(fork) eacl/write-schema! with SpiceDB schema DSL parser & feature validation #56
Merged
theronic merged 15 commits into feature/write-schema-dsl from Jan 31, 2026
Detailed review of the write-schema! implementation identifying:
- Critical missing validation for schema references
- Unsupported operators not being rejected
- Incomplete permission resolution logic
- Test gaps and recommendations for fixes
https://claude.ai/code/session_018SAGqvWbKvw5WNoMTXxcNV

- Added systematic review of each ADR decision point
- Identified missing fixtures.schema file (ADR requirement)
- Added Decision 8 breakdown for validation requirements
- Updated recommendations with P0 for fixtures.schema
- Enhanced test gaps section with fixture file requirement
- Updated conclusion with ADR compliance summary
https://claude.ai/code/session_018SAGqvWbKvw5WNoMTXxcNV

…cl-write-schema-w1xt3
- Add instaparse/instaparse 1.5.0 dependency to deps.edn
- Remove unnecessary eacl.datomic.core require from spice_parser.clj that created a cyclic dependency (schema -> spice_parser -> core -> schema)
- Add :nrepl alias to deps.edn for MCP REPL integration
- Update CLAUDE.md with comprehensive nREPL setup instructions and MCP tool usage patterns
This fixes test failures caused by missing dependencies and circular namespace references.

Implements two-stage schema processing:
1. Parser: accepts complete official SpiceDB grammar (wildcards, subject relations, caveats, all operators, arrow functions, etc.)
2. Validator: enforces EACL restrictions via validate-eacl-restrictions
Key changes:
- Rewrote Instaparse grammar for full SpiceDB syntax support
- Added validate-eacl-restrictions with clear error messages
- Added validate-schema-references for relation/permission checking
- Updated read-schema to return rich map per ADR 012
- Added comprehensive parser and schema validation tests
All 23 tests pass (273 assertions).

Highlights gaps:
- P0: Comment support missing (blocking for production schemas)
- P1: Expiration traits and caveat definitions not parsed
- P2: self, .all(), subject relations, wildcards for future
Also documents architecture notes for potential refactoring.

1. Validation error messages now clearly indicate the unsupported feature:
   - "Unsupported operator: Exclusion (-). EACL only supports Union (+) at this time."
   - "Unsupported feature: Wildcard relation 'user:*' in doc/viewer..."
   - etc.
2. indexed_test.clj now loads schema via write-schema! with fixtures.schema instead of directly transacting Relation/Permission fixtures.
   - Demonstrates that the SpiceDB DSL schema is functionally equivalent
   - Clojure data fixtures retained for reference
All 23 tests pass (273 assertions).

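The parse-then-validate split described in the two commit messages above, as an added Clojure sketch that is not code from this PR or from EACL. The AST shape, the names `expr-errors`, `definition-errors` and `validate-schema!`, and the unknown-reference message are assumptions; only the two "Unsupported ..." message formats follow the commit text. The validator fails closed, because an exclusion silently evaluated as a union would widen access.

```clojure
(require '[clojure.string :as str])

;; Hypothetical AST (an assumption, not EACL's parser output):
;;   expr := [:ref name] | [op expr ...], op in #{:union :intersection :exclusion}
(def operator-names
  {:intersection "Intersection (&)", :exclusion "Exclusion (-)"})

(defn expr-errors
  "Walks one permission expression and returns its error strings."
  [known def-name perm [tag & args]]
  (let [operands (fn [] (mapcat #(expr-errors known def-name perm %) args))]
    (case tag
      :ref   (when-not (contains? known (first args))
               [(str "Unknown relation or permission '" (first args)
                     "' in " def-name "/" perm)])
      :union (operands)
      ;; Fail closed on every other operator, but still check its operands.
      (cons (str "Unsupported operator: " (get operator-names tag (name tag))
                 ". EACL only supports Union (+) at this time.")
            (operands)))))

(defn definition-errors
  [{def-name :name :keys [relations permissions]}]
  (let [known (set (map :name (concat relations permissions)))]
    (concat
     (for [{rel :name :keys [subjects]} relations
           {subject-type :type :keys [wildcard?]} subjects
           :when wildcard?]
       (str "Unsupported feature: Wildcard relation '" subject-type ":*' in "
            def-name "/" rel))
     (mapcat (fn [{perm :name :keys [expr]}]
               (expr-errors known def-name perm expr))
             permissions))))

(defn validate-schema!
  "Returns the AST when clean; otherwise throws with every problem listed."
  [ast]
  (let [errors (vec (mapcat definition-errors (:definitions ast)))]
    (when (seq errors)
      (throw (ex-info (str/join "\n" errors) {:errors errors})))
    ast))

;; Constructed sample: `view` uses exclusion, `edit` references a missing name.
(def sample-ast
  {:definitions
   [{:name "doc"
     :relations [{:name "viewer" :subjects [{:type "user" :wildcard? true}]}
                 {:name "banned" :subjects [{:type "user"}]}]
     :permissions [{:name "view" :expr [:exclusion [:ref "viewer"] [:ref "banned"]]}
                   {:name "edit" :expr [:union [:ref "viewer"] [:ref "owner"]]}]}]})

(try (validate-schema! sample-ast)
     (catch clojure.lang.ExceptionInfo e (run! println (:errors (ex-data e)))))
```

Collecting every error before throwing lets a schema author fix all rejected constructs in one pass, while nothing is written unless the list is empty.
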
Reviews improvements since initial review:
- All P0 issues from ADR compliance now addressed
- Schema reference validation implemented
- Unsupported operators now rejected
- fixtures.schema created and tested
Identifies new issues:
- P0: No comment support in grammar (blocking for production)
- P1: Self-permission semantic equivalence unverified
- P2: Minor dead code and inconsistent error sources
https://claude.ai/code/session_018SAGqvWbKvw5WNoMTXxcNV

eacl/write-schema! with SpiceDB schema DSL parser & feature validation
Previous commit accidentally broke ->> threading macros when editing indentation. Reverted test file to working state that still uses write-schema! with fixtures.schema DSL. All 24 tests pass (302 assertions).
…eronic/eacl into claude/review-eacl-write-schema-w1xt3
The alias `eacl` for `eacl.datomic.impl` conflicted with other files that alias `eacl.core` as `eacl`. This caused reload-all failures: "Alias eacl already exists in namespace eacl.datomic.fixtures" Changed to just `:refer [Relation Relationship Permission]` since the alias was unused.
Deleted indexed.clj.orig (tracked) and several untracked leftover files:
- spice_parser_{REMOTE,BASE,BACKUP,LOCAL}_35829.clj (merge conflict files)
- Various .orig backup files
These files were causing false cycle detection in Cursive IDE since the
old merge conflict files still referenced eacl.datomic.core.
Replace count-based and `some` predicate assertions with exact set comparisons for more precise testing:
- Relations: check exact set of 3 relations
- Permissions: check exact set of 5 permissions
- Definitions: check exact set of definition keys
This catches regressions that count/some tests would miss.