VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	3115e388fc	feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders Replaces the binary acl.allow/deny model with five permission verbs (r/w/c/d/a) and first-class roles, and adds an authenticated file API (PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps. File API (zddc/internal/handler/fileapi.go) - PUT <new> → action c - PUT <existing> → action w - PUT <.zddc> → action a (CanEditZddc strict-ancestor rule) - DELETE → action d - POST mkdir → action c (auto-writes creator-owned .zddc when the parent is Incoming/Working/Staging) - POST move → action w on src + c on dst, atomic via os.Rename - Optional If-Match for optimistic concurrency, --max-write-bytes cap, audit log emits a structured file_write event per operation. Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go) - acl.permissions: { principal → verb-set } map; principals are email patterns or role names. Empty verb set is an explicit deny. - roles: { name → members } definitions, available at the level they declare and all descendants. Closer-to-leaf shadows ancestor. - Legacy acl.allow/deny still work; they fold into permissions at parse time (allow → "rwcd", deny → ""). - Cascade walks leaf→root; first level with any matching entry wins; the union of matching verb sets at that level decides. - --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an ancestor explicit-deny is absolute (NIST AC-6). Default delegated preserves the existing commercial behavior. Special folders (zddc/internal/zddc/special.go) - Incoming / Working / Staging: mkdir auto-writes a .zddc into the new subdir granting created_by + that email rwcda directly. Same form operators write by hand; creator can edit it later to add others. - Issued / Received: server-enforced WORM split. Cascade grants inherited from above the WORM folder are masked to r only; grants placed at-or-below the WORM folder retain r,c. Operators grant write-once (cr) to the doc controller via an explicit .zddc at the Issued/Received folder. Admins exempt — only escape hatch. Browser polyfill (shared/zddc-source.js) - HttpDirectoryHandle + HttpFileHandle implement the FS Access API surface (values, getFileHandle, createWritable, removeEntry, queryPermission/requestPermission) over zddc-server's listing JSON and file API. Existing tools written against showDirectoryPicker work unchanged. - detectServerRoot() returns { handle, status }: tools auto-load on HTTP, surface a clear "no permission to list" message on 403, and fall back to the welcome screen on 0. - classifier renames take the atomic POST move path on HTTP-backed handles; mdedit and transmittal route reads/writes through the polyfill so prior FS-API code paths cover both modes. Tests - zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover delegated vs strict, role membership / shadowing / legacy fallback, WORM split semantics, verb-set parser round-trip. - zddc/internal/handler/fileapi_test.go now also covers role-based vendor scenarios, WORM blocking vendor & doc controller writes, explicit Issued .zddc unlocking the cr drop-box, admin bypass, auto-ownership on mkdir, and strict-mode lockouts. Docs - ARCHITECTURE.md + zddc/README.md document the verb model, role syntax, special-folder behaviors, cascade-mode flag, and full file API surface. Federal-readiness gap analysis strikes AC-3(7) and AC-6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 15:58:04 -05:00
ZDDC	fb13ff4fd8	feat(browse): generic directory listing tool — default at folder URLs All checks were successful Notify chart dev on beta cut / notify-chart-dev (push) Successful in 5s Details A new HTML tool — browse — that lists the contents of any directory. Designed for ZDDC archives but no ZDDC-specific filtering; just a straight folder browser with expand/collapse, sort, and name filter. Modes (auto-detected at page load): - Online: when served by zddc-server at a folder URL, queries the same URL with Accept: application/json to load the listing and renders it. Auto-served as the default at any directory under ZDDC_ROOT without an index.html (replacing the previous minimal-HTML stub from directory.go). - Local: 'Select Directory' button uses FileSystemAccessAPI to pick any folder on disk; works in Chromium-based browsers. Features (Phase 1 — what's in this commit): - Tree view with lazy-loaded folders (children fetched on first expand). - Sort by name / size / extension / date (column header click). - Filter by name substring (toolbar input). - File click opens in a new tab — for server-backed pages, routes through zddc-server's normal handler so .archive redirects + apps cascade overrides + ACL all apply. Phase 2 deferred: - ZIP files inline expansion (treat archive entries as virtual children). - File preview popup (reuse shared/preview-lib.js). - Extension multi-select filter. Wiring: - browse/ added to top-level ./build's per-tool list, embed block, versions.txt, and the lockstep release commit + tag set. All seven tools (archive, transmittal, classifier, mdedit, landing, form, browse) advance together on stable cuts. - shared/build-lib.sh: browse added to ZDDC_RELEASE_TOOLS and verify_channel_links's per-tool loop. - zddc/internal/apps/embed.go: //go:embed browse.html + EmbeddedBytes("browse") case. - zddc/internal/apps/availability.go: browse available at every directory (same as archive). - zddc/internal/apps/handler.go: MatchAppHTML routes /<dir>/browse.html → 'browse'. - zddc/internal/handler/directory.go: when a directory request arrives with Accept: text/html and no index.html exists, serve the embedded browse.html bytes (with a JSON-fallback if the embedded slot is empty during bootstrap).	2026-05-03 19:56:51 -05:00
ZDDC	8b6a2dc3e3	feat(zddc-server): apps fetch+cache subsystem with cascade overrides Adds internal/apps/ package serving the five tool HTMLs at virtual paths based on the surrounding folder name convention: archive every directory (multi-project, project, archive, vendor) classifier any Incoming/Working/Staging directory and subtree mdedit any Working directory and subtree transmittal any Staging directory and subtree landing only at deployment root The current-stable build of every tool is //go:embed'd into the binary at compile time — that's the default with zero config. Operators override per-directory via .zddc apps: entries; closer-to-leaf wins. Spec syntax (in any apps: value): stable / beta / alpha / :stable channel v0.0.4 / v0.0 / v0 / :v0.0.4 version https://my-mirror/releases URL prefix only https://my-mirror/releases:beta URL prefix + channel https://my-fork/archive.html terminal full URL ./local.html / /abs/path.html terminal local path The special apps.default key provides a baseline URL prefix and channel inherited by any app not overridden per-name. Per-axis cascade: a deeper .zddc can override the URL, the channel, or both. Cascade walks root→leaf; default applies first at each level, then the per-app entry. Terminal sources (paths and full .html URLs) short-circuit composition; deeper non-terminal entries override parent terminals. URL sources fetch once on first request and cache forever in <ZDDC_ROOT>/_app/<host>/<path> — different upstreams with the same filename stay distinct. No background refresh, no SHA-256 verification: operators delete the cache file to force a refetch. Concurrent misses for the same source dedupe via a 30-line hand-rolled singleflight. Per-request override: any user can append ?v=<spec> to a tool URL (e.g. ?v=beta, ?v=v0.0.4, ?v=:alpha, ?v=https://mirror/releases:beta) to ask for a different build for one request. Security: ?v= serves ONLY versions already in the cache (cache miss returns 404; path sources are rejected outright with 400). Users cannot trigger arbitrary upstream fetches via crafted URLs. Failed URL fetches (network down, 5xx) fall back to embedded with a one-time WARN log. The X-ZDDC-Source response header reports what served: fetch:URL / cache:URL / path:/abs / embedded:<app>@<build>. Wire-in (cmd/zddc-server/main.go): dispatch routes <dir>/<app>.html through apps.MatchAppHTML + AppAvailableAt + apps.Server.Serve when no real file exists. Direct URL access to /_app/... is blocked at the dispatch layer — cached files must go through the apps resolver so they get correct Content-Type and ACL gating. Schema (internal/zddc/file.go): ZddcFile gains Apps map[string]string for cascade overrides. Validator (internal/zddc/validate.go) accepts the special "default" key alongside the five canonical app names and all spec forms. Removes ZDDC_APPS_* env vars (no admin UI, no refresh interval, no upstream allow-list — the simpler model has fewer knobs). 40+ unit tests across the new package: parser shapes, cascade resolution with default+per-app interactions, terminal short-circuit semantics, ?v= cache-only enforcement, embedded fallback, atomic cache writes, singleflight dedup. Plus end-to-end dispatch tests in cmd/zddc-server/main_test.go. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 15:25:25 -05:00

Author

SHA1

Message

Date

ZDDC

3115e388fc

feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders

Replaces the binary acl.allow/deny model with five permission verbs
(r/w/c/d/a) and first-class roles, and adds an authenticated file API
(PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over
HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps.

File API (zddc/internal/handler/fileapi.go)
  - PUT <new>      → action c
  - PUT <existing> → action w
  - PUT <.zddc>    → action a (CanEditZddc strict-ancestor rule)
  - DELETE         → action d
  - POST mkdir     → action c (auto-writes creator-owned .zddc when the
                     parent is Incoming/Working/Staging)
  - POST move      → action w on src + c on dst, atomic via os.Rename
  - Optional If-Match for optimistic concurrency, --max-write-bytes cap,
    audit log emits a structured file_write event per operation.

Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go)
  - acl.permissions: { principal → verb-set } map; principals are email
    patterns or role names. Empty verb set is an explicit deny.
  - roles: { name → members } definitions, available at the level they
    declare and all descendants. Closer-to-leaf shadows ancestor.
  - Legacy acl.allow/deny still work; they fold into permissions at
    parse time (allow → "rwcd", deny → "").
  - Cascade walks leaf→root; first level with any matching entry wins;
    the union of matching verb sets at that level decides.
  - --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an
    ancestor explicit-deny is absolute (NIST AC-6). Default delegated
    preserves the existing commercial behavior.

Special folders (zddc/internal/zddc/special.go)
  - Incoming / Working / Staging: mkdir auto-writes a .zddc into the new
    subdir granting created_by + that email rwcda directly. Same form
    operators write by hand; creator can edit it later to add others.
  - Issued / Received: server-enforced WORM split. Cascade grants
    inherited from above the WORM folder are masked to r only; grants
    placed at-or-below the WORM folder retain r,c. Operators grant
    write-once (cr) to the doc controller via an explicit .zddc at the
    Issued/Received folder. Admins exempt — only escape hatch.

Browser polyfill (shared/zddc-source.js)
  - HttpDirectoryHandle + HttpFileHandle implement the FS Access API
    surface (values, getFileHandle, createWritable, removeEntry,
    queryPermission/requestPermission) over zddc-server's listing JSON
    and file API. Existing tools written against showDirectoryPicker
    work unchanged.
  - detectServerRoot() returns { handle, status }: tools auto-load on
    HTTP, surface a clear "no permission to list" message on 403, and
    fall back to the welcome screen on 0.
  - classifier renames take the atomic POST move path on HTTP-backed
    handles; mdedit and transmittal route reads/writes through the
    polyfill so prior FS-API code paths cover both modes.

Tests
  - zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover
    delegated vs strict, role membership / shadowing / legacy fallback,
    WORM split semantics, verb-set parser round-trip.
  - zddc/internal/handler/fileapi_test.go now also covers role-based
    vendor scenarios, WORM blocking vendor & doc controller writes,
    explicit Issued .zddc unlocking the cr drop-box, admin bypass,
    auto-ownership on mkdir, and strict-mode lockouts.

Docs
  - ARCHITECTURE.md + zddc/README.md document the verb model, role
    syntax, special-folder behaviors, cascade-mode flag, and full file
    API surface. Federal-readiness gap analysis strikes AC-3(7) and
    AC-6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 15:58:04 -05:00

ZDDC

fb13ff4fd8

feat(browse): generic directory listing tool — default at folder URLs

Notify chart dev on beta cut / notify-chart-dev (push) Successful in 5s

Details

A new HTML tool — browse — that lists the contents of any directory.
Designed for ZDDC archives but no ZDDC-specific filtering; just a
straight folder browser with expand/collapse, sort, and name filter.

Modes (auto-detected at page load):
  - Online: when served by zddc-server at a folder URL, queries
    the same URL with Accept: application/json to load the listing
    and renders it. Auto-served as the default at any directory
    under ZDDC_ROOT without an index.html (replacing the previous
    minimal-HTML stub from directory.go).
  - Local: 'Select Directory' button uses FileSystemAccessAPI to
    pick any folder on disk; works in Chromium-based browsers.

Features (Phase 1 — what's in this commit):
  - Tree view with lazy-loaded folders (children fetched on first
    expand).
  - Sort by name / size / extension / date (column header click).
  - Filter by name substring (toolbar input).
  - File click opens in a new tab — for server-backed pages,
    routes through zddc-server's normal handler so .archive
    redirects + apps cascade overrides + ACL all apply.

Phase 2 deferred:
  - ZIP files inline expansion (treat archive entries as virtual
    children).
  - File preview popup (reuse shared/preview-lib.js).
  - Extension multi-select filter.

Wiring:
  - browse/ added to top-level ./build's per-tool list, embed
    block, versions.txt, and the lockstep release commit + tag set.
    All seven tools (archive, transmittal, classifier, mdedit,
    landing, form, browse) advance together on stable cuts.
  - shared/build-lib.sh: browse added to ZDDC_RELEASE_TOOLS and
    verify_channel_links's per-tool loop.
  - zddc/internal/apps/embed.go: //go:embed browse.html +
    EmbeddedBytes("browse") case.
  - zddc/internal/apps/availability.go: browse available at every
    directory (same as archive).
  - zddc/internal/apps/handler.go: MatchAppHTML routes
    /<dir>/browse.html → 'browse'.
  - zddc/internal/handler/directory.go: when a directory request
    arrives with Accept: text/html and no index.html exists,
    serve the embedded browse.html bytes (with a JSON-fallback
    if the embedded slot is empty during bootstrap).

2026-05-03 19:56:51 -05:00

ZDDC

8b6a2dc3e3

feat(zddc-server): apps fetch+cache subsystem with cascade overrides

Adds internal/apps/ package serving the five tool HTMLs at virtual paths
based on the surrounding folder name convention:

  archive      every directory (multi-project, project, archive, vendor)
  classifier   any Incoming/Working/Staging directory and subtree
  mdedit       any Working directory and subtree
  transmittal  any Staging directory and subtree
  landing      only at deployment root

The current-stable build of every tool is //go:embed'd into the binary
at compile time — that's the default with zero config. Operators
override per-directory via .zddc apps: entries; closer-to-leaf wins.

Spec syntax (in any apps: value):

  stable / beta / alpha / :stable          channel
  v0.0.4 / v0.0 / v0 / :v0.0.4              version
  https://my-mirror/releases                URL prefix only
  https://my-mirror/releases:beta           URL prefix + channel
  https://my-fork/archive.html              terminal full URL
  ./local.html / /abs/path.html             terminal local path

The special apps.default key provides a baseline URL prefix and channel
inherited by any app not overridden per-name. Per-axis cascade: a deeper
.zddc can override the URL, the channel, or both.

Cascade walks root→leaf; default applies first at each level, then the
per-app entry. Terminal sources (paths and full .html URLs) short-circuit
composition; deeper non-terminal entries override parent terminals.

URL sources fetch once on first request and cache forever in
<ZDDC_ROOT>/_app/<host>/<path> — different upstreams with the same
filename stay distinct. No background refresh, no SHA-256 verification:
operators delete the cache file to force a refetch. Concurrent misses
for the same source dedupe via a 30-line hand-rolled singleflight.

Per-request override: any user can append ?v=<spec> to a tool URL
(e.g. ?v=beta, ?v=v0.0.4, ?v=:alpha, ?v=https://mirror/releases:beta)
to ask for a different build for one request. Security: ?v= serves
ONLY versions already in the cache (cache miss returns 404; path
sources are rejected outright with 400). Users cannot trigger
arbitrary upstream fetches via crafted URLs.

Failed URL fetches (network down, 5xx) fall back to embedded with a
one-time WARN log. The X-ZDDC-Source response header reports what
served: fetch:URL / cache:URL / path:/abs / embedded:<app>@<build>.

Wire-in (cmd/zddc-server/main.go): dispatch routes <dir>/<app>.html
through apps.MatchAppHTML + AppAvailableAt + apps.Server.Serve when
no real file exists. Direct URL access to /_app/... is blocked at
the dispatch layer — cached files must go through the apps resolver
so they get correct Content-Type and ACL gating.

Schema (internal/zddc/file.go): ZddcFile gains Apps map[string]string
for cascade overrides. Validator (internal/zddc/validate.go) accepts
the special "default" key alongside the five canonical app names and
all spec forms.

Removes ZDDC_APPS_* env vars (no admin UI, no refresh interval, no
upstream allow-list — the simpler model has fewer knobs).

40+ unit tests across the new package: parser shapes, cascade
resolution with default+per-app interactions, terminal short-circuit
semantics, ?v= cache-only enforcement, embedded fallback, atomic
cache writes, singleflight dedup. Plus end-to-end dispatch tests in
cmd/zddc-server/main_test.go.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-01 15:25:25 -05:00

3 commits