Security
Security layer (beta v0.1). Predicates: Specification — Policies. Example: crm-reference.aip.auth
Global default on app:
| Strategy | Typical use |
|---|---|
jwt | Stateless APIs (recommended initial) |
session | Cookie-based web apps |
api_key | Machine-to-machine |
oauth | Social login / IdP |
app once; avoid duplicating auth jwt in api unless overriding.
policy
Lead.seller must exist as belongs_to User.
Roles and permissions
permission(name) predicate in policy is supported; top-level permission declarations are preview only.
Predicates
| Predicate | Description |
|---|---|
public | No auth |
authenticated | Valid session/JWT |
role(name) | Global role |
permission(name) | Named permission |
owner(field) | Authenticated user matches field |
owner_or_manager(field) | Owner, manager, or admin |
custom block is reserved — do not mix hand-written SQL with generated policies in v0.1.
rate_limit and CORS
SQL injection
Transpilers must emit parameterized queries / ORM only. Does not cover hand-writtencustom code.
Multi-target output
| Target | Artifact |
|---|---|
| Go | JWT middleware, handler checks |
| TypeScript | guards, decorators |
| Python | dependencies / decorators |
| PHP | policies, gates |
| OpenAPI | securitySchemes |
crm-reference.aip already includes policy Lead and api with rate limit + CORS.