stigmem-plugin-memory-garden-acl 0.1.0__tar.gz

stigmem_plugin_memory_garden_acl-0.1.0/.gitignore

@@ -0,0 +1,70 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.eggs/
+dist/
+build/
+.venv/
+venv/
+.uv/
+.mypy_cache/
+.ruff_cache/
+.pytest_cache/
+htmlcov/
+.coverage
+coverage.xml
+*.cover
+coverage/
+
+# Node / pnpm
+node_modules/
+.next/
+.turbo/
+.jscpd/
+.pnpm-store/
+dist/
+*.tsbuildinfo
+apps/dashboard/coverage/
+adapters/mcp/coverage/
+sdks/stigmem-ts/coverage/
+
+# Environment
+.env
+.env.local
+.env.*.local
+
+# Release signing keys — public keys are attached to GitHub Releases only;
+# private keys must NEVER be committed (use offline storage).
+stigmem-release-signing-key.asc
+stigmem-release-signing-key*.asc
+*private*signing*key*.asc
+*secret*signing*key*.asc
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local Codex project instructions
+AGENTS.md
+
+# Docker
+*.log
+
+# Stigmem runtime (DB and logs are runtime state, not source)
+data/*.db
+data/*.db-shm
+data/*.db-wal
+stigmem.db
+stigmem.db-shm
+stigmem.db-wal
+logs/
+# Eval results (CI-generated artifacts)
+eval/results/

stigmem_plugin_memory_garden_acl-0.1.0/PKG-INFO

@@ -0,0 +1,105 @@
+Metadata-Version: 2.4
+Name: stigmem-plugin-memory-garden-acl
+Version: 0.1.0
+Summary: Experimental Memory Garden advanced ACL plugin for Stigmem.
+Project-URL: Homepage, https://github.com/eidetic-labs/stigmem
+Project-URL: Documentation, https://github.com/eidetic-labs/stigmem/tree/main/features/memory-garden-acl
+Project-URL: Repository, https://github.com/eidetic-labs/stigmem
+Project-URL: Issues, https://github.com/eidetic-labs/stigmem/issues
+Author-email: Eidetic Labs <oss@eidetic-labs.ai>
+License: Apache-2.0
+Keywords: acl,authorization,memory-garden,plugins,stigmem
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Requires-Python: >=3.11
+Requires-Dist: pydantic<3,>=2
+Requires-Dist: stigmem-node<1.0.0,>=0.9.0a8
+Description-Content-Type: text/markdown
+
+# Stigmem Memory Garden Advanced ACL Plugin
+
+Experimental advanced Memory Garden ACL plugin for Stigmem.
+
+This package provides the `stigmem-plugin-memory-garden-acl` source package for
+alpha validation. It registers through the `stigmem.plugins` entry point group
+and is loaded by `stigmem-node` only when explicitly installed and configured by
+an operator.
+
+## Status
+
+Advanced Memory Garden ACL behavior remains experimental. Basic garden CRUD,
+membership, and direct garden fact guards remain core. Installing this package
+does not activate advanced cross-surface ACL behavior unless the plugin is
+registered and the operator enables the relevant gates.
+
+The package metadata is publication-shaped for the plugin readiness track, but
+registry publication remains on hold until dry-run evidence and maintainer
+clearance are recorded. See the feature record under
+`features/memory-garden-acl/` for the current status, evidence, and security
+notes.
+
+## Installation
+
+```bash
+pip install --pre stigmem-node==0.9.0a8 stigmem-plugin-memory-garden-acl==0.1.0
+```
+
+## Enable
+
+Set the plugin gate environment variable to opt in:
+
+```bash
+export STIGMEM_MEMORY_GARDEN_ACL_ENABLED=1
+```
+
+The default install is inert; advanced ACL hook behavior only activates when
+the package is installed, discovered through the `stigmem.plugins` entry point,
+and the operator enables the gate. Enforcement gates such as
+`STIGMEM_MEMORY_GARDEN_ACL_ENFORCE_ASSERT_AUTHORIZE` and
+`STIGMEM_MEMORY_GARDEN_ACL_ENFORCE_RECALL_AUTHORIZE` remain separately opt-in.
+
+## Disable
+
+Unset the plugin gate environment variable, or set it to any value other than
+`1`, `true`, `yes`, or `on`:
+
+```bash
+unset STIGMEM_MEMORY_GARDEN_ACL_ENABLED
+```
+
+The plugin returns to inert state at the next process start. No data migration
+is required; core garden CRUD, membership, scope, tenant, and audit enforcement
+continues to hold.
+
+## Test
+
+From a Stigmem repository checkout with development dependencies installed:
+
+```bash
+uv run pytest node/tests/plugins/test_memory_garden_acl_plugin_scaffold.py \
+  node/tests/plugins/test_memory_garden_acl_plugin_validation.py
+```
+
+The package itself ships no separate test tree; upstream plugin validation
+lives in `node/tests/plugins/`.
+
+## Uninstall
+
+```bash
+pip uninstall stigmem-plugin-memory-garden-acl
+```
+
+Removing the package is sufficient. The gate environment variable becomes moot
+once the entry point is no longer discoverable.
+
+## Project Links
+
+- Repository: <https://github.com/eidetic-labs/stigmem>
+- Feature record: <https://github.com/eidetic-labs/stigmem/tree/main/features/memory-garden-acl>
+- Plugin source: <https://github.com/eidetic-labs/stigmem/tree/main/experimental/memory-garden-acl>
+- Issue tracker: <https://github.com/eidetic-labs/stigmem/issues>

stigmem_plugin_memory_garden_acl-0.1.0/README.md

@@ -0,0 +1,82 @@
+# Stigmem Memory Garden Advanced ACL Plugin
+
+Experimental advanced Memory Garden ACL plugin for Stigmem.
+
+This package provides the `stigmem-plugin-memory-garden-acl` source package for
+alpha validation. It registers through the `stigmem.plugins` entry point group
+and is loaded by `stigmem-node` only when explicitly installed and configured by
+an operator.
+
+## Status
+
+Advanced Memory Garden ACL behavior remains experimental. Basic garden CRUD,
+membership, and direct garden fact guards remain core. Installing this package
+does not activate advanced cross-surface ACL behavior unless the plugin is
+registered and the operator enables the relevant gates.
+
+The package metadata is publication-shaped for the plugin readiness track, but
+registry publication remains on hold until dry-run evidence and maintainer
+clearance are recorded. See the feature record under
+`features/memory-garden-acl/` for the current status, evidence, and security
+notes.
+
+## Installation
+
+```bash
+pip install --pre stigmem-node==0.9.0a8 stigmem-plugin-memory-garden-acl==0.1.0
+```
+
+## Enable
+
+Set the plugin gate environment variable to opt in:
+
+```bash
+export STIGMEM_MEMORY_GARDEN_ACL_ENABLED=1
+```
+
+The default install is inert; advanced ACL hook behavior only activates when
+the package is installed, discovered through the `stigmem.plugins` entry point,
+and the operator enables the gate. Enforcement gates such as
+`STIGMEM_MEMORY_GARDEN_ACL_ENFORCE_ASSERT_AUTHORIZE` and
+`STIGMEM_MEMORY_GARDEN_ACL_ENFORCE_RECALL_AUTHORIZE` remain separately opt-in.
+
+## Disable
+
+Unset the plugin gate environment variable, or set it to any value other than
+`1`, `true`, `yes`, or `on`:
+
+```bash
+unset STIGMEM_MEMORY_GARDEN_ACL_ENABLED
+```
+
+The plugin returns to inert state at the next process start. No data migration
+is required; core garden CRUD, membership, scope, tenant, and audit enforcement
+continues to hold.
+
+## Test
+
+From a Stigmem repository checkout with development dependencies installed:
+
+```bash
+uv run pytest node/tests/plugins/test_memory_garden_acl_plugin_scaffold.py \
+  node/tests/plugins/test_memory_garden_acl_plugin_validation.py
+```
+
+The package itself ships no separate test tree; upstream plugin validation
+lives in `node/tests/plugins/`.
+
+## Uninstall
+
+```bash
+pip uninstall stigmem-plugin-memory-garden-acl
+```
+
+Removing the package is sufficient. The gate environment variable becomes moot
+once the entry point is no longer discoverable.
+
+## Project Links
+
+- Repository: <https://github.com/eidetic-labs/stigmem>
+- Feature record: <https://github.com/eidetic-labs/stigmem/tree/main/features/memory-garden-acl>
+- Plugin source: <https://github.com/eidetic-labs/stigmem/tree/main/experimental/memory-garden-acl>
+- Issue tracker: <https://github.com/eidetic-labs/stigmem/issues>

stigmem_plugin_memory_garden_acl-0.1.0/STATUS.md

@@ -0,0 +1,18 @@
+# Spec-X5-Memory-Garden-Advanced-ACL Status
+
+This file is a compatibility pointer for existing
+`experimental/memory-garden-acl/` links.
+
+The canonical ADR-020 status record now lives at
+[`features/memory-garden-acl/status.md`](../../features/memory-garden-acl/status.md).
+
+Current summary:
+
+- Status: `active`
+- Stability: `experimental`
+- Default surface: `opt-in`
+- Implementation path: `experimental/memory-garden-acl/`
+- Package: `stigmem-plugin-memory-garden-acl`
+
+The implementation package remains here during transition. Product status,
+gates, history, and release-facing facts belong in the feature record.

stigmem_plugin_memory_garden_acl-0.1.0/pyproject.toml

@@ -0,0 +1,52 @@
+[project]
+name = "stigmem-plugin-memory-garden-acl"
+version = "0.1.0"
+description = "Experimental Memory Garden advanced ACL plugin for Stigmem."
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "Apache-2.0" }
+authors = [
+  { name = "Eidetic Labs", email = "oss@eidetic-labs.ai" },
+]
+keywords = ["stigmem", "plugins", "memory-garden", "acl", "authorization"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: Apache Software License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Topic :: Scientific/Engineering :: Artificial Intelligence",
+]
+dependencies = [
+    "pydantic>=2,<3",
+    "stigmem-node>=0.9.0a8,<1.0.0",
+]
+
+[project.entry-points."stigmem.plugins"]
+memory-garden-acl = "stigmem_plugin_memory_garden_acl:plugin_manifest"
+
+[project.urls]
+Homepage = "https://github.com/eidetic-labs/stigmem"
+Documentation = "https://github.com/eidetic-labs/stigmem/tree/main/features/memory-garden-acl"
+Repository = "https://github.com/eidetic-labs/stigmem"
+Issues = "https://github.com/eidetic-labs/stigmem/issues"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/stigmem_plugin_memory_garden_acl"]
+
+[tool.hatch.build.targets.wheel.sources]
+"src" = ""
+
+[tool.hatch.build.targets.sdist]
+include = [
+  "README.md",
+  "STATUS.md",
+  "security.md",
+  "spec.md",
+  "src/stigmem_plugin_memory_garden_acl/**/*.py",
+]

stigmem_plugin_memory_garden_acl-0.1.0/security.md

@@ -0,0 +1,26 @@
+---
+feature: memory-garden-acl
+spec_id: Spec-X5-Memory-Garden-Advanced-ACL
+status: Experimental
+applies_to: stigmem v0.9.0a1
+last_updated: 2026-05-21
+owned_risks: []
+contributed_risks:
+  - R-21
+---
+
+# Memory Garden ACL Security
+
+This file is a compatibility pointer for existing
+`experimental/memory-garden-acl/` security links.
+
+The canonical ADR-020 security record now lives at
+[`features/memory-garden-acl/security.md`](../../features/memory-garden-acl/security.md).
+
+Current risk summary:
+
+- Owned risks: none.
+- Contributed risks: R-21 agent feedback-loop worm.
+
+Product security analysis, operator scenarios, conformance pointers, residual
+risk, and advisory history belong in the feature record.

stigmem_plugin_memory_garden_acl-0.1.0/spec.md

@@ -0,0 +1,31 @@
+---
+spec_id: Spec-X5-Memory-Garden-Advanced-ACL
+version: 0.1.0-alpha.0
+status: Experimental
+applies_to: future experimental plugin line
+last_updated: 2026-05-21
+supersedes: pre-reset section 17 advanced Memory Garden ACL material
+depends_on:
+  - Spec-01-Fact-Model >= 0.1.0-alpha.0
+  - Spec-02-Scopes-and-ACL >= 0.1.0-alpha.0
+title: Memory Garden Advanced ACL
+sidebar_label: Memory Garden Advanced ACL
+audience: Spec
+description: "Compatibility pointer for advanced Memory Garden ACL semantics."
+stability: experimental
+since: 0.9.0a1
+---
+
+# Spec-X5-Memory-Garden-Advanced-ACL
+
+This file is a compatibility pointer for existing
+`experimental/memory-garden-acl/` links and for the generated protocol index.
+
+The canonical ADR-020 feature record now lives at
+[`features/memory-garden-acl/`](../../features/memory-garden-acl/). The
+canonical normative spec is
+[`features/memory-garden-acl/spec.md`](../../features/memory-garden-acl/spec.md).
+
+The implementation package remains in `experimental/memory-garden-acl/` during
+the transition. The feature record owns product truth; this directory owns the
+current source package until a future packaging move is explicitly planned.

stigmem_plugin_memory_garden_acl-0.1.0/src/stigmem_plugin_memory_garden_acl/__init__.py

@@ -0,0 +1,12 @@
+"""Experimental Memory Garden advanced ACL plugin scaffold."""
+
+from __future__ import annotations
+
+from .config import MemoryGardenAclConfig
+from .manifest import PLUGIN_NAME, plugin_manifest
+
+__all__ = [
+    "PLUGIN_NAME",
+    "MemoryGardenAclConfig",
+    "plugin_manifest",
+]

stigmem_plugin_memory_garden_acl-0.1.0/src/stigmem_plugin_memory_garden_acl/config.py

@@ -0,0 +1,44 @@
+"""Configuration schema for the Memory Garden advanced ACL plugin."""
+
+from __future__ import annotations
+
+import os
+from collections.abc import Mapping
+
+from pydantic import BaseModel
+
+
+class MemoryGardenAclConfig(BaseModel):
+    """Operator-controlled gates for experimental advanced garden ACL behavior."""
+
+    enabled: bool = False
+    enforce_assert_authorize: bool = False
+    enforce_recall_authorize: bool = False
+    apply_recall_filter: bool = False
+    enable_oidc_permission_ceiling: bool = False
+
+
+def load_config_from_env(
+    environ: Mapping[str, str] | None = None,
+) -> MemoryGardenAclConfig:
+    """Load advanced garden ACL plugin gates from environment variables."""
+
+    env = environ if environ is not None else os.environ
+    prefix = "STIGMEM_MEMORY_GARDEN_ACL_"
+    return MemoryGardenAclConfig(
+        enabled=_env_bool(env, f"{prefix}ENABLED"),
+        enforce_assert_authorize=_env_bool(env, f"{prefix}ENFORCE_ASSERT_AUTHORIZE"),
+        enforce_recall_authorize=_env_bool(env, f"{prefix}ENFORCE_RECALL_AUTHORIZE"),
+        apply_recall_filter=_env_bool(env, f"{prefix}APPLY_RECALL_FILTER"),
+        enable_oidc_permission_ceiling=_env_bool(
+            env,
+            f"{prefix}ENABLE_OIDC_PERMISSION_CEILING",
+        ),
+    )
+
+
+def _env_bool(env: Mapping[str, str], name: str, *, default: bool = False) -> bool:
+    raw = env.get(name)
+    if raw is None:
+        return default
+    return raw.strip().lower() in {"1", "true", "yes", "on"}

stigmem_plugin_memory_garden_acl-0.1.0/src/stigmem_plugin_memory_garden_acl/handlers.py

@@ -0,0 +1,61 @@
+"""Hook handlers for the Memory Garden advanced ACL plugin scaffold."""
+
+from __future__ import annotations
+
+from typing import Any, TypeVar
+
+from stigmem_node.plugins import Allow, PluginContext, PluginHealth, PluginHealthStatus
+
+T = TypeVar("T")
+PLUGIN_NAME = "stigmem-plugin-memory-garden-acl"
+
+
+def pre_assert_authorize(_ctx: PluginContext, **_: Any) -> Allow:
+    """Stub: scaffold returns Allow().
+
+    A future implementation is expected to enforce write-side garden membership
+    for advanced ACL policy. If this scaffold handler raises, returns ``None``,
+    or the plugin fails to load, the core hook path remains fail-open. Core fallback:
+    direct ``garden_id`` writes are still governed by the
+    ``require_garden_write`` guard. Operators relying on advanced write-side
+    enforcement must verify the plugin is registered, healthy, and configured
+    for their deployment.
+    """
+
+    return Allow()
+
+
+def pre_recall_authorize(_ctx: PluginContext, **_: Any) -> Allow:
+    """Stub: scaffold returns Allow().
+
+    A future implementation is expected to authorize advanced recall access
+    before ranking or traversal. If this scaffold handler raises, returns
+    ``None``, or the plugin fails to load, the hook path remains fail-open and
+    core fallback behavior applies: direct garden reads are guarded, while
+    tenant-wide recall authorization is not narrowed by this plugin.
+    """
+
+    return Allow()
+
+
+def recall_filter(_ctx: PluginContext, value: T, **_: Any) -> T:
+    """Stub: scaffold preserves the incoming recall value.
+
+    A future implementation is expected to remove facts and graph edges the
+    caller cannot see through advanced garden membership. If this scaffold
+    handler raises, returns ``None``, or the plugin fails to load, filtering
+    remains fail-open. Core fallback behavior still protects explicit
+    ``garden_id`` reads, but tenant-wide queries, recall ranking, subscription
+    delivery, and graph traversal are not filtered by advanced ACL policy.
+    """
+
+    return value
+
+
+def health_check(_ctx: PluginContext) -> PluginHealth:
+    """Report scaffold health for registry lifecycle tests."""
+
+    return PluginHealth(
+        status=PluginHealthStatus.HEALTHY,
+        message="memory garden ACL plugin scaffold registered",
+    )

stigmem_plugin_memory_garden_acl-0.1.0/src/stigmem_plugin_memory_garden_acl/manifest.py

@@ -0,0 +1,41 @@
+"""Plugin manifest factory for Memory Garden advanced ACL."""
+
+from __future__ import annotations
+
+from stigmem_node.plugins import PluginManifest
+
+from . import handlers
+from .config import MemoryGardenAclConfig
+
+PLUGIN_NAME = "stigmem-plugin-memory-garden-acl"
+PLUGIN_VERSION = "0.1.0"
+REQUIRES_STIGMEM = ">=0.9.0a3"
+
+
+def plugin_manifest() -> PluginManifest:
+    """Return the entry-point manifest consumed by ``stigmem.plugins`` discovery."""
+
+    return PluginManifest(
+        name=PLUGIN_NAME,
+        version=PLUGIN_VERSION,
+        requires_stigmem=REQUIRES_STIGMEM,
+        capabilities=frozenset(
+            {
+                "facts.read",
+                "facts.write",
+                "recall.read",
+                "identity.read",
+                "audit.emit",
+                "config.read",
+            }
+        ),
+        hooks={
+            "pre_assert_authorize": handlers.pre_assert_authorize,
+            "pre_recall_authorize": handlers.pre_recall_authorize,
+            "recall_filter": handlers.recall_filter,
+        },
+        routes=(),
+        config_schema=MemoryGardenAclConfig,
+        health_check=handlers.health_check,
+        async_safe=True,
+    )