refactor(apl)!: rename authz/authn config keys #111

Open: araujof wants to merge 3 commits into dev from refactor/apl_syntax

araujof (Contributor) commented Jul 1, 2026
Summary

Renames the CPEX/APL authorization/authentication config keys for clarity. Breaking change (pre-1.0): old key names no longer parse.

Old            New
identity:      authentication: (global, route, policy-group)
policy:        authorization.pre_invocation: (or flat pre_invocation:)
post_policy:   authorization.post_invocation: (or flat post_invocation:)

The two authorization phases parse equivalently whether nested under an authorization: block or written flat on the section.

Closes #105.

Deliberately not renamed

The field-pipeline keys args: / result: stay as-is. They're aligned with the args.* / result.* attribute namespaces that predicates and interpolation read (require(args.include_ssn), ${args.repo_name}, args.ssn | redact) — renaming only the config block would have introduced a new inconsistency. (The issue originally proposed inputs/outputs; we tried it and rolled it back for exactly this reason.)

Internal APL IR (CompiledRoute, Phase) and the runtime attribute namespaces are unchanged.

Fail-closed by design

Legacy policy: / post_policy: / identity: keys are rejected loudly at parse/load time (in both the apl-core parser and cpex-core config loader) rather than silently ignored — a dropped authorization or authentication block would otherwise fail open.

Example

routes:
  - tool: get_employee
    authentication: [jwt-user, jwt-client]
    args:
      employee_id: "str"
    authorization:
      pre_invocation:
        - "require(authenticated)"
        - "delegation.depth > 2: deny"
      post_invocation:
        - "run(audit-log)"
    result:
      ssn: "str | redact(!perm.view_ssn)"

Also

  • APL acronym spelled consistently as "Authorization Policy Language" (dropped the legacy "Attribute Policy Language").
  • Docs, README, and CHANGELOG updated with the new surface and a BREAKING migration entry.

Testing

  • cargo fmt --check, cargo clippy --workspace --all-targets, and full cargo test --workspace (all 55 suites) pass.
  • Added coverage for nested-vs-flat equivalence and legacy-key rejection.
  • Praxis regression: built praxis against this checkout (path dep) — compiles with no API/ABI break and its cpex policy integration test passes (401/200). The praxis-demos/demos/cpex configs were migrated to the new surface (separate PR in that repo) and verified to load through install_builtins + load_config_yaml.
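The fail-closed rejection of legacy keys and the nested-versus-flat equivalence described in the PR description above, sketched as an added example (not code from this PR or from apl-core / cpex-core). `Node`, `Map`, `Section` and `load_section` are hypothetical names, the section is modelled as an already-parsed tree rather than real YAML, and rejecting a phase written both nested and flat is an assumption of this example.

```rust
use std::collections::BTreeMap;

// Stand-in for an already-parsed YAML section (hypothetical types, not the apl-core IR).
#[derive(Debug, Clone, PartialEq)]
enum Node { List(Vec<String>), Map(Map) }
type Map = BTreeMap<String, Node>;
#[derive(Debug, PartialEq)]
struct Section { authentication: Vec<String>, pre: Vec<String>, post: Vec<String> }
// Legacy keys and their replacements, from the PR's rename table.
const LEGACY: [(&str, &str); 3] = [("identity", "authentication"),
    ("policy", "authorization.pre_invocation"), ("post_policy", "authorization.post_invocation")];

fn list(map: &Map, key: &str) -> Result<Option<Vec<String>>, String> {
    match map.get(key) {
        None => Ok(None),
        Some(Node::List(v)) => Ok(Some(v.clone())),
        Some(_) => Err(format!("`{key}` must be a list")),
    }
}

fn phase(flat: &Map, nested: &Map, key: &str) -> Result<Vec<String>, String> {
    match (list(nested, key)?, list(flat, key)?) {
        // Assumption of this example: the same phase given twice is ambiguous, so reject it.
        (Some(_), Some(_)) => Err(format!("`{key}` given both nested and flat")),
        (n, f) => Ok(n.or(f).unwrap_or_default()),
    }
}

fn load_section(map: &Map) -> Result<Section, String> {
    // Fail closed: a legacy key is a hard error, never a silently ignored field.
    if let Some((old, new)) = LEGACY.iter().find(|(old, _)| map.contains_key(*old)) {
        return Err(format!("legacy key `{old}` is no longer accepted; use `{new}`"));
    }
    let nested = match map.get("authorization") {
        Some(Node::Map(m)) => m.clone(),
        None => Map::new(),
        Some(_) => return Err("`authorization` must be a mapping".to_string()),
    };
    Ok(Section { authentication: list(map, "authentication")?.unwrap_or_default(),
        pre: phase(map, &nested, "pre_invocation")?, post: phase(map, &nested, "post_invocation")? })
}

fn main() {
    // Constructed sample input: one rule written flat, nested, and under the legacy key.
    let rule = Node::List(vec!["require(authenticated)".to_string()]);
    let flat = Map::from([("pre_invocation".to_string(), rule.clone())]);
    let nested = Map::from([("authorization".to_string(), Node::Map(flat.clone()))]);
    assert_eq!(load_section(&flat), load_section(&nested));
    println!("{:?}", load_section(&Map::from([("policy".to_string(), rule)])));
}
```

A loader that ignored unknown fields would return an empty `pre` list for the legacy `policy:` section, which is the fail-open outcome the PR is guarding against.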

araujof added 3 commits June 30, 2026 22:45
Rename the CPEX/APL config keys for clarity (breaking change):

  identity    -> authentication  (global, route, and policy-group scope)
  policy      -> authorization.pre_invocation  (or flat pre_invocation)
  post_policy -> authorization.post_invocation (or flat post_invocation)

The two authorization phases parse equivalently whether written nested
under an `authorization:` block or flat on the section.

The field-pipeline keys `args:` / `result:` are intentionally left
unchanged: they stay aligned with the `args.*` / `result.*` attribute
namespaces that predicates and interpolation read, so renaming only the
config block would have introduced a new inconsistency.

Legacy `policy:` / `post_policy:` / `identity:` keys are rejected loudly
at parse/load time rather than silently ignored, so a dropped
authorization or authentication block can never fail open. Internal APL
IR (`CompiledRoute`, `Phase`) is unchanged.

Refs #105

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

Update every config example and field reference to the renamed keys
(authentication, authorization.pre_invocation / post_invocation), show
both the nested and flat authorization forms, and add a BREAKING
migration entry to the changelog. The `args:` / `result:` field-pipeline
keys and the `args.*` / `result.*` attribute vocabulary are unchanged.

Refs #105

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

Replace the legacy "Attribute Policy Language" expansion with
"Authorization Policy Language" across code doc-comments, the crate
description, and docs, matching the README and 0.1.x overview.

Refs #105

Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>

araujof requested review from jonpspri and terylt as code owners July 1, 2026 02:54
araujof added this to CPEX Jul 1, 2026
github-project-automation (Bot) moved this to Backlog in CPEX Jul 1, 2026
araujof added this to the 0.2.1 milestone Jul 1, 2026
araujof added the enhancement (New feature or request), framework, and Rust labels Jul 1, 2026
araujof changed the title from "refactor(apl)!: rename authz/authn config keys (identity→authentication, policy→authorization.pre/post_invocation)" to "refactor(apl)!: rename authz/authn config keys" Jul 1, 2026