v0.1.0

First release

A Carryall backend that reads ConductorOne Baton .c1z files. Plugs any baton-sdk connector's output (e.g. baton-github) into Authority Runtime ≥0.4.0 as an identity-graph source of truth for Carryall's runtime authorization layer.

Install

pip install carryall-baton-backend

Quick start

from carryall_baton import BatonBackend

backend = BatonBackend(
    c1z_path="./sync.c1z",
    agent_to_principal={"release-agent": "alice"},  # Carryall agent_id → GitHub username
)

Or plug in via Carryall's Backend Protocol + entry-point resolution:

{
  "backend": "baton",
  "init": {
    "c1z_path": "./sync.c1z",
    "agent_to_principal": { "release-agent": "alice" }
  }
}

export CARRYALL_SLOS_CONFIG=./backend.json
carryall shell

What works

• list_vaults, list_resources, get_metadata, check_access, read_document, query_documents — all implemented against baton-sdk's v1 schema.
• check_access tries envelope-scope match first, then direct baton-grant lookup via the agent_to_principal mapping.
• Registers as a baton entry point under the authority_runtime.backends group so load_backend() resolves it automatically.
• 18 tests passing against a programmatically-generated synthetic .c1z.

v0.1 limitations

• No protobuf decoding of resource data blobs — indexed columns only. Display names fall back to external_id.
• write_document raises NotImplementedError — baton syncs are produced by connectors, not written to by agents.

License

MIT.