access-control-is-transitive-subset-gated

IN derived (depth 1)

Access control enforces transitive subset-based authorization: visibility requires the caller's tags to be a superset of the node's tags, derived nodes inherit the sorted union of all ancestor tags transitively, and enforcement occurs at read boundaries only — write operations are unrestricted.

Summary

The system controls who can see what using a tag-based permission model where you can only read a node if you hold all of its tags, not just some of them. Because derived nodes accumulate tags from everything they depend on, a conclusion that draws on restricted sources automatically becomes at least as restricted as its most restricted input. Notably, anyone can still create or modify nodes freely — the gate only blocks reading, so a user might write something they cannot later see.

Justifications

SL — Three access control properties (subset gate, transitive inheritance, read-boundary enforcement) form a complete authorization model

Antecedents (all must be IN):

  • access-tags-subset-gate — A tagged node is visible only when its `access_tags` are a subset of the caller's `visible_to` set; partial overlap (intersection without containment) is insufficient for access.
  • tag-inheritance-is-transitive-union — Derived nodes inherit the sorted union of all ancestor `access_tags`, propagating transitively through arbitrarily long justification chains including diamond dependencies.
  • access-control-enforced-at-read-not-write — Access control (`_is_visible`) is enforced at read/query boundaries (`show_node`, `explain_node`, `trace_assumptions`) via `PermissionError`, but write operations (`add_node`, `retract_node`, `assert_node`) do not check visibility.

Dependents

These beliefs depend on this one:

Details