docs: rewrite multitenant rbac example with OPL

[DavudSafarli]

Replaces the outdated keto RBAC example

Summary by CodeRabbit

• New Features
  • Expanded permission-expression parsing to recognize more natural sentence forms (e.g., "allowed to", optional "perform", and additional connector words) and to accept more permissive action tokens (including dot-containing actions).
• Tests
  • Added tests covering the new declarative forms, including "allowed to" and dot-containing action names.

[Copilot]

Pull request overview

This PR updates the Ory Keto RBAC documentation and associated syntax highlighting to reflect an OPL-based, multi-tenant-friendly modeling approach instead of the older RBAC example.

Changes:

• Rewrites the RBAC guide to demonstrate tenant-scoped RBAC modeling in OPL, including role management flows.
• Extends the keto-natural Prism grammar to support dotted permission names (e.g. users.list, reports.view) and the optional perform keyword.
• Updates Jest Prism tokenization tests and snapshots to cover the new grammar behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
tests/jest/prism/ketoRelationsPermissionsPrism.test.ts	Adds a new declarative test case for dotted permission names in keto-natural.
tests/jest/prism/snapshots/ketoRelationsPermissionsPrism.test.ts.snap	Refreshes snapshots to match the updated tokenizer behavior and new test case.
src/theme/ketoRelationsPermissionsPrism.js	Updates regexes/tokenization rules to accept dotted relations/permits and perform.
docs/keto/guides/rbac.mdx	Replaces the RBAC guide content with an OPL-based, multi-tenant RBAC example and guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 10eb4dcf-cbd0-4627-b185-eb158f6bf237

📥 Commits

Reviewing files that changed from the base of the PR and between c405eed and a008d43.

⛔ Files ignored due to path filters (2)

• docs/keto/guides/rbac.mdx is excluded by !**/*.mdx
• tests/jest/prism/__snapshots__/ketoRelationsPermissionsPrism.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (2)

• src/theme/ketoRelationsPermissionsPrism.js
• tests/jest/prism/ketoRelationsPermissionsPrism.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/jest/prism/ketoRelationsPermissionsPrism.test.ts
• src/theme/ketoRelationsPermissionsPrism.js

---

📝 Walkthrough

Walkthrough

The PR extends the keto-natural Prism grammar to recognize additional sentence forms, including "allowed to" and "perform" phrases, with refined lookahead-based placeholder matching and adjusted keyword/permit token ordering. Two new test cases validate these expanded patterns.

Changes

Grammar and Test Expansion for "Allowed To" Constructs

Layer / File(s)	Summary
Pattern Foundation src/theme/ketoRelationsPermissionsPrism.js (lines 24–28)	Updated "natural-placeholder" to use lookahead-based regex ensuring presence of Subject/Relation/Object placeholders.
Declarative Grammar Core src/theme/ketoRelationsPermissionsPrism.js (lines 71–102)	Extended the "natural" block to support broader sentence structures, added "allowed to" and "perform" keywords, introduced flexible permit token, and refined tokenization of subject and object elements.
Permission Check Grammar src/theme/ketoRelationsPermissionsPrism.js (lines 103–134)	Expanded "natural-check" pattern to support "allowed to" and related constructs with updated keyword sets and reordered permit patterns before keywords.
Test Coverage tests/jest/prism/ketoRelationsPermissionsPrism.test.ts (lines 50–56)	Added two new declarative test cases: "allowed to access to" and "allowed to perform" with dot-notation relations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 The grammar hops with newfound grace,
"Allowed to" finds its proper place,
With "perform" and dots dancing free,
Prism patterns bloom in harmony!
Regex magic, tests aligned—
A parser's joy, perfectly defined! 🌿

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title 'docs: rewrite multitenant rbac example with OPL' is specific and accurate, but the actual changes are to the Prism grammar file and tests, not documentation or examples.	Update the title to reflect the actual changes: something like 'feat: expand keto-natural Prism grammar patterns' or adjust the PR scope to match the documentation rewrite objective.
Description check	⚠️ Warning	The PR description is minimal and vague, missing required sections from the template including related issues, design documents, and completion of the provided checklist.	Complete the PR description by including a related issue link, explaining the changes in detail, and checking off applicable items in the provided checklist template.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch keto-d-update-rbac-example

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

tests/jest/prism/ketoRelationsPermissionsPrism.test.ts (1)

59-72: ⚡ Quick win

Add a question-form test for perform and dotted actions.

natural-check (lines 106 / 130 / 132 in src/theme/ketoRelationsPermissionsPrism.js) was updated to accept (?:perform )? and dotted permits, but questionTestCases doesn't exercise either path. Without a snapshot here, regressions in the question grammar's perform / dotted-action handling will go undetected.

🧪 Suggested additional test cases

   const questionTestCases = [
     {
       name: "simple question: is User:Bob allowed to view on Document:X",
       input: "is User:Bob allowed to view on Document:X",
     },
     {
       name: "question with 'in': is User:Alice in viewers of Document:X",
       input: "is User:Alice in viewers of Document:X",
     },
     {
       name: "question with relation subject: are members of Group:XYZ allowed to view on Document:X",
       input: "are members of Group:XYZ allowed to view on Document:X",
     },
+    {
+      name: "question with 'perform' and dotted action: is User:Bob allowed to perform users.list on Document:X",
+      input: "is User:Bob allowed to perform users.list on Document:X",
+    },
   ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/jest/prism/ketoRelationsPermissionsPrism.test.ts` around lines 59 - 72,
The questionTestCases array doesn't include cases exercising the new "perform"
optional token and dotted actions; add at least two new test entries to
questionTestCases: one with "perform" (e.g., input "is User:Bob allowed to
perform view on Document:X") and one using a dotted action/permission (e.g.,
input "is User:Bob allowed to view.read on Document:X" or similar dotted permit
form) so the grammar branch in natural-check (the updated rule accepting
(?:perform )? and dotted permits) is exercised by the test suite; update the
questionTestCases array by adding objects with descriptive name fields and the
specified input strings.

src/theme/ketoRelationsPermissionsPrism.js (1)

4-19: 💤 Low value

Update the grammar JSDoc to cover the new sentence forms.

The header docblock still only describes the original declarative/question forms. The grammar now also accepts:

• <Subject> is allowed to <action> (to|on|of) <Object> (e.g., User:Bob is allowed to access to Document:X)
• <Subject> is allowed to perform <action> <Object>
• Dotted actions (e.g., users.list)

Adding a couple of example lines here will keep the file self-documenting and match what the regex on lines 74/106 actually parses.

📝 Proposed doc additions

  * Declarative sentences:
  * - User:Bob is owner of Document:X
  * - Group:group2 is in members of Group:group1
  * - members of Group:Eng are viewers of Document:Xyz
  * - viewers of Group:Eng are in readers of Document:Xyz
  * - User:Bob is allowed to read Document:X
  * - members of Group:Eng is allowed to read Document:X
+ * - User:Bob is allowed to access to Document:X
+ * - User:Bob is allowed to perform users.list on Document:X
  *
  * Question sentences:
  * - is User:Bob allowed to view on Document:X
  * - is User:Alice in viewers of Document:X
  * - are members of Group:XYZ allowed to view on Document:X
+ * - is User:Bob allowed to perform users.list on Document:X

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/theme/ketoRelationsPermissionsPrism.js` around lines 4 - 19, Update the
top JSDoc in src/theme/ketoRelationsPermissionsPrism.js to document the new
sentence patterns parsed by the grammar: add examples for "<Subject> is allowed
to <action> (to|on|of) <Object>" (e.g., "User:Bob is allowed to access to
Document:X"), "<Subject> is allowed to perform <action> <Object>" (e.g.,
"Group:admins is allowed to perform users.list Document:Y"), and show dotted
actions like "users.list" to reflect what the regexes used in the grammar (the
patterns around the action parsing referenced near the action-related regexes)
actually accept; include a couple representative example lines in the header so
the docblock matches the parser behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/theme/ketoRelationsPermissionsPrism.js`:
- Around line 4-19: Update the top JSDoc in
src/theme/ketoRelationsPermissionsPrism.js to document the new sentence patterns
parsed by the grammar: add examples for "<Subject> is allowed to <action>
(to|on|of) <Object>" (e.g., "User:Bob is allowed to access to Document:X"),
"<Subject> is allowed to perform <action> <Object>" (e.g., "Group:admins is
allowed to perform users.list Document:Y"), and show dotted actions like
"users.list" to reflect what the regexes used in the grammar (the patterns
around the action parsing referenced near the action-related regexes) actually
accept; include a couple representative example lines in the header so the
docblock matches the parser behavior.

In `@tests/jest/prism/ketoRelationsPermissionsPrism.test.ts`:
- Around line 59-72: The questionTestCases array doesn't include cases
exercising the new "perform" optional token and dotted actions; add at least two
new test entries to questionTestCases: one with "perform" (e.g., input "is
User:Bob allowed to perform view on Document:X") and one using a dotted
action/permission (e.g., input "is User:Bob allowed to view.read on Document:X"
or similar dotted permit form) so the grammar branch in natural-check (the
updated rule accepting (?:perform )? and dotted permits) is exercised by the
test suite; update the questionTestCases array by adding objects with
descriptive name fields and the specified input strings.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 795dbdb8-3d6c-4bd6-a333-bf4572b2c48a

📥 Commits

Reviewing files that changed from the base of the PR and between 9ac94e6 and c405eed.

⛔ Files ignored due to path filters (2)

• docs/keto/guides/rbac.mdx is excluded by !**/*.mdx
• tests/jest/prism/__snapshots__/ketoRelationsPermissionsPrism.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (2)

• src/theme/ketoRelationsPermissionsPrism.js
• tests/jest/prism/ketoRelationsPermissionsPrism.test.ts

[zepatrik]

Very good starting point! Two general improvement ideas:

1. I first had concerns because the last section on multi-tenancy is quite important and it wasn't obvious at first. Maybe it needs to be more prominent? Or the examples above should not look like a multi-tenant system as much?
2. I think we should consistently use the Sub is rel of obj notion.

[vinckr]

some style fixes:

• Always use Ory Keto, not Keto by itself
• Active voice in headlines, so for example Create a new organization instead of Creating a new organization
• Remove numbering in the headlines so Create a custom role instead of 3. Creating a custom role

for some reason I couldn't comment on the individual sections of the text, but I hope this is clear.

stoked to see this merged 🚢

[vinckr]

lgtm

[unatasha8]

1. You need to clarify what OPL stands for and link to it in the docs.
2. Clarify what 'organization' means in relation to Workspace/Project/Organization. "When Alice creates a new organization..."
3. Role ID guidance buried at the bottom on the article. This guidance rises to the level of a warning and should be shown well before any example of creating a role. Our own examples contradicts our guidance: "Suppose Alice creates a custom role called "Report Editor"."