Security
Security layer (beta v0.1). Predicates: Specification — Policies. Example: crm-reference.aip.
auth
Global default on app:
app CRM @0.1 {
  auth jwt
}
| Strategy | Typical use |
|---|---|
| jwt | Stateless APIs (recommended initial) |
| session | Cookie-based web apps |
| api_key | Machine-to-machine |
| oauth | Social login / IdP |
Set JWT on app once; avoid duplicating auth jwt in api unless overriding.
policy
policy Lead {
  create authenticated
  read owner_or_manager(Lead.seller)
  update owner_or_manager(Lead.seller)
  delete role(admin)
}
Lead.seller must exist as belongs_to User.
Roles and permissions
entity User {
  role: enum(admin, manager, seller) default(seller)
}
(* Proposed — not in v0.1 grammar yet *)
permission export_reports
policy Report {
  read permission(export_reports)
}
The permission(name) predicate in policy is supported; top-level permission declarations are preview only.
Predicates
| Predicate | Description |
|---|---|
| public | No auth |
| authenticated | Valid session/JWT |
| role(name) | Global role |
| permission(name) | Named permission |
| owner(field) | Authenticated user matches field |
| owner_or_manager(field) | Owner, manager, or admin |
Arbitrary logic: a future custom block is reserved — do not mix hand-written SQL with generated policies in v0.1.
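How the predicates in the table resolve for policy Lead, as an added Python example (not output of an AIP transpiler and not code from the project). The User shape, comparing Lead.seller to the user's id, reading owner_or_manager as "owner, or role manager or admin", and denying any action that has no rule are assumptions.

```python
from dataclasses import dataclass

@dataclass
class User:                      # hypothetical shape, mirrors entity User
    id: int
    role: str = "seller"         # default(seller)
    permissions: frozenset = frozenset()

# Each predicate returns a check(user, record) -> bool.
# user is None for an unauthenticated request.
def public():
    return lambda user, rec: True

def authenticated():
    return lambda user, rec: user is not None

def role(name):
    return lambda user, rec: user is not None and user.role == name

def permission(name):
    return lambda user, rec: user is not None and name in user.permissions

def owner(fld):
    return lambda user, rec: (user is not None and rec is not None
                              and rec.get(fld) == user.id)

def owner_or_manager(fld):
    own = owner(fld)
    return lambda user, rec: own(user, rec) or (
        user is not None and user.role in ("manager", "admin"))

# policy Lead from the page; Lead.seller is stored as the owning user's id.
LEAD_POLICY = {
    "create": authenticated(),
    "read": owner_or_manager("seller"),
    "update": owner_or_manager("seller"),
    "delete": role("admin"),
}

def allowed(policy, action, user, record=None):
    # Assumption: an action with no rule is denied rather than left open.
    check = policy.get(action)
    return bool(check and check(user, record))

# Constructed sample data.
LEAD = {"id": 10, "seller": 1}
ALICE = User(id=1)                   # seller who owns the lead
BOB = User(id=2)                     # seller who does not own it
MGR = User(id=3, role="manager")
ADMIN = User(id=4, role="admin")
```

With this data, BOB can create leads but cannot read ALICE's lead, and MGR can read and update it but not delete it.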
rate_limit and CORS
api {
  rate_limit 100/minute
  cors {
    allow "https://app.example.com"
  }
}
Per-route (proposed — not in v0.1 grammar):
endpoint Login {
  rate_limit 5/minute
}
SQL injection
Transpilers must emit parameterized queries / ORM only. This requirement does not cover hand-written custom code.
Multi-target output
| Target | Artifact |
|---|---|
| Go | JWT middleware, handler checks |
| TypeScript | guards, decorators |
| Python | dependencies / decorators |
| PHP | policies, gates |
| OpenAPI | securitySchemes |
crm-reference.aip already includes policy Lead and api with rate limit + CORS.