PARC Request Model (v0.1.2)
This document defines Kernite’s request model using a Cedar-style PARC shape:
- principal
- action (represented as operation)
- resource
- context
Why PARC
Kernite’s purpose is deterministic policy decisions with machine-operable feedback. PARC is a strong fit because:
- It keeps authorization intent explicit instead of hiding behavior in ad hoc payload fields.
- It supports both RBAC and ABAC patterns without changing the contract shape.
- It maps well to relationship operations like associate, where actor and resource context matter.
Request Shape
POST /v1/execute accepts:
- workspace_id (required)
- object_type (required)
- operation (required)
- principal (required object)
- payload (required object)
- resource (optional object)
- context (optional object)
- policy_context (optional object)
Policy Conditions (when-style)
Kernite supports policy-level conditions that mirror Cedar-style when intent.
Each condition is an object:
- left: dot-path into normalized request context
- op: eq or neq
- right: comparison value
left path:
- operation
- object_type
- principal.*
- resource.*
- context.*
- payload.*
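The condition shape and left-path list above can be exercised with a small evaluator. This is an added example, not Kernite's own code: the function names, the sample request, the fail-closed handling of missing paths, the AND combination of conditions and the strict type comparison are all assumptions.

```python
# Added illustration; not Kernite's implementation. Missing-path handling,
# AND semantics and strict typing are assumptions the page does not specify.
SCALAR_ROOTS = {"operation", "object_type"}
OBJECT_ROOTS = {"principal", "resource", "context", "payload"}
_MISSING = object()

# Constructed sample of a normalized request.
REQUEST = {
    "workspace_id": "ws-example", "object_type": "document",
    "operation": "associate",
    "principal": {"id": "user-1", "role": "editor"},
    "payload": {"target_id": "doc-2"},
    "resource": {"owner": "user-1"},
    "context": {"mfa": True},
}


def resolve(request, path):
    """Follow a dot-path; reject roots outside the documented list."""
    parts = path.split(".")
    scalar_ok = parts[0] in SCALAR_ROOTS and len(parts) == 1
    object_ok = parts[0] in OBJECT_ROOTS and len(parts) >= 2
    if not (scalar_ok or object_ok) or "" in parts:
        raise ValueError(f"unsupported left path: {path!r}")
    node = request
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def condition_holds(request, cond):
    """Evaluate one {left, op, right} condition."""
    if set(cond) != {"left", "op", "right"} or cond["op"] not in ("eq", "neq"):
        raise ValueError(f"malformed condition: {cond!r}")
    value = resolve(request, cond["left"])
    if value is _MISSING:
        return False  # assumption: an absent attribute never satisfies eq or neq
    # Assumption: strict typing, so True does not equal 1 and "1" does not equal 1.
    same = type(value) is type(cond["right"]) and value == cond["right"]
    return same if cond["op"] == "eq" else not same


def conditions_hold(request, conditions):
    """Assumption: every condition must hold; an empty list always holds."""
    return all(condition_holds(request, c) for c in conditions)
```

Treating a missing attribute as a non-match for neq as well as eq keeps a policy from applying just because an optional object such as resource was omitted from the request.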
Validation and Execute Boundary
/v1/execute is the external PEP boundary and always runs:
- request validation and normalization
- policy evaluation
Compatibility Notes
- operation=associate is supported in v0.1.2.
- Existing v1 response contract fields remain stable.
- conditions are additive and optional; policies without conditions keep previous behavior.