VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/transmittal/build.sh
ZDDC 3115e388fc feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders 
Replaces the binary acl.allow/deny model with five permission verbs
(r/w/c/d/a) and first-class roles, and adds an authenticated file API
(PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over
HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps.

File API (zddc/internal/handler/fileapi.go)
  - PUT <new>      → action c
  - PUT <existing> → action w
  - PUT <.zddc>    → action a (CanEditZddc strict-ancestor rule)
  - DELETE         → action d
  - POST mkdir     → action c (auto-writes creator-owned .zddc when the
                     parent is Incoming/Working/Staging)
  - POST move      → action w on src + c on dst, atomic via os.Rename
  - Optional If-Match for optimistic concurrency, --max-write-bytes cap,
    audit log emits a structured file_write event per operation.

Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go)
  - acl.permissions: { principal → verb-set } map; principals are email
    patterns or role names. Empty verb set is an explicit deny.
  - roles: { name → members } definitions, available at the level they
    declare and all descendants. Closer-to-leaf shadows ancestor.
  - Legacy acl.allow/deny still work; they fold into permissions at
    parse time (allow → "rwcd", deny → "").
  - Cascade walks leaf→root; first level with any matching entry wins;
    the union of matching verb sets at that level decides.
  - --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an
    ancestor explicit-deny is absolute (NIST AC-6). Default delegated
    preserves the existing commercial behavior.

Special folders (zddc/internal/zddc/special.go)
  - Incoming / Working / Staging: mkdir auto-writes a .zddc into the new
    subdir granting created_by + that email rwcda directly. Same form
    operators write by hand; creator can edit it later to add others.
  - Issued / Received: server-enforced WORM split. Cascade grants
    inherited from above the WORM folder are masked to r only; grants
    placed at-or-below the WORM folder retain r,c. Operators grant
    write-once (cr) to the doc controller via an explicit .zddc at the
    Issued/Received folder. Admins exempt — only escape hatch.

Browser polyfill (shared/zddc-source.js)
  - HttpDirectoryHandle + HttpFileHandle implement the FS Access API
    surface (values, getFileHandle, createWritable, removeEntry,
    queryPermission/requestPermission) over zddc-server's listing JSON
    and file API. Existing tools written against showDirectoryPicker
    work unchanged.
  - detectServerRoot() returns { handle, status }: tools auto-load on
    HTTP, surface a clear "no permission to list" message on 403, and
    fall back to the welcome screen on 0.
  - classifier renames take the atomic POST move path on HTTP-backed
    handles; mdedit and transmittal route reads/writes through the
    polyfill so prior FS-API code paths cover both modes.

Tests
  - zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover
    delegated vs strict, role membership / shadowing / legacy fallback,
    WORM split semantics, verb-set parser round-trip.
  - zddc/internal/handler/fileapi_test.go now also covers role-based
    vendor scenarios, WORM blocking vendor & doc controller writes,
    explicit Issued .zddc unlocking the cr drop-box, admin bypass,
    auto-ownership on mkdir, and strict-mode lockouts.

Docs
  - ARCHITECTURE.md + zddc/README.md document the verb model, role
    syntax, special-folder behaviors, cascade-mode flag, and full file
    API surface. Federal-readiness gap analysis strikes AC-3(7) and
    AC-6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 15:58:04 -05:00

182 lines
4.4 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh
set -eu
root_dir=$(cd "$(dirname "$0")" && pwd)
. "$root_dir/../shared/build-lib.sh"
src_html="$root_dir/template.html"
output_dir="$root_dir/dist"
output_html="$output_dir/transmittal.html"
mkdir -p "$output_dir"
ensure_exists "$src_html"
readme_file="$root_dir/README.md"
ensure_exists "$readme_file"
css_temp=$(mktemp)
js_raw=$(mktemp)
js_temp=$(mktemp)
md_temp=$(mktemp)
cleanup() { rm -f "$css_temp" "$js_raw" "$js_temp" "$md_temp"; }
trap cleanup EXIT
# CSS files to concatenate in order
concat_files \
"../shared/base.css" \
"css/base.css" \
"css/layout.css" \
"css/forms.css" \
"css/table.css" \
"css/remarks.css" \
"css/markdown.css" \
"css/markdown-editor.css" \
"css/filter.css" \
"css/modal.css" \
"css/utilities.css" \
"css/print.css" \
> "$css_temp"
# JavaScript files to concatenate in order. Vendored libraries first
# (jszip, docx-preview) so window.JSZip + window.docx are defined before
# any tool code runs — replaces the previous CDN loadLibrary() calls
# scattered through files-preview.js. xlsx stays CDN-loaded on demand.
concat_files \
"../shared/vendor/jszip.min.js" \
"../shared/vendor/docx-preview.min.js" \
"../shared/zddc.js" \
"../shared/hash.js" \
"../shared/zddc-source.js" \
"../shared/theme.js" \
"../shared/preview-lib.js" \
"js/app.js" \
"js/reactive.js" \
"js/dom.js" \
"js/util.js" \
"js/json.js" \
"js/hydrate.js" \
"js/state.js" \
"js/mode.js" \
"js/visibility.js" \
"js/live-digest.js" \
"js/files.js" \
"js/files-archive.js" \
"js/files-render.js" \
"js/files-preview.js" \
"../shared/zddc-filter.js" \
"js/filters.js" \
"js/markdown.js" \
"js/markdown-editor.js" \
"js/email-tags.js" \
"js/validation.js" \
"js/security.js" \
"js/verification.js" \
"js/data.js" \
"js/publish.js" \
"js/reset.js" \
"js/publish-modal.js" \
"js/logos.js" \
"js/drop-zones.js" \
"js/focus.js" \
"../shared/help.js" \
"js/main.js" \
> "$js_raw"
# Escape '</' in JS and the inlined README so neither can prematurely close
# the inline <script> blocks they get embedded in.
escape_js_close_tags "$js_raw" "$js_temp"
escape_js_close_tags "$readme_file" "$md_temp"
compute_build_label "transmittal" "${1:-}" "${2:-}"
awk -v css_file="$css_temp" -v js_file="$js_temp" -v md_file="$md_temp" -v build_label="$build_label" -v is_red="$is_red" -v favicon_uri="$favicon_data_uri" '
BEGIN {
css_inserted = 0
js_inserted = 0
help_inserted = 0
in_help = 0
}
/<link rel="stylesheet" href="css\// { next }
/<link rel="stylesheet" href="tailwind-lite\.css"/ { next }
/<script src="js\// { next }
/<script src="\.\.\// { next }
/<script id="help-markdown" type="application\/markdown">/ {
in_help = 1
next
}
in_help {
if ($0 ~ /<\/script>/) {
in_help = 0
}
next
}
/<head>/ {
print
if (!css_inserted) {
print "<style>"
while ((getline line < css_file) > 0) print line
close(css_file)
print "</style>"
css_inserted = 1
}
next
}
/<\/body>/ {
if (!js_inserted) {
print "<script>"
while ((getline line < js_file) > 0) print line
close(js_file)
print "</script>"
js_inserted = 1
}
if (!help_inserted) {
print "<script id=\"help-markdown\" type=\"application/markdown\">"
while ((getline line < md_file) > 0) print line
close(md_file)
print "</script>"
help_inserted = 1
}
print
next
}
/\{\{BUILD_LABEL\}\}/ {
if (is_red == "1") {
gsub(/\{\{BUILD_LABEL\}\}/, "<span style=\"color:red;font-weight:bold\">" build_label "</span>")
} else {
gsub(/\{\{BUILD_LABEL\}\}/, build_label)
}
print
next
}
/\{\{FAVICON\}\}/ {
gsub(/\{\{FAVICON\}\}/, favicon_uri)
print
next
}
{ print }
END {
if (!css_inserted) {
print "<style>"
while ((getline line < css_file) > 0) print line
close(css_file)
print "</style>"
}
if (!js_inserted) {
print "<script>"
while ((getline line < js_file) > 0) print line
close(js_file)
print "</script>"
}
if (!help_inserted) {
print "<script id=\"help-markdown\" type=\"application/markdown\">"
while ((getline line < md_file) > 0) print line
close(md_file)
print "</script>"
}
}
' "$src_html" > "$output_html"
echo "Wrote $output_html"
if [ "$is_release" = "1" ]; then
promote_release "transmittal"
fi
Reference in a new issue View git blame Copy permalink