tony/CHORUS
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Align SLURP access control with config authority levels

Browse Source
This commit is contained in:
anthonyrawlins
2025-09-27 15:33:23 +10:00
parent 0b670a535d
commit a99469f346
3 changed files with 157 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/config/config.go
View File

@@ -274,14 +274,13 @@ func (c *Config) ApplyRoleDefinition(role string) error {
}
// GetRoleAuthority returns the authority level for a role (from CHORUS)
func (c *Config) GetRoleAuthority(role string) (string, error) {
// This would contain the authority mapping from CHORUS
switch role {
case "admin":
return "master", nil
default:
return "member", nil
func (c *Config) GetRoleAuthority(role string) (AuthorityLevel, error) {
roles := GetPredefinedRoles()
if def, ok := roles[role]; ok {
return def.AuthorityLevel, nil
}
return AuthorityReadOnly, fmt.Errorf("unknown role: %s", role)
}
// Helper functions for environment variable parsing

48
pkg/config/security.go
View File

@@ -2,12 +2,18 @@ package config
import "time"
// Authority levels for roles
// AuthorityLevel represents the privilege tier associated with a role.
type AuthorityLevel string
// Authority levels for roles (aligned with CHORUS hierarchy).
const (
AuthorityReadOnly = "readonly"
AuthoritySuggestion = "suggestion"
AuthorityFull = "full"
AuthorityAdmin = "admin"
AuthorityMaster AuthorityLevel = "master"
AuthorityAdmin AuthorityLevel = "admin"
AuthorityDecision AuthorityLevel = "decision"
AuthorityCoordination AuthorityLevel = "coordination"
AuthorityFull AuthorityLevel = "full"
AuthoritySuggestion AuthorityLevel = "suggestion"
AuthorityReadOnly AuthorityLevel = "readonly"
)
// SecurityConfig defines security-related configuration
@@ -43,14 +49,14 @@ type AgeKeyPair struct {
// RoleDefinition represents a role configuration
type RoleDefinition struct {
Name string `yaml:"name"`
Description string `yaml:"description"`
Capabilities []string `yaml:"capabilities"`
AccessLevel string `yaml:"access_level"`
AuthorityLevel string `yaml:"authority_level"`
Keys *AgeKeyPair `yaml:"keys,omitempty"`
AgeKeys *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
CanDecrypt []string `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
Name string `yaml:"name"`
Description string `yaml:"description"`
Capabilities []string `yaml:"capabilities"`
AccessLevel string `yaml:"access_level"`
AuthorityLevel AuthorityLevel `yaml:"authority_level"`
Keys *AgeKeyPair `yaml:"keys,omitempty"`
AgeKeys *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
CanDecrypt []string `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
}
// GetPredefinedRoles returns the predefined roles for the system
@@ -61,7 +67,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Project coordination and management",
Capabilities: []string{"coordination", "planning", "oversight"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
AuthorityLevel: AuthorityMaster,
CanDecrypt: []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
},
"backend_developer": {
@@ -69,7 +75,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Backend development and API work",
Capabilities: []string{"backend", "api", "database"},
AccessLevel: "medium",
AuthorityLevel: AuthorityFull,
AuthorityLevel: AuthorityDecision,
CanDecrypt: []string{"backend_developer"},
},
"frontend_developer": {
@@ -77,7 +83,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Frontend UI development",
Capabilities: []string{"frontend", "ui", "components"},
AccessLevel: "medium",
AuthorityLevel: AuthorityFull,
AuthorityLevel: AuthorityCoordination,
CanDecrypt: []string{"frontend_developer"},
},
"devops_engineer": {
@@ -85,7 +91,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Infrastructure and deployment",
Capabilities: []string{"infrastructure", "deployment", "monitoring"},
AccessLevel: "high",
AuthorityLevel: AuthorityFull,
AuthorityLevel: AuthorityDecision,
CanDecrypt: []string{"devops_engineer", "backend_developer"},
},
"security_engineer": {
@@ -93,7 +99,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Security oversight and hardening",
Capabilities: []string{"security", "audit", "compliance"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
AuthorityLevel: AuthorityMaster,
CanDecrypt: []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
},
"security_expert": {
@@ -101,7 +107,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Advanced security analysis and policy work",
Capabilities: []string{"security", "policy", "response"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
AuthorityLevel: AuthorityMaster,
CanDecrypt: []string{"security_expert", "security_engineer", "project_manager"},
},
"senior_software_architect": {
@@ -109,7 +115,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Architecture governance and system design",
Capabilities: []string{"architecture", "design", "coordination"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
AuthorityLevel: AuthorityDecision,
CanDecrypt: []string{"senior_software_architect", "project_manager", "backend_developer", "frontend_developer"},
},
"qa_engineer": {
@@ -117,7 +123,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
Description: "Quality assurance and testing",
Capabilities: []string{"testing", "validation"},
AccessLevel: "medium",
AuthorityLevel: AuthorityFull,
AuthorityLevel: AuthorityCoordination,
CanDecrypt: []string{"qa_engineer", "backend_developer", "frontend_developer"},
},
"readonly_user": {