MoonPolicyKit

MoonPolicyKit is a backend-neutral authorization foundation for MoonBit. It models access as relationships between principals, groups, tenants, folders, documents, and other application objects, then returns an explainable decision.

The project focuses on authorization rather than authentication. OAuth2 and OIDC answer who signed in; MoonPolicyKit answers whether that principal may perform an action on a specific resource.

Planned first release

  • typed object and subject references;
  • relationship tuples and reusable permission rules;
  • direct roles, group membership, and parent-resource inheritance;
  • explicit deny with deterministic precedence;
  • recursion depth and cycle protection;
  • decision traces for audits, tests, and UI explanations;
  • batch checks and object filtering;
  • no browser, filesystem, network, or database dependency in the core.

Status

The first usable core includes relationship tuples, direct and inherited rules, group expansion, explicit deny, cycle protection, decision traces, batch checks, resource filtering, policy validation, and JSON audit snapshots.

let engine = @policy.PolicyEngine::new()
// Typed references: the resource being protected and the principal asking for it.
let document = @policy.ObjectRef::new("document", "roadmap")
let alice = @policy.SubjectRef::direct("user", "alice")
// Relationship tuple: alice holds the "viewer" relation on document:roadmap.
ignore(
  engine.add_tuple(
    @policy.RelationTuple::new(document, "viewer", alice),
  ),
)
// Permission rule: on any "document", the "view" action is allowed to holders of "viewer".
ignore(
  engine.add_rule(
    @policy.PolicyRule::direct_allow("document", "view", "viewer"),
  ),
)
// The decision carries the outcome together with the trace that explains it.
let result = engine.check(document, "view", alice)

Run the complete inheritance and deny example:

moon run cmd/main
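For readers without a MoonBit toolchain, the semantics listed above (relationship tuples, group expansion, parent-resource inheritance, explicit deny with fixed precedence, cycle and depth protection, decision traces, object filtering) can be seen end to end in the following Python sketch. It is an added example written for this page, not MoonPolicyKit's code or API: every class, method and name in it (Ref, RelTuple, Engine, add_rule, inherit_rule, the users, groups, folder and documents) is invented here, and the sample graph is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ref:            # typed reference to an object or a principal, e.g. Ref("user", "alice")
    type: str
    id: str

@dataclass(frozen=True)
class RelTuple:
    """subject holds `relation` on `obj`. With subject_rel set, the subject is a
    userset: everyone holding subject_rel on subject (e.g. group:eng#member)."""
    obj: Ref
    relation: str
    subject: Ref
    subject_rel: str | None = None

@dataclass
class Decision:
    allowed: bool
    reason: str
    trace: list = field(default_factory=list)  # how the answer was reached, for audits and UI

class Engine:
    """Hypothetical engine: the names are invented here, not MoonPolicyKit's API."""
    def __init__(self, max_depth: int = 8):
        self.tuples: set = set()
        self.rules: dict = {"allow": {}, "deny": {}}  # effect -> (type, action) -> relations
        self.inherit: dict = {}  # (type, relation) -> [(via_relation, parent_relation)]
        self.max_depth = max_depth
    def add_tuple(self, t: RelTuple) -> None:
        self.tuples.add(t)
    def add_rule(self, effect: str, obj_type: str, action: str, relation: str) -> None:
        self.rules[effect].setdefault((obj_type, action), []).append(relation)
    def inherit_rule(self, obj_type: str, relation: str, via: str, parent_rel: str) -> None:
        # relation also holds for anyone with parent_rel on the object linked through `via`
        self.inherit.setdefault((obj_type, relation), []).append((via, parent_rel))
    def _has(self, obj: Ref, rel: str, user: Ref, path: tuple, trace: list) -> bool:
        node = (obj, rel)
        if node in path:                 # cycle: this userset is already being expanded
            trace.append(f"cycle at {obj.type}:{obj.id}#{rel}, pruned")
            return False
        if len(path) >= self.max_depth:  # depth guard for deep or hostile graphs
            trace.append(f"depth limit {self.max_depth} at {obj.type}:{obj.id}#{rel}")
            return False
        path = path + (node,)
        for t in self.tuples:
            if t.obj != obj or t.relation != rel:
                continue
            if t.subject_rel is None:
                if t.subject == user:
                    trace.append(f"direct: {obj.type}:{obj.id}#{rel} -> {user.type}:{user.id}")
                    return True
            elif self._has(t.subject, t.subject_rel, user, path, trace):
                trace.append(f"via userset {t.subject.type}:{t.subject.id}#{t.subject_rel}")
                return True
        for via, parent_rel in self.inherit.get((obj.type, rel), []):
            for t in self.tuples:
                if (t.obj == obj and t.relation == via and t.subject_rel is None
                        and self._has(t.subject, parent_rel, user, path, trace)):
                    trace.append(f"inherited {rel} from {t.subject.type}:{t.subject.id}")
                    return True
        return False
    def check(self, obj: Ref, action: str, user: Ref) -> Decision:
        """Deny relations are evaluated before allow relations, so an explicit
        deny wins no matter in which order rules or tuples were added."""
        trace, key = [], (obj.type, action)
        for rel in self.rules["deny"].get(key, []):
            if self._has(obj, rel, user, (), trace):
                return Decision(False, f"explicit deny via {rel}", trace)
        for rel in self.rules["allow"].get(key, []):
            if self._has(obj, rel, user, (), trace):
                return Decision(True, f"allowed via {rel}", trace)
        return Decision(False, "no matching allow rule", trace)
    def filter_objects(self, obj_type: str, action: str, user: Ref) -> list:
        objs = {t.obj for t in self.tuples if t.obj.type == obj_type}   # object filtering
        return sorted((o for o in objs if self.check(o, action, user).allowed), key=lambda o: o.id)

def build_demo(max_depth: int = 8) -> Engine:
    """Constructed sample graph (not real data): a folder shared with a group,
    two documents under it, one explicit deny, and a deliberate membership cycle."""
    e = Engine(max_depth)
    eng, alice, bob = Ref("group", "eng"), Ref("user", "alice"), Ref("user", "bob")
    q3, roadmap, payroll = Ref("folder", "q3"), Ref("document", "roadmap"), Ref("document", "payroll")
    e.add_tuple(RelTuple(eng, "member", alice))
    e.add_tuple(RelTuple(q3, "viewer", eng, "member"))  # group userset, not a single user
    for d in (roadmap, payroll): e.add_tuple(RelTuple(d, "parent", q3))
    e.add_tuple(RelTuple(roadmap, "viewer", bob))
    e.add_tuple(RelTuple(payroll, "blocked", alice))    # explicit deny target
    ga, gb = Ref("group", "a"), Ref("group", "b")
    e.add_tuple(RelTuple(ga, "member", gb, "member"))   # a includes b ...
    e.add_tuple(RelTuple(gb, "member", ga, "member"))   # ... and b includes a: a cycle
    e.add_tuple(RelTuple(Ref("document", "loop"), "viewer", ga, "member"))
    e.add_rule("allow", "document", "view", "viewer")
    e.add_rule("deny", "document", "view", "blocked")
    e.inherit_rule("document", "viewer", "parent", "viewer")
    return e
```

With this graph, `build_demo().check(Ref("document", "roadmap"), "view", Ref("user", "alice"))` is allowed purely through inheritance (document#parent, then folder#viewer, then group:eng#member), and the trace records each hop. The same user is refused on document:payroll even though the same inherited allow applies there, because the deny relation is evaluated first and its precedence does not depend on insertion order. The visited set is the current expansion path rather than a global memo, so the two groups that include each other terminate with a "cycle ... pruned" trace entry instead of recursing forever, and `max_depth` bounds accidentally deep or deliberately hostile graphs.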

The repository keeps changes, tests, issues, pull requests, and release notes traceable throughout the competition.

License

Apache-2.0
