kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
39d9ffb79a08eb4f7d08487b2264348ddf69a8be
mcias/clients
History
Kyle Isom 39d9ffb79a Add service-context login policy enforcement 
Services send service_name and tags in POST /v1/auth/login.
MCIAS evaluates auth:login policy with these as the resource
context after credentials are verified, enabling rules like:
  deny guest/viewer human accounts from env:restricted services
  deny guest accounts from specific named services

- loginRequest: add ServiceName and Tags fields
- handleLogin: evaluate policy after credential+TOTP check;
  policy deny returns 403 (not 401) to distinguish access
  restriction from bad credentials
- Go client: Options.ServiceName/Tags stored on Client,
  sent automatically in every Login() call
- Python client: service_name/tags on __init__, sent in login()
- Rust client: ClientOptions.service_name/tags, LoginRequest
  fields, Client stores and sends them in login()
- openapi.yaml: document service_name/tags request fields
  and 403 response for policy-denied logins
- engineering-standards.md: document service_name/tags in
  [mcias] config section with policy examples

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 21:11:35 -07:00
..
go
Add service-context login policy enforcement
2026-03-16 21:11:35 -07:00
lisp
Implement Phase 9: client libraries (Go, Rust, Lisp, Python)
2026-03-11 16:38:32 -07:00
python
Add service-context login policy enforcement
2026-03-16 21:11:35 -07:00
rust
Add service-context login policy enforcement
2026-03-16 21:11:35 -07:00
testdata
Implement Phase 9: client libraries (Go, Rust, Lisp, Python)
2026-03-11 16:38:32 -07:00
README.md
Implement Phase 9: client libraries (Go, Rust, Lisp, Python)
2026-03-11 16:38:32 -07:00

README.md

This directory contains client libraries for the MCIAS REST API. All language implementations expose this API:

Client(server_url, [ca_cert_path], [token])
login(username, password, [totp_code]) → (token, expires_at)
logout() → void
renew_token() → (token, expires_at)
validate_token(token) → {valid, sub, roles, expires_at}
get_public_key() → {kty, crv, x}
health() → void  # raises/errors on 5xx
create_account(username, account_type, [password]) → account
list_accounts() → [account]
get_account(id) → account
update_account(id, [status]) → account
delete_account(id) → void
get_roles(account_id) → [role]
set_roles(account_id, roles) → void
issue_service_token(account_id) → (token, expires_at)
revoke_token(jti) → void
get_pg_creds(account_id) → pg_creds
set_pg_creds(account_id, host, port, database, username, password) → void
Name HTTP Status Meaning
MciasAuthError 401 Token missing, invalid, or expired
MciasForbiddenError 403 Insufficient role
MciasNotFoundError 404 Resource does not exist
MciasInputError 400 Malformed request
MciasConflictError 409 Conflict (e.g. duplicate username)
MciasServerError 5xx Unexpected server error
testdata/ contains canonical JSON response fixtures shared across language tests.
  • go/ — Go module git.wntrmute.dev/kyle/mcias/clients/go
  • rust/ — Rust crate mcias-client
  • lisp/ — ASDF system mcias-client
  • python/ — Python package mcias_client
Reference in New Issue View Git Blame Copy Permalink