
rbac typed grant (§6) + OGAR DO-arm provider (Türsteher) + Rung↔elevation calibration #600

Merged
AdaWorldAPI merged 2 commits into main from claude/medcare-bridge-lance-graph-wmx76z
Jun 23, 2026

@AdaWorldAPI AdaWorldAPI commented Jun 23, 2026


Three of the five autoattended "Türsteher" bricks, all lance-graph-side.

1. contract::rbac — the typed granted value-tenant (keystone §6)

OpMask (verb bitmask) + ClassGrant { target_classid: u16, op_mask: u8 } +
grants_permit. The first-class, palette-native replacement for
project_role.permissions: text (I-K0 registry axiom: decisions key on
classid, not on text). Keys on the shared-concept low u16, so a grant
survives any app render-skin (hi u16). Re-exported from lance-graph-rbac.
The richer PermissionSpec (depth/predicate/action-name) is the finer stage
above the verb gate. 6 tests.

2. lance-graph-ogar::OgarActionProvider — the OGAR DO-arm provider

Per-class ActionDef manifests keyed by classid, with RBAC hardcoded into the
class (the Türsteher): auth_store (0x0B01) carries required_role on every
mutating action as a compile-time const; auth_zitadel (0x0B02) inherits via
effective_actions and overrides issue_token onto the Elixir low-code exec
path without widening the grant. Containment by structure — cognition above
cannot widen a class's DO surface.

Decoupled from ogar-vocab git (literal canon ids) so the module is
contract-only; verified 4/4 against the contract in isolation. The lib's own
test run is blocked by a pre-existing OGAR-main↔mirror codebook lag (OGAR
main lacks the 2026-06-23 auth mint the in-repo ogar_codebook mirror already
carries — parity::COUNT_FUSE); that is a cross-repo pin concern, not this
module.

3. planner elevation — ElevationLevel::from_rung(RungLevel)

The Rung-1-9 Flughöhe ↔ elevation L0-L5 calibration, monotone
non-decreasing (a cost floor of ambition). Csíkszentmihályi's Flow channel
(already in code: FlowState + flow_state_from + elevation::homeostasis)
tunes the spend around that floor — Boredom deepens, Anxiety caps. 1 test
(monotonicity + endpoints).

All new tests green; clippy/fmt clean on the touched crates (pre-existing
workspace warnings unchanged).

🤖 Generated with Claude Code



Summary by CodeRabbit

Release Notes

  • New Features
    • Implemented a role-based access control system with granular permission enforcement across class operations.
    • Added an action provider for managing class-level operations with support for inheritance and overrides.
    • Enhanced operation execution level mapping based on complexity.

Three of the five autoattended bricks, all lance-graph-side:

contract::rbac (§6 keystone) — the typed `granted` value-tenant: OpMask
(verb bitmask), ClassGrant (target_classid:u16, op_mask:u8), grants_permit.
The first-class, palette-native replacement for project_role.permissions:
text (I-K0 registry axiom: decisions key on classid, not on text). Keys on
the shared-concept low u16 so a grant survives any app render-skin.
Re-exported from lance-graph-rbac. 6 tests.

lance-graph-ogar::OgarActionProvider — the OGAR DO-arm provider: per-class
ActionDef manifests keyed by classid, with RBAC HARDCODED into the class
(the Türsteher). auth_store (0x0B01) carries required_role on every mutating
action as a compile-time const; auth_zitadel (0x0B02) inherits it via
effective_actions and overrides issue_token onto the Elixir low-code exec
path without widening the grant. Containment by structure: cognition above
cannot widen a class's DO surface. Decoupled from ogar-vocab git (literal
canon ids) so the module is contract-only; verified 4/4 against the contract
(the lib's own test run is blocked by a PRE-EXISTING OGAR-main↔mirror
codebook lag — main lacks the 2026-06-23 auth mint the in-repo mirror has).

planner elevation — ElevationLevel::from_rung(RungLevel): the Rung-1-9
Flughöhe ↔ elevation L0-L5 calibration, monotone non-decreasing (a cost
floor of ambition). Csíkszentmihályi's Flow channel (already in code as
FlowState + flow_state_from + elevation::homeostasis) tunes the spend around
that floor: Boredom deepens, Anxiety caps. 1 test (monotonicity + endpoints).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EYvNjD8M8LMNYbRy3gq2FP
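
The typed grant check described in the PR text above, as an added sketch (not code from the lance-graph repository). The bit positions, the u32 class id layout (hi u16 render skin, low u16 shared concept) and the rule that an empty request never passes are assumptions of this example.

```rust
// Added illustration, not the lance-graph source. Bit positions and the
// u32 class id layout (hi u16 = render skin, low u16 = concept) are assumed.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct OpMask(pub u8);

impl OpMask {
    pub const NONE: OpMask = OpMask(0);
    pub const READ: OpMask = OpMask(1 << 0);
    pub const WRITE: OpMask = OpMask(1 << 1);
    pub const CREATE: OpMask = OpMask(1 << 2);
    pub const DELETE: OpMask = OpMask(1 << 3);
    pub const ACT: OpMask = OpMask(1 << 4);

    pub const fn union(self, other: OpMask) -> OpMask { OpMask(self.0 | other.0) }
    /// Every requested bit must be granted; an empty request never passes
    /// (a choice made in this sketch).
    pub const fn permits(self, op: OpMask) -> bool { op.0 != 0 && (self.0 & op.0) == op.0 }
}

#[derive(Clone, Copy, Debug)]
pub struct ClassGrant { pub target_classid: u16, pub op_mask: u8 }

impl ClassGrant {
    /// Match on the low u16 only, so the hi-u16 render skin cannot change the decision.
    pub fn permits(&self, class: u32, op: OpMask) -> bool {
        (class & 0xFFFF) as u16 == self.target_classid && OpMask(self.op_mask).permits(op)
    }
}

/// Default-deny: an empty slice, or no single matching grant, yields false.
pub fn grants_permit(granted: &[ClassGrant], class: u32, op: OpMask) -> bool {
    granted.iter().any(|g| g.permits(class, op))
}

/// Constructed sample: one grant of READ|ACT on concept 0x0B01.
pub fn demo() -> [bool; 5] {
    let granted = [ClassGrant { target_classid: 0x0B01, op_mask: OpMask::READ.union(OpMask::ACT).0 }];
    [
        grants_permit(&granted, 0x0000_0B01, OpMask::READ),   // granted verb
        grants_permit(&granted, 0x00A7_0B01, OpMask::ACT),    // other skin, same concept
        grants_permit(&granted, 0x0000_0B01, OpMask::DELETE), // verb not granted
        grants_permit(&granted, 0x0000_0B02, OpMask::READ),   // different class
        grants_permit(&[], 0x0000_0B01, OpMask::READ),        // no grants at all
    ]
}

fn main() {
    println!("{:?}", demo());
}
```
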

@coderabbitai

coderabbitai Bot commented Jun 23, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between fca8674 and fe60a1b.

📒 Files selected for processing (1)
  • crates/lance-graph-ogar/src/actions.rs
Walkthrough

Adds typed RBAC grant primitives (OpMask, ClassGrant, grants_permit) to lance-graph-contract and re-exports them from lance-graph-rbac. Introduces OgarActionProvider in lance-graph-ogar with hardcoded auth-class action manifests, Zitadel inheritance/override, and a class registry. Adds ElevationLevel::from_rung in lance-graph-planner mapping RungLevel variants to elevation floors.

Changes

Typed RBAC Grant Primitives

| Layer / File(s) | Summary |
| --- | --- |
| OpMask, ClassGrant, grants_permit — implementation and re-export: crates/lance-graph-contract/src/rbac.rs, crates/lance-graph-rbac/src/lib.rs | Defines OpMask verb bitmask with READ/WRITE/CREATE/DELETE/ACT/NONE constants, union/contains/permits methods; ClassGrant with low-u16 classid matching and verb checks; grants_permit slice helper with default-deny; unit tests for all three; and pub use re-export from lance-graph-rbac. |

OGAR Action Provider

| Layer / File(s) | Summary |
| --- | --- |
| Auth-class action manifests, registry, and OgarActionProvider: crates/lance-graph-ogar/src/actions.rs, crates/lance-graph-ogar/src/lib.rs | Hardcodes AUTH_STORE_ACTIONS and AUTH_ZITADEL_ACTIONS compile-time tables with required_role, StateGuard, and exec targets; builds a classid→actions REGISTRY; implements OgarActionProvider with actions_for (empty fallback for unknown classes) and effective_actions (parent inheritance + override dispatch); re-exports from crate root; unit tests covering RBAC presence, Zitadel inheritance/override, unknown-class empty, and exec target correctness. |

ElevationLevel::from_rung Mapping

| Layer / File(s) | Summary |
| --- | --- |
| ElevationLevel::from_rung implementation and monotonicity test: crates/lance-graph-planner/src/elevation/mod.rs | Imports RungLevel, implements from_rung mapping all variants to ElevationLevel floors (Surface/Shallow→Point through Recursive/Transcendent→Async); adds from_rung_is_monotone_and_spans_the_ladder test asserting non-decreasing order and key endpoint values. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  rect rgba(100, 149, 237, 0.5)
    Note over Caller,OpMask: RBAC Grant Check
    Caller->>grants_permit: grants_permit(granted_slice, class, op)
    grants_permit->>ClassGrant: permits(class, op)
    ClassGrant->>ClassGrant: match low-u16 of ClassId vs target_classid
    ClassGrant->>OpMask: permits(op)
    OpMask-->>ClassGrant: verb bit match
    ClassGrant-->>grants_permit: bool
    grants_permit-->>Caller: any true → permit, else deny
  end
```

```mermaid
sequenceDiagram
  rect rgba(144, 238, 144, 0.5)
    Note over Client,effective_actions_fn: OGAR Effective Actions Resolution
    Client->>OgarActionProvider: effective_actions(classid)
    OgarActionProvider->>parent_of: parent_of(classid)
    parent_of-->>OgarActionProvider: Some(AUTH_STORE) or None
    OgarActionProvider->>effective_actions_fn: (parent_actions, own_actions)
    effective_actions_fn-->>OgarActionProvider: merged Vec<ActionDef> with overrides
    OgarActionProvider-->>Client: Vec<ActionDef>
  end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • AdaWorldAPI/lance-graph#598: Adds an authorize() kernel that calls ClassRbac::grant_permits, directly consuming the OpMask/ClassGrant/grants_permit typed grant surface introduced in this PR.

Poem

🐇 A mask of bits for READ and ACT,
A grant that checks by low-u16 fact,
The Ogar rabbit tends each class,
While Rung-to-Elevation maps en masse.
Deny by default, permit by match —
The warren's RBAC is quite the catch! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title specifically and accurately summarizes all three main changes: RBAC typed grant system (§6), OGAR DO-arm action provider (Türsteher), and rung-to-elevation calibration mapping. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/lance-graph-ogar/src/actions.rs`:
- Around line 167-170: The effective_actions method returns inherited ActionDef
instances from parent classes with their object_class field unchanged (pointing
to the parent class). When these inherited actions are used for a child class,
the object_class mismatch causes ActionInvocation::commit to reject them before
RBAC is applied. Modify the effective_actions function to rebind the
object_class field of all returned ActionDef instances to match the requested
classid parameter, ensuring that inherited actions from parent classes are
properly tagged with the child class's identifier. This change should be applied
consistently both in the main effective_actions method (line 167-170) and
wherever else it is called (lines 215-235).

📥 Commits

Reviewing files that changed from the base of the PR and between d8a59a4 and fca8674.

📒 Files selected for processing (5)
  • crates/lance-graph-contract/src/rbac.rs
  • crates/lance-graph-ogar/src/actions.rs
  • crates/lance-graph-ogar/src/lib.rs
  • crates/lance-graph-planner/src/elevation/mod.rs
  • crates/lance-graph-rbac/src/lib.rs

Comment thread crates/lance-graph-ogar/src/actions.rs
…assid

CodeRabbit (PR #600) caught a real correctness bug: effective_actions
returned inherited parent ActionDefs with object_class unchanged
(AUTH_STORE_CID). contract::action::ActionInvocation::commit def-matches
on def.object_class == inv.object_class BEFORE RBAC, so an inherited
revoke_token/rotate_secret advertised on auth_zitadel could never commit
for a Zitadel instance (def.object_class=0x0B01 vs inv.object_class=0x0B02
→ Failed). Rebind every effective action to the requested child classid
(idempotent for the child's own actions). Test now asserts all effective
actions carry the child classid.

Verified 4/4 against the contract in isolation (lib build still blocked by
the pre-existing OGAR-main↔mirror codebook lag, unrelated).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EYvNjD8M8LMNYbRy3gq2FP
@AdaWorldAPI AdaWorldAPI merged commit 5f672f2 into main Jun 23, 2026
6 checks passed
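
The inheritance bug and its fix from the review thread above, reduced to a runnable model (an added example, not code from the lance-graph repository). Class ids and action names are taken from the page; the role name `auth_admin`, the exec labels, the `rebind` switch and the `Outcome` enum are assumptions of this sketch.

```rust
// Added illustration, not the lance-graph source. Role names, exec labels
// and the Outcome enum are assumptions; class ids and action names are the page's.
const AUTH_STORE: u16 = 0x0B01;
const AUTH_ZITADEL: u16 = 0x0B02;

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct ActionDef { pub name: &'static str, pub object_class: u16, pub required_role: &'static str, pub exec: &'static str }

const AUTH_STORE_ACTIONS: &[ActionDef] = &[
    ActionDef { name: "issue_token", object_class: AUTH_STORE, required_role: "auth_admin", exec: "native" },
    ActionDef { name: "revoke_token", object_class: AUTH_STORE, required_role: "auth_admin", exec: "native" },
];
const AUTH_ZITADEL_ACTIONS: &[ActionDef] = &[
    ActionDef { name: "issue_token", object_class: AUTH_ZITADEL, required_role: "auth_admin", exec: "elixir" },
];

fn own(classid: u16) -> &'static [ActionDef] {
    match classid { AUTH_STORE => AUTH_STORE_ACTIONS, AUTH_ZITADEL => AUTH_ZITADEL_ACTIONS, _ => &[] }
}

/// Parent actions first, child overrides by name; `rebind` toggles the fix.
pub fn effective_actions(classid: u16, rebind: bool) -> Vec<ActionDef> {
    let mut out = if classid == AUTH_ZITADEL { own(AUTH_STORE).to_vec() } else { Vec::new() };
    for a in own(classid) {
        let pos = out.iter().position(|d| d.name == a.name);
        match pos { Some(i) => out[i] = *a, None => out.push(*a) }
    }
    // The fix: tag every returned def with the requested (child) class id.
    if rebind { out.iter_mut().for_each(|d| d.object_class = classid); }
    out
}

#[derive(Debug, PartialEq)]
pub enum Outcome { Committed, Failed, Denied }

/// Def-match on object_class runs before the role check, as the commit message describes.
pub fn commit(def: &ActionDef, inv_class: u16, role: &str) -> Outcome {
    if def.object_class != inv_class { return Outcome::Failed; }
    if def.required_role != role { return Outcome::Denied; }
    Outcome::Committed
}

/// Invoke the inherited revoke_token on a Zitadel instance.
pub fn try_revoke(rebind: bool, role: &str) -> Outcome {
    let defs = effective_actions(AUTH_ZITADEL, rebind);
    let d = defs.iter().find(|d| d.name == "revoke_token").expect("inherited from auth_store");
    commit(d, AUTH_ZITADEL, role)
}

fn main() {
    println!("{:?} -> {:?}", try_revoke(false, "auth_admin"), try_revoke(true, "auth_admin"));
}
```

Rebinding changes only `object_class`; `required_role` travels with the inherited definition, so a caller without the role is still denied after the fix.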