ibexharness
DocsBlogReleasesRoadmap
GitHub
ibexharness

Documentation

Architecture Decision RecordsADR-0002: Repository foundation bootstrapADR-0003: Branch protection and merge policyADR-0004: Protobuf and code generation policyADR-0005: Postgres migration strategyADR-0006: Auth protobuf contract (`ibex.auth.v1`)ADR-0007: Auth token validation implementationADR-0008: Security scanning and CI quality gatesADR-0009: Permission bitmap layoutADR-0010: Cryptography policyADR-0011: Proxy auth gRPC client and middlewareADR-0012: Proxy request normalization (OpenAI chat)ADR-0013: Proxy input validation and stable error envelopeADR-0014: Core domain migration sequencingADR-0015: Proxy rate limit skeleton (Phase 1)ADR-0016: Proxy agent identity verification (Phase 1)ADR-0017: Request ID and trace context strategy (Phase 1)ADR-0018: Graceful shutdown contract (Phase 1)ADR-0019: OpenTelemetry provider configuration (Phase 1)ADR-0020: Shared package boundaries — `packages/config` and `packages/apierror`ADR-0021: Prometheus Metric Catalog (Phase 1)ADR-0022: Health check contract (Phase 1)ADR-0023: Docs site architecture (Phase 1.5)
ADRs›ADR-0009: Permission bitmap layout
ADRs

ADR-0009: Permission bitmap layout

Architecture decision record 0009.

ADR-0009: Permission bitmap layout

  • Status: Accepted
  • Date: 2026-06-04
  • Authors: IBEX Harness team

Context

The 64-bit permission bitmap is stored on ibex_core.tokens.permissions and returned by ValidateToken. Multiple docs reference the layout, but no single Go package or ADR locked the bit assignments. Milestone 1.1.5 establishes the contract before token management (1.1.4) and proxy auth (1.2.1) enforce permission checks.

Decision

1) Canonical implementation

  • Package: packages/permissions (github.com/Rick1330/ibex-harness/packages/permissions)
  • Helpers: Has, HasAny, RequiresMFA, UsesReservedHighBits
  • Predefined sets: AgentDefault, ProxyChatCompletion, ReadOnly, Admin

2) Bit layout (v1)

BitGroupPermission
0MemoryMemoryRead
1MemoryMemoryWrite
2MemoryMemoryDelete
3MemoryMemoryBulkExport
4-7MemoryReserved
8DirectiveDirectiveRead
9DirectiveDirectiveWrite
10DirectiveDirectivePromote (MFA)
11DirectiveDirectiveRevoke (MFA)
12-15DirectiveReserved
16SessionSessionCreate
17SessionSessionRead
18SessionSessionTerminate
19-23SessionReserved
24TraceTraceRead
25TraceTraceExport
26-31TraceReserved
32AdminUserManage
33AdminBillingRead
34AdminBillingManage
35AdminOrgSettingsWrite
36AdminTokenCreate
37AdminTokenRevoke
38-39AdminReserved
40MarketplaceMarketplacePublish
41MarketplaceMarketplaceInstall
42-47MarketplaceReserved
48FederationFederationShare
49-55FederationReserved
56-63—Reserved (do not use in v1)

3) Phase 2 proxy minimum

For OpenAI-compatible chat completion through the proxy, a token must include:

MemoryRead | SessionCreate | SessionRead (permissions.ProxyChatCompletion).

4) Change policy

  • Bit positions are stable for ibex.auth.v1 and stored token rows.
  • New permissions consume reserved bits within a group or require ADR + migration if layout changes.
  • Bits 56-63 are reserved for future expansion.

Consequences

Positive

  • Single import path for all services checking permissions.
  • Tests verify non-overlap and subset relationships.

Negative

  • Renumbering bits requires data migration and a new ADR.

References

  • ARCHITECTURE.md — auth permission table
  • Milestone 1.1.5
  • ADR-0006 — ValidateTokenResponse.permissions

Was this page helpful?

Edit on GitHub

Last updated on

PreviousADR-0008: Security scanning and CI quality gatesNextADR-0010: Cryptography policy

On this page

  • Context
  • Decision
  • 1) Canonical implementation
  • 2) Bit layout (v1)
  • 3) Phase 2 proxy minimum
  • 4) Change policy
  • Consequences
  • Positive
  • Negative
  • References
0%