feat(auth,framework,react): implement extensible RBAC contract and gu…#3

Open
gs-layer wants to merge 1 commit into feat/auth-provider from feat/rbac

@gs-layer
Owner

Summary

Implemented a minimal, sufficient, and extensible RBAC contract in FrontX across auth, framework, and react, with fail-closed behavior and a React guard API.

What Changed

@hai3/auth

  • Extended the authorization contract:
    • kept binary canAccess (allow | deny) as the primary path.
    • made AccessEvaluation provider-agnostic and extensible (without hard-coupling to a specific PDP format).
  • Preserved backward compatibility of required AuthProvider methods.

@hai3/framework

  • Hardened the auth plugin runtime:
    • evaluateAccess / evaluateMany normalization remains fail-closed for truly malformed payloads.
    • removed overly strict validation that limited extensibility of provider payloads.
  • Removed buildCapabilities from the public framework surface (kept as internal helper).
  • Updated contract and fail-closed test scenarios.

@hai3/react

  • Added guard API:
    • useCanAccess
    • CanAccess
  • Guard logic defaults to pessimistic/fail-closed behavior (deny until explicit allow).
  • useCanAccess was decoupled from shadow runtime-shape and now uses the explicit framework contract.
  • RBAC tests were consolidated (canonical suite + provider mock suite without duplication).

Behavior / Contract Notes

  • Contract remains additive-first and ready to evolve for other PDP/IdP providers.
  • Malformed/error provider responses are never treated as allow in UI paths.
  • No vendor-specific coupling was introduced into runtime/public APIs.

Validation

The following checks were executed and passed:

  • npm run type-check:packages:sdk
  • npm run type-check:packages:framework
  • npm run type-check:packages:react
  • npm run test --workspace=@cyberfabric/framework
  • npm run test --workspace=@cyberfabric/react
  • npm run build:packages:sdk
  • npm run build:packages:framework
  • npm run build:packages:react
  • npm run arch:check
  • npm run lint:framework
  • npm run lint:react

Scope Hygiene

This PR includes only changes in packages/auth, packages/framework, packages/react, and related tests.
architecture/** and tmp/** are intentionally excluded.

Follow-ups (Non-blocking)

  • Add e2e/adapter-level checks with real provider adapters on top of the current mock/contract test coverage.

Closes cyberfabric#274

…ard API

- add provider-agnostic AccessEvaluation shape with extensible reason/constraints/meta
- keep fail-closed runtime behavior while validating evaluation payload shape
- remove buildCapabilities from framework public exports
- add React RBAC guard API (useCanAccess, CanAccess) with pessimistic defaults
- add/refresh Keycloak/Auth0 mock contract tests and RBAC guard tests
- deduplicate overlapping RBAC test coverage

Signed-off-by: G S <grigoriis.dev@gmail.com>
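
The fail-closed normalization and deny-until-explicit-allow contract described in the summary above, sketched as an added TypeScript example. It is not code from this pull request; the type names, function names and reason strings are assumptions made for illustration.

```typescript
// Added illustration. Type and function names are assumptions, not the @hai3 API.
type Decision = 'allow' | 'deny';

interface AccessEvaluation {
  decision: Decision;
  reason?: unknown;       // extensible fields are carried through untouched
  constraints?: unknown;
  meta?: unknown;
}

function deny(reason: string): AccessEvaluation {
  return { decision: 'deny', reason };
}

// Normalise an untrusted provider payload. Only the exact string 'allow'
// grants access; anything unrecognised collapses to deny.
function normalizeEvaluation(raw: unknown): AccessEvaluation {
  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
    return deny('malformed_evaluation');
  }
  const rec = raw as Record<string, unknown>;
  const d = rec['decision'];
  if (d !== 'allow' && d !== 'deny') return deny('malformed_evaluation');
  const out: AccessEvaluation = { decision: d === 'allow' ? 'allow' : 'deny' };
  // Unknown extra keys are tolerated (additive contract) but not relied on.
  if (rec['reason'] !== undefined) out.reason = rec['reason'];
  if (rec['constraints'] !== undefined) out.constraints = rec['constraints'];
  if (rec['meta'] !== undefined) out.meta = rec['meta'];
  return out;
}

// Batch form: a reply that is not an array of the expected length cannot be
// matched to the requests, so every slot is denied.
function normalizeMany(raw: unknown, expected: number): AccessEvaluation[] {
  const ok = Array.isArray(raw) && raw.length === expected;
  const out: AccessEvaluation[] = [];
  for (let i = 0; i < expected; i++) {
    out.push(ok ? normalizeEvaluation((raw as unknown[])[i]) : deny('malformed_batch'));
  }
  return out;
}

// Provider failures (throw or rejection) are denials, never allows.
async function evaluateAccess(call: () => unknown): Promise<AccessEvaluation> {
  try {
    return normalizeEvaluation(await call());
  } catch {
    return deny('provider_error');
  }
}
```

Truthy-looking values such as `{ decision: true }`, `{ decision: 'ALLOW' }` or `{ allowed: true }` all normalise to deny, which is the property a UI guard depends on when it renders nothing until an explicit allow arrives.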