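--- a/schemas/ai-agents/README.md
+++ b/schemas/ai-agents/README.md
@@ -0,0 +1,3 @@
+# AI Agents acting on behalf of a user
+
+An AI agent inherits view access to the documents a user can read or write, but cannot edit them on its own.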
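--- a/schemas/ai-agents/schema-and-data.yaml
+++ b/schemas/ai-agents/schema-and-data.yaml
@@ -0,0 +1,72 @@
+---
+schema: |-
+/**
+* an entity that can be granted permissions
+*/
+definition user {
+/**
+* users can have one or more AI agents that act on their behalf
+*/
+relation agent: ai_agent
+
+/**
+* the set of AI agents that may act on this user's behalf
+*/
+permission delegates = agent
+}
+
+/**
+* an AI agent that can act on behalf of a user
+*/
+definition ai_agent {}
+
+/**
+* a resource that we are trying to protect
+*/
+definition document {
+/**
+* users can be made writers of specific documents
+*/
+relation writer: user
+
+/**
+* users can be made readers of specific documents
+*/
+relation reader: user
+
+/**
+* if a user has the writer relationship to a specific document, they automatically get permission to edit it
+*/
+permission edit = writer
+
+/**
+* a user can view a document if they are a reader (or can edit it).
+* an AI agent can view a document if it acts on behalf of a reader or a writer of that document.
+*/
+permission view = reader + edit + reader->delegates + writer->delegates
+}
+
+relationships: |-
+document:firstdoc#writer@user:tom
+document:firstdoc#reader@user:fred
+user:tom#agent@ai_agent:assistant_tom
+user:fred#agent@ai_agent:assistant_fred
+
+assertions:
+assertTrue:
+- "document:firstdoc#edit@user:tom"
+- "document:firstdoc#view@user:tom"
+- "document:firstdoc#view@user:fred"
+- "document:firstdoc#view@ai_agent:assistant_tom"
+- "document:firstdoc#view@ai_agent:assistant_fred"
+assertFalse:
+- "document:firstdoc#edit@user:fred"
+- "document:firstdoc#edit@ai_agent:assistant_tom"
+- "document:firstdoc#edit@ai_agent:assistant_fred"
+
+validation:
+document:firstdoc#view:
+- "[user:tom] is <document:firstdoc#writer>"
+- "[user:fred] is <document:firstdoc#reader>"
+- "[ai_agent:assistant_tom] is <user:tom#agent>"
+- "[ai_agent:assistant_fred] is <user:fred#agent>"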
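Review bot: The assertFalse list has no negative case for `view`, so the test data would not catch a regression that widens `permission view` to agents that are not delegates of a reader or writer (for example if `agent` were later admitted as a direct subject of `reader`). Adding a constructed agent with no `user#agent` relationship, `- "document:firstdoc#view@ai_agent:assistant_none"`, under assertFalse pins the intended boundary. Separately, the comment on `relation agent: ai_agent` should make the scope of the grant explicit, since delegation is modelled once per user rather than per document: `* granting this relation delegates view on every document the user can read or write; revoke by deleting the relationship`. Since `definition ai_agent {}` has no relations, an agent cannot re-delegate to another agent, which is worth stating in that comment as a deliberate limit rather than leaving it implicit.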