Align SLURP access control with config authority levels

2025-09-27 15:33:23 +10:00
parent 0b670a535d
commit a99469f346
3 changed files with 157 additions and 148 deletions
--- a/pkg/config/security.go
+++ b/pkg/config/security.go
@@ -2,12 +2,18 @@ package config

 import "time"

-// Authority levels for roles
+// AuthorityLevel represents the privilege tier associated with a role.
+type AuthorityLevel string
+
+// Authority levels for roles (aligned with CHORUS hierarchy).
 const (
-	AuthorityReadOnly   = "readonly"
-	AuthoritySuggestion = "suggestion"
-	AuthorityFull       = "full"
-	AuthorityAdmin      = "admin"
+	AuthorityMaster       AuthorityLevel = "master"
+	AuthorityAdmin        AuthorityLevel = "admin"
+	AuthorityDecision     AuthorityLevel = "decision"
+	AuthorityCoordination AuthorityLevel = "coordination"
+	AuthorityFull         AuthorityLevel = "full"
+	AuthoritySuggestion   AuthorityLevel = "suggestion"
+	AuthorityReadOnly     AuthorityLevel = "readonly"
 )

 // SecurityConfig defines security-related configuration
@@ -43,14 +49,14 @@ type AgeKeyPair struct {

 // RoleDefinition represents a role configuration
 type RoleDefinition struct {
-	Name           string      `yaml:"name"`
-	Description    string      `yaml:"description"`
-	Capabilities   []string    `yaml:"capabilities"`
-	AccessLevel    string      `yaml:"access_level"`
-	AuthorityLevel string      `yaml:"authority_level"`
-	Keys           *AgeKeyPair `yaml:"keys,omitempty"`
-	AgeKeys        *AgeKeyPair `yaml:"age_keys,omitempty"`    // Legacy field name
-	CanDecrypt     []string    `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
+	Name           string         `yaml:"name"`
+	Description    string         `yaml:"description"`
+	Capabilities   []string       `yaml:"capabilities"`
+	AccessLevel    string         `yaml:"access_level"`
+	AuthorityLevel AuthorityLevel `yaml:"authority_level"`
+	Keys           *AgeKeyPair    `yaml:"keys,omitempty"`
+	AgeKeys        *AgeKeyPair    `yaml:"age_keys,omitempty"`    // Legacy field name
+	CanDecrypt     []string       `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
 }

 // GetPredefinedRoles returns the predefined roles for the system
@@ -61,7 +67,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Project coordination and management",
 			Capabilities:   []string{"coordination", "planning", "oversight"},
 			AccessLevel:    "high",
-			AuthorityLevel: AuthorityAdmin,
+			AuthorityLevel: AuthorityMaster,
 			CanDecrypt:     []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
 		},
 		"backend_developer": {
@@ -69,7 +75,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Backend development and API work",
 			Capabilities:   []string{"backend", "api", "database"},
 			AccessLevel:    "medium",
-			AuthorityLevel: AuthorityFull,
+			AuthorityLevel: AuthorityDecision,
 			CanDecrypt:     []string{"backend_developer"},
 		},
 		"frontend_developer": {
@@ -77,7 +83,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Frontend UI development",
 			Capabilities:   []string{"frontend", "ui", "components"},
 			AccessLevel:    "medium",
-			AuthorityLevel: AuthorityFull,
+			AuthorityLevel: AuthorityCoordination,
 			CanDecrypt:     []string{"frontend_developer"},
 		},
 		"devops_engineer": {
@@ -85,7 +91,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Infrastructure and deployment",
 			Capabilities:   []string{"infrastructure", "deployment", "monitoring"},
 			AccessLevel:    "high",
-			AuthorityLevel: AuthorityFull,
+			AuthorityLevel: AuthorityDecision,
 			CanDecrypt:     []string{"devops_engineer", "backend_developer"},
 		},
 		"security_engineer": {
@@ -93,7 +99,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Security oversight and hardening",
 			Capabilities:   []string{"security", "audit", "compliance"},
 			AccessLevel:    "high",
-			AuthorityLevel: AuthorityAdmin,
+			AuthorityLevel: AuthorityMaster,
 			CanDecrypt:     []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
 		},
 		"security_expert": {
@@ -101,7 +107,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Advanced security analysis and policy work",
 			Capabilities:   []string{"security", "policy", "response"},
 			AccessLevel:    "high",
-			AuthorityLevel: AuthorityAdmin,
+			AuthorityLevel: AuthorityMaster,
 			CanDecrypt:     []string{"security_expert", "security_engineer", "project_manager"},
 		},
 		"senior_software_architect": {
@@ -109,7 +115,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Architecture governance and system design",
 			Capabilities:   []string{"architecture", "design", "coordination"},
 			AccessLevel:    "high",
-			AuthorityLevel: AuthorityAdmin,
+			AuthorityLevel: AuthorityDecision,
 			CanDecrypt:     []string{"senior_software_architect", "project_manager", "backend_developer", "frontend_developer"},
 		},
 		"qa_engineer": {
@@ -117,7 +123,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			Description:    "Quality assurance and testing",
 			Capabilities:   []string{"testing", "validation"},
 			AccessLevel:    "medium",
-			AuthorityLevel: AuthorityFull,
+			AuthorityLevel: AuthorityCoordination,
 			CanDecrypt:     []string{"qa_engineer", "backend_developer", "frontend_developer"},
 		},
 		"readonly_user": {