raja 0.2.0__tar.gz

raja-0.2.0/PKG-INFO

@@ -0,0 +1,183 @@
+Metadata-Version: 2.3
+Name: raja
+Version: 0.2.0
+Summary: Add your description here
+Author: Dr. Ernie Prabhakar
+Author-email: Dr. Ernie Prabhakar <ernest@quilt.bio>
+Requires-Dist: pydantic>=2.7.0
+Requires-Dist: pyjwt>=2.8.0
+Requires-Dist: fastapi>=0.110.0
+Requires-Dist: mangum>=0.17.0
+Requires-Dist: aws-cdk-lib>=2.100.0 ; extra == 'aws'
+Requires-Dist: boto3>=1.34.0 ; extra == 'aws'
+Requires-Dist: constructs>=10.0.0 ; extra == 'aws'
+Requires-Dist: mypy>=1.7.0 ; extra == 'dev'
+Requires-Dist: poethepoet>=0.24.0 ; extra == 'dev'
+Requires-Dist: pytest>=8.0.0 ; extra == 'dev'
+Requires-Dist: pytest-cov>=4.1.0 ; extra == 'dev'
+Requires-Dist: pytest-watch>=4.2.0 ; extra == 'dev'
+Requires-Dist: httpx>=0.27.0 ; extra == 'dev'
+Requires-Dist: ruff>=0.1.0 ; extra == 'dev'
+Requires-Dist: boto3-stubs[dynamodb,secretsmanager,verifiedpermissions]>=1.34.0 ; extra == 'dev'
+Requires-Dist: moto>=4.2.0 ; extra == 'test'
+Requires-Dist: pytest>=8.0.0 ; extra == 'test'
+Requires-Dist: pytest-cov>=4.1.0 ; extra == 'test'
+Requires-Dist: httpx>=0.27.0 ; extra == 'test'
+Requires-Python: >=3.12
+Provides-Extra: aws
+Provides-Extra: dev
+Provides-Extra: test
+Description-Content-Type: text/markdown
+
+# RAJA
+![CI](https://github.com/quiltdata/raja/workflows/CI/badge.svg)
+![Integration Tests](https://github.com/quiltdata/raja/workflows/Integration%20Tests/badge.svg)
+![Coverage](https://codecov.io/gh/quiltdata/raja/branch/main/graph/badge.svg)
+
+**Resource Authorization JWT Authority** - Compile Cedar policies into JWT tokens for deterministic authorization.
+
+## What is RAJA?
+
+RAJA compiles Cedar authorization policies into JWT tokens with explicit scopes. This means:
+
+- Authorization decisions are **deterministic** (same token + request = same result)
+- Tokens are **transparent** (you can see exactly what permissions are granted)
+- Enforcement is **fast** (simple scope checking, no policy evaluation)
+
+## Quick Start
+
+### Installation
+
+```bash
+git clone https://github.com/quiltdata/raja.git
+cd raja
+uv sync
+```
+
+### Deploy to AWS (Control Plane)
+
+```bash
+# Deploy infrastructure
+poe cdk-deploy --all
+
+# Load Cedar policies
+python scripts/load_policies.py
+
+# Compile policies to scopes
+export RAJA_API_URL="https://your-api.execute-api.us-east-1.amazonaws.com/prod"
+python scripts/invoke_compiler.py
+```
+
+### Control Plane UI
+
+After deployment, open the API Gateway URL in your browser. The root path (`/`) renders a
+simple admin UI with live data from `/principals`, `/policies`, and `/audit`.
+
+## How It Works
+
+```text
+Cedar Policies → Compiler → JWT Scopes → Library Enforcement
+```
+
+1. **Write Cedar policies** that define who can do what
+2. **Compiler** converts policies into scope strings (e.g., `Document:doc123:read`)
+3. **Token Service** issues JWTs containing these scopes
+4. **Applications** validate tokens and check scopes locally
+
+## API Endpoints
+
+When deployed to AWS, RAJA provides:
+
+**POST /compile** - Compile Cedar policies into scopes
+
+```json
+{}
+→ {"message": "Policies compiled successfully", "policies_compiled": 3}
+```
+
+**POST /token** - Issue a JWT token
+
+```json
+{"principal": "alice"}
+→ {"token": "eyJ...", "scopes": ["Document:doc123:read"]}
+```
+
+**GET /principals** - List principals and their scopes
+
+```text
+→ {"principals": [{"principal": "alice", "scopes": [...]}]}
+
+**GET /policies** - List Cedar policies
+
+```json
+→ {"policies": [{"policyId": "..."}]}
+```
+
+**GET /audit** - View audit log entries
+```
+
+## Local Development
+
+Use the Python library standalone (no AWS required):
+
+```python
+from raja import AuthRequest, create_token, enforce
+
+# Create token with scopes
+token = create_token(
+    subject="alice",
+    scopes=["Document:doc123:read"],
+    secret="your-secret"
+)
+
+# Check authorization
+decision = enforce(
+    token_str=token,
+    request=AuthRequest(resource_type="Document", resource_id="doc123", action="read"),
+    secret="your-secret"
+)
+print(decision.allowed)  # True
+```
+
+### Run Tests
+
+```bash
+poe test-unit      # Unit tests (no AWS)
+poe test           # All tests
+poe check-all      # Format, lint, typecheck
+```
+
+## Scope Format
+
+Scopes follow the pattern: `{ResourceType}:{ResourceId}:{Action}`
+
+Examples:
+
+- `Document:doc123:read` - Read document doc123
+- `Document:*:read` - Read all documents
+- `*:*:*` - Full admin access
+
+## Project Structure
+
+```text
+raja/
+├── src/raja/           # Core Python library
+├── lambda_handlers/    # AWS Lambda handlers
+├── infra/             # CDK infrastructure
+├── policies/          # Sample Cedar policies
+└── tests/             # Test suite
+```
+
+## Documentation
+
+- **[CLAUDE.md](CLAUDE.md)** - Developer guide and architecture
+- **[specs/](specs/)** - Design specifications
+- **Module READMEs** - See CLAUDE.md files in subdirectories
+
+## Contributing
+
+See [CLAUDE.md](CLAUDE.md) for development guidelines.
+
+## License
+
+[License information to be added]

raja-0.2.0/README.md

@@ -0,0 +1,152 @@
+# RAJA
+![CI](https://github.com/quiltdata/raja/workflows/CI/badge.svg)
+![Integration Tests](https://github.com/quiltdata/raja/workflows/Integration%20Tests/badge.svg)
+![Coverage](https://codecov.io/gh/quiltdata/raja/branch/main/graph/badge.svg)
+
+**Resource Authorization JWT Authority** - Compile Cedar policies into JWT tokens for deterministic authorization.
+
+## What is RAJA?
+
+RAJA compiles Cedar authorization policies into JWT tokens with explicit scopes. This means:
+
+- Authorization decisions are **deterministic** (same token + request = same result)
+- Tokens are **transparent** (you can see exactly what permissions are granted)
+- Enforcement is **fast** (simple scope checking, no policy evaluation)
+
+## Quick Start
+
+### Installation
+
+```bash
+git clone https://github.com/quiltdata/raja.git
+cd raja
+uv sync
+```
+
+### Deploy to AWS (Control Plane)
+
+```bash
+# Deploy infrastructure
+poe cdk-deploy --all
+
+# Load Cedar policies
+python scripts/load_policies.py
+
+# Compile policies to scopes
+export RAJA_API_URL="https://your-api.execute-api.us-east-1.amazonaws.com/prod"
+python scripts/invoke_compiler.py
+```
+
+### Control Plane UI
+
+After deployment, open the API Gateway URL in your browser. The root path (`/`) renders a
+simple admin UI with live data from `/principals`, `/policies`, and `/audit`.
+
+## How It Works
+
+```text
+Cedar Policies → Compiler → JWT Scopes → Library Enforcement
+```
+
+1. **Write Cedar policies** that define who can do what
+2. **Compiler** converts policies into scope strings (e.g., `Document:doc123:read`)
+3. **Token Service** issues JWTs containing these scopes
+4. **Applications** validate tokens and check scopes locally
+
+## API Endpoints
+
+When deployed to AWS, RAJA provides:
+
+**POST /compile** - Compile Cedar policies into scopes
+
+```json
+{}
+→ {"message": "Policies compiled successfully", "policies_compiled": 3}
+```
+
+**POST /token** - Issue a JWT token
+
+```json
+{"principal": "alice"}
+→ {"token": "eyJ...", "scopes": ["Document:doc123:read"]}
+```
+
+**GET /principals** - List principals and their scopes
+
+```text
+→ {"principals": [{"principal": "alice", "scopes": [...]}]}
+
+**GET /policies** - List Cedar policies
+
+```json
+→ {"policies": [{"policyId": "..."}]}
+```
+
+**GET /audit** - View audit log entries
+```
+
+## Local Development
+
+Use the Python library standalone (no AWS required):
+
+```python
+from raja import AuthRequest, create_token, enforce
+
+# Create token with scopes
+token = create_token(
+    subject="alice",
+    scopes=["Document:doc123:read"],
+    secret="your-secret"
+)
+
+# Check authorization
+decision = enforce(
+    token_str=token,
+    request=AuthRequest(resource_type="Document", resource_id="doc123", action="read"),
+    secret="your-secret"
+)
+print(decision.allowed)  # True
+```
+
+### Run Tests
+
+```bash
+poe test-unit      # Unit tests (no AWS)
+poe test           # All tests
+poe check-all      # Format, lint, typecheck
+```
+
+## Scope Format
+
+Scopes follow the pattern: `{ResourceType}:{ResourceId}:{Action}`
+
+Examples:
+
+- `Document:doc123:read` - Read document doc123
+- `Document:*:read` - Read all documents
+- `*:*:*` - Full admin access
+
+## Project Structure
+
+```text
+raja/
+├── src/raja/           # Core Python library
+├── lambda_handlers/    # AWS Lambda handlers
+├── infra/             # CDK infrastructure
+├── policies/          # Sample Cedar policies
+└── tests/             # Test suite
+```
+
+## Documentation
+
+- **[CLAUDE.md](CLAUDE.md)** - Developer guide and architecture
+- **[specs/](specs/)** - Design specifications
+- **Module READMEs** - See CLAUDE.md files in subdirectories
+
+## Contributing
+
+See [CLAUDE.md](CLAUDE.md) for development guidelines.
+
+## License
+
+[License information to be added]

raja-0.2.0/pyproject.toml

@@ -0,0 +1,132 @@
+[project]
+name = "raja"
+version = "0.2.0"
+description = "Add your description here"
+readme = "README.md"
+authors = [
+    { name = "Dr. Ernie Prabhakar", email = "ernest@quilt.bio" }
+]
+requires-python = ">=3.12"
+dependencies = [
+    "pydantic>=2.7.0",
+    "PyJWT>=2.8.0",
+    "fastapi>=0.110.0",
+    "mangum>=0.17.0",
+]
+
+[project.optional-dependencies]
+dev = [
+    "mypy>=1.7.0",
+    "poethepoet>=0.24.0",
+    "pytest>=8.0.0",
+    "pytest-cov>=4.1.0",
+    "pytest-watch>=4.2.0",
+    "httpx>=0.27.0",
+    "ruff>=0.1.0",
+    "boto3-stubs[dynamodb,secretsmanager,verifiedpermissions]>=1.34.0",
+]
+
+aws = [
+    "aws-cdk-lib>=2.100.0",
+    "boto3>=1.34.0",
+    "constructs>=10.0.0",
+]
+
+test = [
+    "moto>=4.2.0",
+    "pytest>=8.0.0",
+    "pytest-cov>=4.1.0",
+    "httpx>=0.27.0",
+]
+
+[build-system]
+requires = ["uv_build>=0.9.17,<0.10.0"]
+build-backend = "uv_build"
+
+[tool.ruff]
+target-version = "py312"
+line-length = 100
+extend-exclude = ["infra/cdk.out", "infra/cdk.out*"]
+
+[tool.ruff.lint]
+select = [
+    "E",   # pycodestyle errors
+    "W",   # pycodestyle warnings
+    "F",   # pyflakes
+    "I",   # isort
+    "B",   # flake8-bugbear
+    "C4",  # flake8-comprehensions
+    "UP",  # pyupgrade
+]
+ignore = []
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = ["test_*.py"]
+python_classes = ["Test*"]
+python_functions = ["test_*"]
+addopts = [
+    "--strict-markers",
+    "--strict-config",
+    "--showlocals",
+]
+markers = [
+    "unit: Unit tests (no external dependencies)",
+    "integration: tests that require deployed AWS resources",
+    "hypothesis: tests that validate RAJA claims",
+    "slow: Slow-running tests",
+]
+
+[tool.poe.tasks]
+npx-verify = { cmd = "bash -lc 'command -v npx >/dev/null 2>&1 || { echo \"npx not found; install Node.js to use CDK tasks\"; exit 1; }'", help = "Verify npx is available for CDK tasks" }
+format = { cmd = "ruff format src tests infra lambda_handlers", help = "Format code with ruff" }
+format-check = { cmd = "ruff format src tests infra lambda_handlers --check", help = "Check formatting with ruff" }
+lint-check-only = { cmd = "ruff check src tests infra lambda_handlers", help = "Lint code with ruff" }
+lint = { sequence = ["format", "lint-fix", "typecheck"], help = "Format, fix lint, and run typecheck" }
+lint-check = { sequence = ["format-check", "lint-check-only", "typecheck"], help = "Check formatting, lint, and typecheck" }
+lint-fix = { cmd = "ruff check --fix src tests infra lambda_handlers", help = "Auto-fix lint issues" }
+typecheck = { cmd = "mypy src", help = "Run type checker" }
+check = { sequence = ["lint-check"], help = "Run all quality checks" }
+check-all = { sequence = ["lint"], help = "Format, lint, and typecheck" }
+test = { cmd = "pytest tests/ -v", help = "Run all tests" }
+test-unit = { cmd = "pytest tests/unit/ -v", help = "Run unit tests only" }
+test-integration = { cmd = "pytest tests/integration/ -v", help = "Run integration tests" }
+test-hypothesis = { cmd = "pytest tests/hypothesis/ -v", help = "Run hypothesis validation tests" }
+test-cov = { cmd = "pytest tests/ --cov=src/raja --cov-report=html --cov-report=term", help = "Run tests with coverage" }
+test-watch = { cmd = "pytest-watch tests/ -- -v", help = "Run tests in watch mode" }
+test-all-parallel = { parallel = ["test-unit", "test-integration"], help = "Run unit and integration tests in parallel" }
+build = { cmd = "uv build", help = "Build package" }
+clean = { cmd = "rm -rf dist/ build/ *.egg-info .pytest_cache .mypy_cache .ruff_cache htmlcov/", help = "Clean build artifacts" }
+install = { cmd = "uv pip install -e .", help = "Install package locally" }
+cdk-synth-cmd = { cmd = "cd infra && npx cdk synth", help = "Synthesize CDK stack" }
+cdk-diff-cmd = { cmd = "cd infra && npx cdk diff", help = "Show CDK changes" }
+cdk-deploy-cmd = { shell = "cd infra && npx cdk deploy --all --require-approval never --progress bar", help = "Deploy CDK stack" }
+cdk-destroy-cmd = { cmd = "cd infra && npx cdk destroy --all --force", help = "Destroy CDK stack" }
+cdk-synth = { sequence = ["npx-verify", "cdk-synth-cmd"], help = "Synthesize CDK stack" }
+cdk-diff = { sequence = ["npx-verify", "cdk-diff-cmd"], help = "Show CDK changes" }
+cdk-deploy = { sequence = ["npx-verify", "cdk-deploy-cmd"], help = "Deploy CDK stack" }
+cdk-destroy = { sequence = ["npx-verify", "cdk-destroy-cmd"], help = "Destroy CDK stack" }
+load-policies = { cmd = "python scripts/load_policies.py", help = "Load Cedar policies to AVP" }
+compile-policies = { cmd = "python scripts/invoke_compiler.py", help = "Compile policies to scopes" }
+seed-test-data = { cmd = "python scripts/seed_test_data.py", help = "Seed integration test principals into DynamoDB" }
+docs = { cmd = "cd docs && make html", help = "Build documentation (placeholder)" }
+repl = { cmd = "uv run python", help = "Start Python REPL" }
+shell = { cmd = "uv run bash", help = "Start project shell" }
+tag = { script = "scripts.release:create_tag", help = "Create and push a git tag for release (runs checks first)" }
+
+[tool.mypy]
+python_version = "3.12"
+warn_return_any = true
+warn_unused_configs = true
+disallow_untyped_defs = true
+disallow_any_generics = true
+check_untyped_defs = true
+no_implicit_optional = true
+warn_redundant_casts = true
+warn_unused_ignores = true
+warn_no_return = true
+strict_equality = true