# ═══════════════════════════════════════════════════════════
# AutoSnippet Constitution — 权限宪法
# ═══════════════════════════════════════════════════════════
#
# 三层权限架构:
#   ① 能力层 (capabilities) — git push --dry-run 探测物理写权限
#   ② 角色层 (roles)        — 角色权限矩阵 (action:resource)
#   ③ 治理层 (rules)        — 扁平规则引擎
#
# 双路径模式:
#   AUTH_ENABLED=false → recipes 子仓库探针自动决定角色（能力层驱动）
#   AUTH_ENABLED=true  → 登录后根据用户配置角色（角色层驱动）
# ═══════════════════════════════════════════════════════════

# Schema version of this constitution file and the date it takes effect.
# Both values are quoted on purpose: unquoted, 3.0 would load as a float
# and 2026-02-13 as a date object rather than a string.
version: "3.0"
effective_date: "2026-02-13"

# ─── Capability probing ──────────────────────────────────────
# Capability layer: a capability is established by running a probe
# against the local checkout, not by configuration. In the
# AUTH_ENABLED=false path (see header) the probe result is what decides
# the role, so "identity" here is whoever holds the git credentials on
# the machine running the probe.
capabilities:
  git_write:
    description: "recipes 子仓库 git push 权限"
    # The probe is a dry-run push from the recipes sub-repository; a
    # successful dry run is taken as evidence of push (write) access.
    probe: "git push --dry-run"
    # Sub-repository path, relative to projectRoot (customisable).
    sub_repo_dir: "AutoSnippet/recipes"
    # Behaviour when the sub-repository directory is missing, or when it
    # has no remote to push to. Both are "allow", which reads as granting
    # the capability without any probe having succeeded (fail-open).
    # NOTE(review): with these values a checkout that simply lacks the
    # recipes sub-repo satisfies `requires_capability: git_write` and so
    # qualifies for the developer role ("*" permissions); "deny" would be
    # the fail-closed choice. Confirm this is intended.
    no_subrepo: "allow"
    no_remote: "allow"
    # How long a probe result is reused before re-probing (presumably
    # seconds, i.e. 24 h — verify the unit in the probe implementation).
    # A push right revoked upstream is not noticed until the cached
    # result expires.
    cache_ttl: 86400

# ─── Governance rules (flat list; replaces the earlier priority tiers) ───
# Each rule names a `check` that the rule engine implements; the checks
# themselves are not defined in this file. No ordering or precedence is
# expressed here, so each rule is presumably evaluated independently.
rules:
  # Destructive (delete) operations must be confirmed before they run.
  - id: "destructive_confirm"
    description: "删除操作需要确认"
    check: "destructive_needs_confirmation"
  # Creating a candidate or a recipe requires non-empty content.
  - id: "content_required"
    description: "创建 candidate/recipe 需要内容"
    check: "creation_needs_content"
  # AI agents may not create or approve a recipe directly; the agent
  # roles below only get "create:candidates".
  # NOTE(review): the description covers create *and* approve, but the
  # check name mentions only approval — confirm the check also blocks
  # direct creation.
  - id: "ai_no_direct_recipe"
    description: "AI 不能直接创建/批准 recipe"
    check: "ai_cannot_approve_recipe"
  # Batch operations need explicit authorization.
  - id: "batch_authorized"
    description: "批量操作需要授权"
    check: "batch_needs_authorization"

# ─── Role definitions ────────────────────────────────────────
# Each role lists `permissions` as "action:resource" strings (one entry,
# "read:audit_logs:self", carries a third scope segment). `constraints`
# are free-text sentences; nothing in this file ties them to a `check`
# identifier, so they read as documentation of intent rather than
# enforced policy. NOTE(review): confirm whether the engine enforces
# constraints at all, or only the `rules` checks above.
roles:
  # External AI agents running inside an IDE (Cursor / Copilot /
  # Claude Code). Read access to recipes and guard rules, plus the
  # ability to propose candidates, submit knowledge, bootstrap knowledge
  # and create skills; not allowed to write recipes or guard rules.
  # NOTE(review): "knowledge:bootstrap" is the only entry not in
  # action:resource order (compare "submit:knowledge"); if the engine
  # parses permission strings positionally it will not match as intended.
  # "create:skills" is a write permission no other role has.
  - id: "external_agent"
    name: "External Agent"
    description: "IDE 中的外部 AI Agent（Cursor / Copilot / Claude Code）"
    permissions:
      - "read:recipes"
      - "read:guard_rules"
      - "create:candidates"
      - "submit:knowledge"
      - "read:audit_logs:self"
      - "knowledge:bootstrap"
      - "create:skills"
    constraints:
      - "不能直接修改 Recipe"
      - "不能修改 Guard 规则"
      - "不能删除任何数据"

  # AutoSnippet's built-in ChatAgent (Dashboard chat / programmatic use).
  # Read access plus candidate creation only — no knowledge or skills
  # writes, unlike external_agent.
  - id: "chat_agent"
    name: "ChatAgent"
    description: "AutoSnippet 内置 AI Agent（Dashboard 对话 / 程序化调用）"
    permissions:
      - "read:recipes"
      - "read:candidates"
      - "create:candidates"
      - "read:guard_rules"
    constraints:
      - "生成的 Candidate 必须包含完整 Reasoning"
      - "不能绕过 Guard 检查"

  # Team member whose checkout has the recipes sub-repo but no push right
  # to it (presumably the git_write probe ran and failed). Read-only.
  # NOTE(review): this is narrower than both AI-agent roles, which may
  # create candidates — confirm a human contributor is meant to have
  # fewer write permissions than an external agent.
  - id: "contributor"
    name: "Contributor"
    description: "有子仓库但无 push 权限的团队成员（只读）"
    permissions:
      - "read:recipes"
      - "read:candidates"
      - "read:guard_rules"
      - "read:audit_logs:self"
    constraints:
      - "不能创建/修改 Recipe（无子仓库写权限）"
      - "不能修改 Guard 规则"
  # Minimum-privilege visitor in strict mode: read recipes and guard
  # rules only. NOTE(review): "strict mode" is not defined in this file.
  - id: "visitor"
    name: "Visitor"
    description: "严格模式下的最小权限访客"
    permissions:
      - "read:recipes"
      - "read:guard_rules"
    constraints:
      - "仅可读取，不能执行任何写操作"
  # Project owner. "*" is a wildcard over every action:resource pair.
  # This is the only role gated on a capability: it requires git_write,
  # i.e. a passing `git push --dry-run` probe — or, given the probe's
  # no_subrepo/no_remote = "allow" settings, a checkout with no recipes
  # sub-repo or remote at all. NOTE(review): confirm requires_capability
  # is also evaluated in the AUTH_ENABLED=true path, where roles come
  # from user configuration rather than the probe.
  - id: "developer"
    name: "开发者"
    description: "项目 Owner，完整权限"
    permissions:
      - "*"
    requires_capability:
      - "git_write"
