, HTTPS, or a Unix-domain socket. For federal customers running their own audited Rego policies alongside zddc-server. ZDDC_OPA_URL=http(s)://… or unix:///…. External-mode failure semantics: unreachable / non-2xx / malformed response → fail closed (deny) by default with a WARN log. Operators who prefer availability over correctness flip with ZDDC_OPA_FAIL_OPEN=1. The decider is constructed once at startup, plumbed through ACLMiddleware into the request context. Handlers retrieve it via DeciderFromContext; non-request callers (fs.ListDirectory, EnumerateProjects, enumerateAccess) take it as an explicit parameter. zddc.ZddcFile and zddc.ACLRules gain JSON tags so external Rego authors get idiomatic input shape (acl.allow, admins, …) instead of Go field names (ACL.Allow, Admins, …). Test coverage: * InternalDecider parity tests against zddc.AllowedWithChain (every documented cascade scenario: empty chain, leaf-allow-wins, leaf- deny-beats-parent, leaf-allows-what-parent-denies, deepest-match- wins, etc.) * HTTPDecider happy-path test (canonical wire format) * Fail-closed / fail-open / malformed-response tests Production binary size unchanged (no new deps; HTTP transport is stdlib net/http). 11 ACL call sites migrated. End-to-end verified against the worked-example layout in zddc/README.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 17:45:07 -05:00
ZDDC	a02a26d3c2	feat: form-data system v0 (sixth tool + zddc-server endpoints) All checks were successful Build + deploy releases / build-and-deploy (push) Successful in 8s Details Schema-driven form renderer plus zddc-server endpoints that turn any <name>.form.yaml into a working data-collection form at <path>/<name>.form.html. Submissions land in <path>/<name>/<YYYY-MM-DD>-<email-sanitized>.yaml, ACL-gated by the existing .zddc cascade. The form posts back to its own URL; the server strips ".html" and routes by what's underneath, so create and update use the same client-side code path. Form spec dialect: JSON Schema 2020-12 + RJSF-style ui:* hints, written in YAML. Chosen for LLM authorability — it's the canonical structured-output target for OpenAI/Anthropic, and the ui:* convention is the most-trained UI hint vocabulary. Supported subset for v0: type (string/number/integer/boolean/ array/object), enum, min/max, minLength/maxLength, required, additionalProperties: false, properties, items, format (date, email). Round-trip mode is form-as-truth: submission YAML is regenerated each save, comments are not preserved (the v1 file-as-truth mode for hand-edited files like .zddc itself is deferred). New components: * form/ — sixth single-file HTML tool, vanilla JS renderer (~760 LoC) * zddc/internal/jsonschema/ — focused JSON Schema validator covering only the v0 keyword subset. Match-implementation-cost-to-surface-used: a full library brings 70%+ surface we don't use; revisit when v1 adds $ref + oneOf + if/then/else. * zddc/internal/handler/formhandler.go — RecognizeFormRequest / ServeForm, capability-URL re-edit, atomic submission writes via the new zddc.WriteAtomic helper extracted from writer.go. * dispatch() in zddc-server/main.go now intercepts .form.html and .yaml.html before the static-file path; spec existence is the trigger. Build pipeline: form joins ZDDC_RELEASE_TOOLS in lockstep, gets its own embedded copy in handler/form.html (separate from the apps cascade — the form renderer is fixed, not subject to per-folder version overrides). Tests: 5 new Playwright specs (form-safety) + 14 new Go tests across the validator and handler. All 172 Playwright tests + 10 Go packages green. End-to-end manual verification: GET empty → POST 201 + capability URL → GET re-edit (pre-filled) → POST update → 200, raw YAML browsable, ACL deny → 403. Docs: form/ section added to AGENTS.md and ARCHITECTURE.md. AGENTS.md also documents the implementation-vs-dependency policy. CLAUDE.md repo-shape list extended. Deferred (v1+): .zddc editor migration onto this system, file-as-truth lossless YAML round-trip, ui:show-when conditional visibility, oneOf/anyOf, apps-cascade preview hook, cascade-fetched form definitions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 20:12:16 -05:00

Author

SHA1

Message

Date

ZDDC

e911806eda

feat(server): pluggable OPA-compatible policy decider

Add an internal access-decision boundary that all handlers go through
instead of calling zddc.AllowedWithChain directly. Two implementations
ship:

  * InternalDecider — wraps the existing zddc.AllowedWithChain. The
    default. No new dependencies, identical semantics to the legacy
    code path. ZDDC_OPA_URL=internal (or unset).

  * HTTPDecider — POSTs the canonical OPA wire format
    (POST /v1/data/zddc/access/allow with {"input": {...}}, response
    {"result": true|false}) over HTTP, HTTPS, or a Unix-domain socket.
    For federal customers running their own audited Rego policies
    alongside zddc-server. ZDDC_OPA_URL=http(s)://… or unix:///….

External-mode failure semantics: unreachable / non-2xx / malformed
response → fail closed (deny) by default with a WARN log. Operators
who prefer availability over correctness flip with ZDDC_OPA_FAIL_OPEN=1.

The decider is constructed once at startup, plumbed through ACLMiddleware
into the request context. Handlers retrieve it via DeciderFromContext;
non-request callers (fs.ListDirectory, EnumerateProjects, enumerateAccess)
take it as an explicit parameter.

zddc.ZddcFile and zddc.ACLRules gain JSON tags so external Rego authors
get idiomatic input shape (acl.allow, admins, …) instead of Go field
names (ACL.Allow, Admins, …).

Test coverage:
  * InternalDecider parity tests against zddc.AllowedWithChain (every
    documented cascade scenario: empty chain, leaf-allow-wins, leaf-
    deny-beats-parent, leaf-allows-what-parent-denies, deepest-match-
    wins, etc.)
  * HTTPDecider happy-path test (canonical wire format)
  * Fail-closed / fail-open / malformed-response tests

Production binary size unchanged (no new deps; HTTP transport is
stdlib net/http). 11 ACL call sites migrated. End-to-end verified
against the worked-example layout in zddc/README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-04 17:45:07 -05:00

ZDDC

a02a26d3c2

feat: form-data system v0 (sixth tool + zddc-server endpoints)

Build + deploy releases / build-and-deploy (push) Successful in 8s

Details

Schema-driven form renderer plus zddc-server endpoints that turn any
<name>.form.yaml into a working data-collection form at <path>/<name>.form.html.
Submissions land in <path>/<name>/<YYYY-MM-DD>-<email-sanitized>.yaml,
ACL-gated by the existing .zddc cascade. The form posts back to its own URL;
the server strips ".html" and routes by what's underneath, so create and
update use the same client-side code path.

Form spec dialect: JSON Schema 2020-12 + RJSF-style ui:* hints, written in
YAML. Chosen for LLM authorability — it's the canonical structured-output
target for OpenAI/Anthropic, and the ui:* convention is the most-trained UI
hint vocabulary. Supported subset for v0: type (string/number/integer/boolean/
array/object), enum, min/max, minLength/maxLength, required, additionalProperties:
false, properties, items, format (date, email). Round-trip mode is form-as-truth:
submission YAML is regenerated each save, comments are not preserved (the v1
file-as-truth mode for hand-edited files like .zddc itself is deferred).

New components:
  * form/ — sixth single-file HTML tool, vanilla JS renderer (~760 LoC)
  * zddc/internal/jsonschema/ — focused JSON Schema validator covering only
    the v0 keyword subset. Match-implementation-cost-to-surface-used: a full
    library brings 70%+ surface we don't use; revisit when v1 adds $ref +
    oneOf + if/then/else.
  * zddc/internal/handler/formhandler.go — RecognizeFormRequest / ServeForm,
    capability-URL re-edit, atomic submission writes via the new
    zddc.WriteAtomic helper extracted from writer.go.
  * dispatch() in zddc-server/main.go now intercepts *.form.html and
    *.yaml.html before the static-file path; spec existence is the trigger.

Build pipeline: form joins ZDDC_RELEASE_TOOLS in lockstep, gets its own
embedded copy in handler/form.html (separate from the apps cascade —
the form renderer is fixed, not subject to per-folder version overrides).

Tests: 5 new Playwright specs (form-safety) + 14 new Go tests across the
validator and handler. All 172 Playwright tests + 10 Go packages green.
End-to-end manual verification: GET empty → POST 201 + capability URL →
GET re-edit (pre-filled) → POST update → 200, raw YAML browsable, ACL
deny → 403.

Docs: form/ section added to AGENTS.md and ARCHITECTURE.md. AGENTS.md
also documents the implementation-vs-dependency policy. CLAUDE.md repo-shape
list extended.

Deferred (v1+): .zddc editor migration onto this system, file-as-truth
lossless YAML round-trip, ui:show-when conditional visibility, oneOf/anyOf,
apps-cascade preview hook, cascade-fetched form definitions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 20:12:16 -05:00

2 commits