jesus/Vapora
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Vapora/docs/architecture/roles-permissions-profiles.html

640 lines
26 KiB
HTML
Raw Normal View History

chore: extend doc: adr, tutorials, operations, etc
2026-01-12 03:32:47 +00:00
<!DOCTYPE HTML>
<html lang="en" class="light sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Roles, Permissions &amp; Profiles - VAPORA Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Comprehensive documentation for VAPORA, an intelligent development orchestration platform built entirely in Rust.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "light";
const default_dark_theme = "dark";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd></kbd> or <kbd></kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
let theme = localStorage.getItem('mdbook-theme');
let sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('light')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">VAPORA Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/vapora-platform/vapora" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/vapora-platform/vapora/edit/main/docs/src/../architecture/roles-permissions-profiles.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="-roles-permissions--profiles"><a class="header" href="#-roles-permissions--profiles">👥 Roles, Permissions &amp; Profiles</a></h1>
<h2 id="cedar-based-access-control-for-multi-agent-teams"><a class="header" href="#cedar-based-access-control-for-multi-agent-teams">Cedar-Based Access Control for Multi-Agent Teams</a></h2>
<p><strong>Version</strong>: 0.1.0
<strong>Status</strong>: Specification (VAPORA v1.0 - Authorization)
<strong>Purpose</strong>: Fine-grained RBAC + team profiles for agents and humans</p>
<hr />
<h2 id="-objetivo"><a class="header" href="#-objetivo">🎯 Objetivo</a></h2>
<p>Sistema de autorización multinivel basado en <strong>Cedar Policy Engine</strong> (de provisioning):</p>
<ul>
<li>✅ 12 roles especializados (agentes + humanos)</li>
<li>✅ Perfiles agrupando roles (equipos)</li>
<li>✅ Políticas granulares (resource-level, context-aware)</li>
<li>✅ Audit trail completo</li>
<li>✅ Dynamic policy reload (sin restart)</li>
</ul>
<hr />
<h2 id="-los-12-roles--adminguest"><a class="header" href="#-los-12-roles--adminguest">👥 Los 12 Roles (+ Admin/Guest)</a></h2>
<h3 id="technical-roles"><a class="header" href="#technical-roles">Technical Roles</a></h3>
<p><strong>Architect</strong></p>
<ul>
<li>Permisos: Create ADRs, propose decisions, review architecture</li>
<li>Restricciones: Can't deploy, can't approve own decisions</li>
<li>Resources: Design documents, ADR files, architecture diagrams</li>
</ul>
<p><strong>Developer</strong></p>
<ul>
<li>Permisos: Create code, push to dev branches, request reviews</li>
<li>Restricciones: Can't merge to main, can't delete</li>
<li>Resources: Code files, dev branches, PR creation</li>
</ul>
<p><strong>CodeReviewer</strong></p>
<ul>
<li>Permisos: Comment on PRs, approve/request changes, merge to dev</li>
<li>Restricciones: Can't approve own code, can't force push</li>
<li>Resources: PRs, review comments, dev branches</li>
</ul>
<p><strong>Tester</strong></p>
<ul>
<li>Permisos: Create/modify tests, run benchmarks, report issues</li>
<li>Restricciones: Can't deploy, can't modify code outside tests</li>
<li>Resources: Test files, benchmark results, issue reports</li>
</ul>
<h3 id="documentation-roles"><a class="header" href="#documentation-roles">Documentation Roles</a></h3>
<p><strong>Documenter</strong></p>
<ul>
<li>Permisos: Modify docs/, README, CHANGELOG, update docs/adr/</li>
<li>Restricciones: Can't modify source code</li>
<li>Resources: docs/ directory, markdown files</li>
</ul>
<p><strong>Marketer</strong></p>
<ul>
<li>Permisos: Create marketing content, modify website</li>
<li>Restricciones: Can't modify code, docs, or infrastructure</li>
<li>Resources: marketing/, website, blog posts</li>
</ul>
<p><strong>Presenter</strong></p>
<ul>
<li>Permisos: Create presentations, record demos</li>
<li>Restricciones: Read-only on all code</li>
<li>Resources: presentations/, demo assets</li>
</ul>
<h3 id="operations-roles"><a class="header" href="#operations-roles">Operations Roles</a></h3>
<p><strong>DevOps</strong></p>
<ul>
<li>Permisos: Approve PRs for deployment, trigger CI/CD, modify manifests</li>
<li>Restricciones: Can't modify business logic, can't delete environments</li>
<li>Resources: Kubernetes manifests, CI/CD configs, deployment status</li>
</ul>
<p><strong>Monitor</strong></p>
<ul>
<li>Permisos: View all metrics, create alerts, read logs</li>
<li>Restricciones: Can't modify infrastructure</li>
<li>Resources: Monitoring dashboards, alert rules, logs</li>
</ul>
<p><strong>Security</strong></p>
<ul>
<li>Permisos: Scan code, audit logs, block PRs if critical vulnerabilities</li>
<li>Restricciones: Can't approve deployments</li>
<li>Resources: Security scans, audit logs, vulnerability database</li>
</ul>
<h3 id="management-roles"><a class="header" href="#management-roles">Management Roles</a></h3>
<p><strong>ProjectManager</strong></p>
<ul>
<li>Permisos: View all tasks, update roadmap, assign work</li>
<li>Restricciones: Can't merge code, can't approve technical decisions</li>
<li>Resources: Tasks, roadmap, timelines</li>
</ul>
<p><strong>DecisionMaker</strong></p>
<ul>
<li>Permisos: Approve critical decisions, resolve conflicts</li>
<li>Restricciones: Can't implement decisions</li>
<li>Resources: Decision queue, escalations</li>
</ul>
<p><strong>Orchestrator</strong></p>
<ul>
<li>Permisos: Assign agents to tasks, coordinate workflows</li>
<li>Restricciones: Can't execute tasks directly</li>
<li>Resources: Agent registry, task queue, workflows</li>
</ul>
<h3 id="default-roles"><a class="header" href="#default-roles">Default Roles</a></h3>
<p><strong>Admin</strong></p>
<ul>
<li>Permisos: Everything</li>
<li>Restricciones: None</li>
<li>Resources: All</li>
</ul>
<p><strong>Guest</strong></p>
<ul>
<li>Permisos: Read public docs, view public status</li>
<li>Restricciones: Can't modify anything</li>
<li>Resources: Public docs, public dashboards</li>
</ul>
<hr />
<h2 id="-perfiles-team-groupings"><a class="header" href="#-perfiles-team-groupings">🏢 Perfiles (Team Groupings)</a></h2>
<h3 id="frontend-team"><a class="header" href="#frontend-team">Frontend Team</a></h3>
<pre><code class="language-toml">[profile]
name = "Frontend Team"
members = ["alice@example.com", "bob@example.com", "developer-frontend-001"]
roles = ["Developer", "CodeReviewer", "Tester"]
permissions = [
"create_pr_frontend",
"review_pr_frontend",
"test_frontend",
"commit_dev_branch",
]
resource_constraints = [
"path_prefix:frontend/",
]
</code></pre>
<h3 id="backend-team"><a class="header" href="#backend-team">Backend Team</a></h3>
<pre><code class="language-toml">[profile]
name = "Backend Team"
members = ["charlie@example.com", "developer-backend-001", "developer-backend-002"]
roles = ["Developer", "CodeReviewer", "Tester", "Security"]
permissions = [
"create_pr_backend",
"review_pr_backend",
"test_backend",
"security_scan",
]
resource_constraints = [
"path_prefix:backend/",
"exclude_path:backend/secrets/",
]
</code></pre>
<h3 id="full-stack-team"><a class="header" href="#full-stack-team">Full Stack Team</a></h3>
<pre><code class="language-toml">[profile]
name = "Full Stack Team"
members = ["alice@example.com", "architect-001", "reviewer-001"]
roles = ["Architect", "Developer", "CodeReviewer", "Tester", "Documenter"]
permissions = [
"design_features",
"implement_features",
"review_code",
"test_features",
"document_features",
]
</code></pre>
<h3 id="devops-team"><a class="header" href="#devops-team">DevOps Team</a></h3>
<pre><code class="language-toml">[profile]
name = "DevOps Team"
members = ["devops-001", "devops-002", "security-001"]
roles = ["DevOps", "Monitor", "Security"]
permissions = [
"trigger_ci_cd",
"deploy_staging",
"deploy_production",
"modify_manifests",
"monitor_health",
"security_audit",
]
</code></pre>
<h3 id="management"><a class="header" href="#management">Management</a></h3>
<pre><code class="language-toml">[profile]
name = "Management"
members = ["pm-001", "decision-maker-001", "orchestrator-001"]
roles = ["ProjectManager", "DecisionMaker", "Orchestrator"]
permissions = [
"create_tasks",
"assign_agents",
"make_decisions",
"view_metrics",
]
</code></pre>
<hr />
<h2 id="-cedar-policies-authorization-rules"><a class="header" href="#-cedar-policies-authorization-rules">🔐 Cedar Policies (Authorization Rules)</a></h2>
<h3 id="policy-structure"><a class="header" href="#policy-structure">Policy Structure</a></h3>
<pre><code class="language-cedar">// Policy: Only CodeReviewers can approve PRs
permit(
principal in Role::"CodeReviewer",
action == Action::"approve_pr",
resource
) when {
// Can't approve own PR
principal != resource.author
&amp;&amp; principal.team == resource.team
};
// Policy: Developers can only commit to dev branches
permit(
principal in Role::"Developer",
action == Action::"commit",
resource in Branch::"dev"
) when {
resource.protection_level == "standard"
};
// Policy: Security can block PRs if critical vulns found
permit(
principal in Role::"Security",
action == Action::"block_pr",
resource
) when {
resource.vulnerability_severity == "critical"
};
// Policy: DevOps can only deploy approved code
permit(
principal in Role::"DevOps",
action == Action::"deploy",
resource
) when {
resource.approved_by.has_element(principal)
&amp;&amp; resource.tests_passing == true
};
// Policy: Monitor can view all logs (read-only)
permit(
principal in Role::"Monitor",
action == Action::"view_logs",
resource
);
// Policy: Documenter can only modify docs/
permit(
principal in Role::"Documenter",
action == Action::"modify",
resource
) when {
resource.path.starts_with("docs/")
|| resource.path == "README.md"
|| resource.path == "CHANGELOG.md"
};
</code></pre>
<h3 id="dynamic-policies-hot-reload"><a class="header" href="#dynamic-policies-hot-reload">Dynamic Policies (Hot Reload)</a></h3>
<pre><code class="language-toml"># vapora.toml
[authorization]
cedar_policies_path = ".vapora/policies/"
reload_interval_secs = 30
enable_audit_logging = true
# .vapora/policies/custom-rules.cedar
// Custom rule: Only Architects from Backend Team can design backend features
permit(
principal in Team::"Backend Team",
action == Action::"design_architecture",
resource in ResourceType::"backend_feature"
) when {
principal.role == Role::"Architect"
};
</code></pre>
<hr />
<h2 id="-audit-trail"><a class="header" href="#-audit-trail">🔍 Audit Trail</a></h2>
<h3 id="audit-log-entry"><a class="header" href="#audit-log-entry">Audit Log Entry</a></h3>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub struct AuditLogEntry {
pub id: String,
pub timestamp: DateTime&lt;Utc&gt;,
pub principal_id: String,
pub principal_type: String, // "agent" or "human"
pub action: String,
pub resource: String,
pub result: AuditResult, // Permitted, Denied, Error
pub reason: String,
pub context: HashMap&lt;String, String&gt;,
}
pub enum AuditResult {
Permitted,
Denied { reason: String },
Error { error: String },
}
<span class="boring">}</span></code></pre></pre>
<h3 id="audit-retention-policy"><a class="header" href="#audit-retention-policy">Audit Retention Policy</a></h3>
<pre><code class="language-toml">[audit]
retention_days = 2555 # 7 years for compliance
export_formats = ["json", "csv", "syslog"]
sensitive_fields = ["api_key", "password", "token"] # Redact these
</code></pre>
<hr />
<h2 id="-implementation"><a class="header" href="#-implementation">🚀 Implementation</a></h2>
<h3 id="cedar-policy-engine-integration"><a class="header" href="#cedar-policy-engine-integration">Cedar Policy Engine Integration</a></h3>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub struct AuthorizationEngine {
pub cedar_schema: cedar_policy_core::Schema,
pub policies: cedar_policy_core::PolicySet,
pub audit_log: Vec&lt;AuditLogEntry&gt;,
}
impl AuthorizationEngine {
pub async fn check_permission(
&amp;mut self,
principal: Principal,
action: Action,
resource: Resource,
context: Context,
) -&gt; anyhow::Result&lt;AuthorizationResult&gt; {
let request = cedar_policy_core::Request::new(
principal,
action,
resource,
context,
);
let response = self.policies.evaluate(&amp;request);
let allowed = response.decision == Decision::Allow;
let reason = response.reason.join(", ");
let entry = AuditLogEntry {
id: uuid::Uuid::new_v4().to_string(),
timestamp: Utc::now(),
principal_id: principal.id,
principal_type: principal.principal_type.to_string(),
action: action.name,
resource: resource.id,
result: if allowed {
AuditResult::Permitted
} else {
AuditResult::Denied { reason: reason.clone() }
},
reason,
context: Default::default(),
};
self.audit_log.push(entry);
Ok(AuthorizationResult { allowed, reason })
}
pub async fn hot_reload_policies(&amp;mut self) -&gt; anyhow::Result&lt;()&gt; {
// Read .vapora/policies/ and reload
// Notify all agents of policy changes
Ok(())
}
}
<span class="boring">}</span></code></pre></pre>
<h3 id="context-aware-authorization"><a class="header" href="#context-aware-authorization">Context-Aware Authorization</a></h3>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub struct Context {
pub time: DateTime&lt;Utc&gt;,
pub ip_address: String,
pub environment: String, // "dev", "staging", "prod"
pub is_business_hours: bool,
pub request_priority: Priority, // Low, Normal, High, Critical
}
// Policy example: Can only deploy to prod during business hours
permit(
principal in Role::"DevOps",
action == Action::"deploy_production",
resource
) when {
context.is_business_hours == true
&amp;&amp; context.environment == "production"
};
<span class="boring">}</span></code></pre></pre>
<hr />
<h2 id="-implementation-checklist"><a class="header" href="#-implementation-checklist">🎯 Implementation Checklist</a></h2>
<ul>
<li><input disabled="" type="checkbox"/>
Define Principal (agent_id, role, team, profile)</li>
<li><input disabled="" type="checkbox"/>
Define Action (create_pr, approve, deploy, etc.)</li>
<li><input disabled="" type="checkbox"/>
Define Resource (PR, code file, branch, deployment)</li>
<li><input disabled="" type="checkbox"/>
Implement Cedar policy evaluation</li>
<li><input disabled="" type="checkbox"/>
Load policies from <code>.vapora/policies/</code></li>
<li><input disabled="" type="checkbox"/>
Implement hot reload (30s interval)</li>
<li><input disabled="" type="checkbox"/>
Audit logging for every decision</li>
<li><input disabled="" type="checkbox"/>
CLI: <code>vapora auth check --principal X --action Y --resource Z</code></li>
<li><input disabled="" type="checkbox"/>
CLI: <code>vapora auth policies list/reload</code></li>
<li><input disabled="" type="checkbox"/>
Audit log export (JSON, CSV)</li>
<li><input disabled="" type="checkbox"/>
Tests (policy enforcement)</li>
</ul>
<hr />
<h2 id="-success-metrics"><a class="header" href="#-success-metrics">📊 Success Metrics</a></h2>
<p>✅ Policy evaluation &lt; 10ms
✅ Hot reload works without restart
✅ Audit log complete and queryable
✅ Multi-team isolation working
✅ Context-aware rules enforced
✅ Deny reasons clear and actionable</p>
<hr />
<p><strong>Version</strong>: 0.1.0
<strong>Status</strong>: ✅ Specification Complete (VAPORA v1.0)
<strong>Purpose</strong>: Cedar-based authorization for multi-agent multi-team platform</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../../architecture/task-agent-doc-manager.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../adrs/index.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../../architecture/task-agent-doc-manager.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../adrs/index.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
Reference in New Issue Copy Permalink