Bind regulated data policy to capability tokens #239

Open
pshkv wants to merge 7 commits into feat/physical-work-market-profile from codex/token-bound-regulated-data-authority


pshkv commented Jul 1, 2026

Contributor

Summary

  • add a token-bound regulatedDataPolicy capability-token extension for data classes, purposes, processors, regions, models, context fields, and fallback routing
  • include the extension in token schema validation, issuance, signing payloads, and delegated-token inheritance
  • enforce token-bound regulated-data policy in the gateway by intersecting token authority with deployment allowlists
  • add tests proving signed policy validation, tamper rejection, token-level narrowing, context minimization, and fallback disabling
  • update regulated runtime docs to describe token-bound authority

Validation

  • CI=true npx pnpm@9.15.0 --filter @pshkv/core typecheck
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-capability-tokens typecheck
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-policy-gateway typecheck
  • CI=true npx pnpm@9.15.0 --filter @pshkv/core build
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-capability-tokens build
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-policy-gateway build
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-capability-tokens test -- validator.test.ts delegator.test.ts issuer.test.ts
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-policy-gateway test -- regulated-data-policy.test.ts
  • CI=true npx pnpm@9.15.0 --filter @pshkv/conformance-tests test -- src/regulated-agent-runtime-conformance.test.ts
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-policy-gateway test
  • CI=true npx pnpm@9.15.0 --filter @pshkv/bridge-health test
  • CI=true npx pnpm@9.15.0 run docs:build

Notes

  • stacked on feat/physical-work-market-profile because it builds on the regulated runtime profile added there
  • left local untracked .codex/ config untouched

Follow-up update

  • add delegated attenuation for token-bound regulated data policy
  • reject child-token expansion of processors, regions, models, purposes, data classes, context fields, and fallback permission
  • verify delegated regulated policy remains signed and valid after attenuation

Additional validation:

  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-capability-tokens typecheck
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-capability-tokens test -- delegator.test.ts validator.test.ts issuer.test.ts
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-capability-tokens build
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-policy-gateway test -- regulated-data-policy.test.ts

Conformance update

  • add token-bound regulated authority to the regulated runtime fixture
  • assert the regulatedDataPolicy signed fields are part of the profile
  • assert delegated regulated-data policy examples are attenuation-only
  • assert expansion examples fail with INSUFFICIENT_PERMISSIONS

Additional validation:

  • CI=true npx pnpm@9.15.0 --filter @pshkv/conformance-tests test -- src/regulated-agent-runtime-conformance.test.ts
  • CI=true npx pnpm@9.15.0 --filter @pshkv/conformance-tests test:fixtures

Bridge-health update

  • add buildFHIRRegulatedDataPolicy() to derive token-bound regulated data authority from FHIR mappings
  • export the helper with the existing runtime metadata helpers
  • test issued tokens that use the generated policy and gateway context minimization from token-bound fields
  • update bridge-health and quickstart docs to show token policy and request metadata together

Additional validation:

  • CI=true npx pnpm@9.15.0 --filter @pshkv/bridge-health test
  • CI=true npx pnpm@9.15.0 --filter @pshkv/gate-policy-gateway test -- regulated-data-policy.test.ts
  • CI=true npx pnpm@9.15.0 run docs:build

Bridge delegation update

  • add bridge-health coverage for generated regulated-data policy through token delegation
  • prove delegated child tokens can narrow bridge-derived context fields and trigger gateway context minimization
  • document delegated tightenRegulatedDataPolicy usage in the regulated runtime quickstart

Additional validation:

  • CI=true npx pnpm@9.15.0 --filter @pshkv/bridge-health test
  • CI=true npx pnpm@9.15.0 --filter @pshkv/bridge-health typecheck
  • CI=true npx pnpm@9.15.0 --filter @pshkv/bridge-health build
  • CI=true npx pnpm@9.15.0 run docs:build

Example update

  • update the regulated runtime example to derive token policy from bridge metadata
  • show root token issuance, delegated context-field narrowing, and token-store resolution for the child token

Additional validation:

  • CI=true npx pnpm@9.15.0 run docs:build

Bridge README update

  • align the bridge-health README with the token-bound authority flow
  • show delegated context-field narrowing next to buildFHIRRegulatedDataPolicy() usage

Additional validation:

  • CI=true npx pnpm@9.15.0 run docs:build

pshkv marked this pull request as ready for review July 1, 2026 08:18
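
The two checks the description names, attenuation-only delegation and gateway intersection of token authority with deployment allowlists, as an added example that is not code from this pull request. The type, the flat string-list layout with an `allowFallback` flag, and all function names are assumptions; only the field categories and the `INSUFFICIENT_PERMISSIONS` code come from the description.

```typescript
// Added illustration: names below are hypothetical, not the project's API.
type ListField = "dataClasses" | "purposes" | "processors" | "regions" | "models" | "contextFields";
type RegulatedDataPolicy = Record<ListField, string[]> & { allowFallback: boolean };
const LIST_FIELDS: ListField[] = ["dataClasses", "purposes", "processors", "regions", "models", "contextFields"];

const has = (list: string[], v: string): boolean => list.indexOf(v) >= 0;

// Delegation is attenuation-only: each child value must already be granted by the
// parent, and a child may switch fallback off but never on.
function checkAttenuation(parent: RegulatedDataPolicy, child: RegulatedDataPolicy): string | null {
  for (const f of LIST_FIELDS) {
    const extra = child[f].filter((v) => !has(parent[f], v));
    if (extra.length > 0) return `INSUFFICIENT_PERMISSIONS: ${f} adds ${extra.join(",")}`;
  }
  if (child.allowFallback && !parent.allowFallback) return "INSUFFICIENT_PERMISSIONS: allowFallback";
  return null;
}

// Gateway side: effective authority is token policy INTERSECT deployment allowlist,
// so neither the token nor the deployment config can widen access alone.
function effectivePolicy(token: RegulatedDataPolicy, deployment: RegulatedDataPolicy): RegulatedDataPolicy {
  const out = { allowFallback: token.allowFallback && deployment.allowFallback } as RegulatedDataPolicy;
  for (const f of LIST_FIELDS) out[f] = token[f].filter((v) => has(deployment[f], v));
  return out;
}

// Context minimization: forward only the context fields the effective policy names.
function minimizeContext(ctx: Record<string, string>, policy: RegulatedDataPolicy): Record<string, string> {
  const kept: Record<string, string> = {};
  for (const k of Object.keys(ctx)) if (has(policy.contextFields, k)) kept[k] = ctx[k];
  return kept;
}

// Constructed sample policies (values are illustrative only).
const rootPolicy: RegulatedDataPolicy = {
  dataClasses: ["phi"], purposes: ["treatment", "billing"], processors: ["proc-a", "proc-b"],
  regions: ["us-east", "eu-west"], models: ["model-x"],
  contextFields: ["patientId", "encounterId", "note"], allowFallback: true,
};
const childPolicy: RegulatedDataPolicy = { ...rootPolicy, purposes: ["treatment"], contextFields: ["patientId"], allowFallback: false };
const widenedPolicy: RegulatedDataPolicy = { ...childPolicy, regions: ["us-east", "ap-south"] };
const deploymentPolicy: RegulatedDataPolicy = { ...rootPolicy, processors: ["proc-a"], regions: ["us-east"], allowFallback: false };

console.log(checkAttenuation(rootPolicy, childPolicy), checkAttenuation(rootPolicy, widenedPolicy));
console.log(minimizeContext({ patientId: "p1", note: "free text" }, effectivePolicy(childPolicy, deploymentPolicy)));
```

The attenuation check belongs at delegation time, before the child token is signed; the intersection runs at the gateway on every request, so a later change to the deployment allowlist takes effect without reissuing tokens.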