NTO/Auth + SGO/sgo: add Device, hasVault, isWorkspace -- Bardioc GFS platform dependencies#775
Open
boosc wants to merge 4 commits into
Conversation
…platform deps

The Bardioc GFS PR almatoai#773 introduced the ogit.GFS: file/folder namespace but deliberately left out the auth-scope platform constructs that GFS depends on. This PR adds them as a separate, coordinated upstream change so the GFS file model is fully functional in OGIT.

New entity (NTO/Auth/entities/):
- Device: end-user device that authenticates against the platform. Distinct from the SGO ogit:Device (datacenter equipment).

New verbs (NTO/Auth/verbs/):
- usesDevice: Account to Device, many-to-many.
- hasVault: Person to DataScope, Personal Vault anchor.

New attributes (NTO/Auth/attributes/):
- deviceType: fixed-set (mobile, desktop, web, hsm, hardware-wallet).
- securityLevel: fixed-set (0, 50, 80, 100).
- fingerprint: cryptographic device fingerprint.
- lastSeenAt, revokedAt: device-lifecycle timestamps.
- isWorkspace: fixed-set boolean on Team for self-service workspaces.

Modifications to existing entities:
- Account.ttl: +1 allowed edge (usesDevice -> Device).
- Team.ttl: +1 optional attribute (isWorkspace).
- Person.ttl: +1 allowed edge (hasVault -> DataScope), plus the missing ogit.Auth: prefix declaration.

All three fixed-set attributes carry ogit:validation-type "fixed" + ogit:validation-parameter per the convention used in NTO/Knowledge/attributes/archived.ttl and adopted across the ogit.GFS: namespace after Calvin's review on PR almatoai#773.

Local validation: rdflib parse plus Python cross-reference check (all 448 classes, 269 verbs, 827 attributes resolve).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The first commit of this PR omitted the registeredAt attribute that the GFS concept Sec 6 lists alongside lastSeenAt and revokedAt as a Device lifecycle property. The omission was an oversight -- I had silently assumed the platform-standard ogit/_created would suffice. Concept doc is explicit: registeredAt is its own attribute.

Added as an optional ogit.Auth: attribute on Device. Distinct from SGO/sgo/verbs/registeredAt.ttl which is a verb (Person-to-Address registration), not an attribute. The local name collision is namespace-resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cy on the phone (2026-06-01) gave six votes on the PR almatoai#775 working assumptions:

1. ogit.Auth:Device -- OK, keep as proposed.
2. usesDevice -- DROP. Reuse the existing ogit.Auth:uses verb (already in NTO/Auth/verbs/uses.ttl). Account.ttl edge updated to [ ogit.Auth:uses ogit.Auth:Device ].
3. hasVault -- RENAME to ogit.Auth:owns. New verb file added at NTO/Auth/verbs/owns.ttl. Person.ttl edge updated to [ ogit.Auth:owns ogit.Auth:DataScope ].
4. ogit.Auth:deviceType -- OK, keep as proposed.
5. ogit.Auth:revokedAt -- OK, keep as a specialised Auth-namespace timestamp on Device.
6. revokedAt -- ADDITIONALLY introduce a generic top-level ogit:revokedAt in SGO/sgo/attributes/. The previous ogit.GFS:revokedAt is removed and ShareLink.ttl now uses the top-level ogit:revokedAt. The Auth-namespace ogit.Auth:revokedAt coexists for Device-specific semantics.

Net change:
- deleted: NTO/Auth/verbs/usesDevice.ttl
- deleted: NTO/Auth/verbs/hasVault.ttl
- deleted: NTO/GFS/attributes/revokedAt.ttl
- added: NTO/Auth/verbs/owns.ttl (ogit.Auth:owns)
- added: SGO/sgo/attributes/revokedAt.ttl (ogit:revokedAt, root)
- modified Account.ttl: usesDevice -> uses
- modified Person.ttl: hasVault -> owns
- modified ShareLink.ttl (NTO/GFS): ogit.GFS:revokedAt -> ogit:revokedAt
- modified Auth/attributes/revokedAt.ttl: dcterms description updated to note coexistence with the new top-level ogit:revokedAt.

Local validation: 448 classes, 268 verbs, 828 attrs; all references in the changed files resolve.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cy303 approved these changes, Jun 1, 2026
Summary

This PR adds the Auth-scope platform constructs that the Bardioc Graph File System (merged in PR #773) depends on but that did not belong inside the `ogit.GFS:` namespace:

- `ogit.Auth:Device` -- end-user device vertex
- `ogit.Auth:usesDevice` -- Account-to-Device verb
- `ogit.Auth:hasVault` -- Person-to-DataScope anchor for Personal Vaults
- `ogit.Auth:isWorkspace` -- boolean marker on `ogit.Auth:Team` for self-service workspaces
- New attributes (`deviceType`, `securityLevel`, `fingerprint`, `lastSeenAt`, `revokedAt`)

What is added

New entity

`NTO/Auth/entities/Device.ttl` -- end-user device that authenticates against the platform. Distinct from the SGO `ogit:Device`, which models datacenter equipment (servers, sensors, PDUs). The Auth-context device is a smartphone, laptop, browser session, HSM, or hardware wallet that an `ogit.Auth:Account` uses to access platform services. Mandatory: `name`, `deviceType`, `securityLevel`. Optional: `fingerprint`, `lastSeenAt`, `revokedAt`. The `fingerprint` is indexed.

The Bardioc GFS file model uses Device IDs in `ogit.GFS:restrictToDevices` and the Device's `securityLevel` in `ogit.GFS:minDeviceSecurityLevel` to gate per-file device access.

New verbs

`NTO/Auth/verbs/usesDevice.ttl` -- Account-to-Device, many-to-many. One Account may use several devices; one device may be used by several Accounts (family tablet case).

`NTO/Auth/verbs/hasVault.ttl` -- Person-to-DataScope. Anchors a Personal Vault to a Person so the relation survives Account deactivation (employer change).

New attributes (all on `ogit.Auth:`)

- `deviceType` -- fixed-set: `mobile`, `desktop`, `web`, `hsm`, `hardware-wallet`.
- `securityLevel` -- fixed-set: `0`, `50`, `80`, `100` (unverified / registered / managed / HSM-or-hardware-wallet).
- `fingerprint` -- cryptographic device fingerprint (free-form string; opaque, indexed at the Device vertex).
- `lastSeenAt` -- ISO timestamp of most recent successful authentication from the device.
- `revokedAt` -- ISO timestamp on revocation; explicitly distinct from `ogit.GFS:revokedAt` (which lives on `ogit.GFS:ShareLink` in the GFS namespace).
- `isWorkspace` -- fixed-set boolean: `true`, `false`. Marks a Team as a self-service Workspace.

All three fixed-set attributes carry `ogit:validation-type "fixed"` + `ogit:validation-parameter` per the convention used in `NTO/Knowledge/attributes/archived.ttl` and the GFS namespace post Calvin's PR #773 review.
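The two security-relevant mechanisms described above, the fixed-set attribute convention (`ogit:validation-type "fixed"` with the allowed values in `ogit:validation-parameter`) and the per-file device gate built on `ogit.GFS:minDeviceSecurityLevel`, `ogit.GFS:restrictToDevices` and `revokedAt`, are shown together in the following Python example. It is an added illustration, not code from this PR or from the OGIT repository. The schema dicts are a constructed mirror of the attribute definitions in the PR text rather than a parse of the `.ttl` files, and the gate semantics (the device's `securityLevel` must be greater than or equal to the file's `minDeviceSecurityLevel`, an empty `restrictToDevices` list means no restriction, and a device whose `revokedAt` is in the past is refused) are assumptions made for the example, since the page only says the attributes "gate per-file device access".

```python
# Added example (not part of PR #775 or the OGIT project code).
# Models the fixed-set attribute convention and the GFS per-file device gate
# described in the PR text. Schema dicts and gate semantics are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed mirror of the three fixed-set attributes from the PR description.
# In the real .ttl files the allowed values sit in ogit:validation-parameter.
FIXED_SET_ATTRIBUTES = {
    "ogit.Auth:deviceType": {
        "validation-type": "fixed",
        "validation-parameter": "mobile,desktop,web,hsm,hardware-wallet",
    },
    "ogit.Auth:securityLevel": {
        "validation-type": "fixed",
        "validation-parameter": "0,50,80,100",
    },
    "ogit.Auth:isWorkspace": {
        "validation-type": "fixed",
        "validation-parameter": "true,false",
    },
}


class SchemaViolation(ValueError):
    """Raised when an attribute value lies outside its declared fixed set."""


def validate_fixed(attribute: str, value: str) -> str:
    """Check `value` against the fixed set declared for `attribute`.

    Returns the value unchanged when it is allowed; raises SchemaViolation
    otherwise. Attributes without validation-type "fixed" pass through.
    """
    spec = FIXED_SET_ATTRIBUTES[attribute]
    if spec["validation-type"] != "fixed":
        return value
    allowed = spec["validation-parameter"].split(",")
    if value not in allowed:
        raise SchemaViolation(f"{attribute}: {value!r} not in fixed set {allowed}")
    return value


@dataclass
class Device:
    """ogit.Auth:Device with the mandatory and optional attributes named in the PR."""
    id: str
    name: str
    device_type: str
    security_level: str
    fingerprint: Optional[str] = None
    last_seen_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Enforce the fixed sets at construction time, as the validator would on load.
        validate_fixed("ogit.Auth:deviceType", self.device_type)
        validate_fixed("ogit.Auth:securityLevel", self.security_level)


@dataclass
class GfsFile:
    """Only the two GFS gate attributes the PR text names (hypothetical shape)."""
    path: str
    min_device_security_level: str = "0"
    restrict_to_devices: List[str] = field(default_factory=list)


def device_may_access(file: GfsFile, device: Device, now: datetime) -> Tuple[bool, str]:
    """Evaluate the per-file device gate; returns (allowed, reason).

    Order matters: a revoked device is refused before any level comparison,
    so a high securityLevel cannot outlive its revocation.
    """
    if device.revoked_at is not None and device.revoked_at <= now:
        return False, "device revoked"
    if file.restrict_to_devices and device.id not in file.restrict_to_devices:
        return False, "device not in restrictToDevices"
    # security_level is already validated as one of 0/50/80/100, so int() is safe.
    if int(device.security_level) < int(file.min_device_security_level):
        return False, "securityLevel below minDeviceSecurityLevel"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    phone = Device("dev-1", "Ada's phone", "mobile", "50")
    hsm = Device("dev-2", "Ops HSM", "hsm", "100")
    payroll = GfsFile("/vault/payroll.xlsx", min_device_security_level="80")
    print(device_may_access(payroll, phone, now))
    print(device_may_access(payroll, hsm, now))
```

Running the block as a script prints the gate decision for a registered phone (refused, level 50 below 80) and for an HSM-backed device (allowed). Constructing a `Device` with `deviceType` `tablet` or `securityLevel` `75` raises `SchemaViolation`, which is the behaviour the `ogit:validation-parameter` convention is meant to guarantee at the ontology level.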
Modifications to existing entities

- `NTO/Auth/entities/Account.ttl` -- one new allowed edge: `[ ogit.Auth:usesDevice ogit.Auth:Device ]`.
- `NTO/Auth/entities/Team.ttl` -- `isWorkspace` added to `optional-attributes`.
- `SGO/sgo/entities/Person.ttl` -- one new allowed edge: `[ ogit.Auth:hasVault ogit.Auth:DataScope ]`, plus the missing `@prefix ogit.Auth:` declaration (the file already references `ogit.Auth:*` in the OSINT-extension block but had no explicit prefix until now).

Decisions for the OGIT review

Decision 1 -- new vertex vs extending SGO:Device

A `ogit:Device` already exists in `SGO/sgo/entities/Device.ttl`, authored by Peter Larem in 2015 with optional attributes `purchaseDate`, `moveProductionDate`, `endOfWarranty`, `powerConsumption` and allowed edges to `Timeseries`, sensors, PDUs and UPS units. That is unambiguously datacenter-hardware modelling. Mixing end-user-device attributes (`securityLevel`, `fingerprint`, `lastSeenAt`, `revokedAt`) onto the same class would produce two disjoint populations of one vertex type with very different mandatory-attribute expectations. The choice here is therefore: separate `ogit.Auth:Device` in the Auth scope, with the doc strings making the distinction explicit. Open for redirection if the OGIT review prefers a single `ogit:Device` with a discriminator attribute.

Decision 2 -- location of hasVault

`hasVault` is filed under `NTO/Auth/verbs/` because the relation is primarily auth-relevant: it anchors a Vault scope (which is an `ogit.Auth:DataScope`) to a Person. An alternative location would be `SGO/sgo/verbs/`, with the prefix `ogit:hasVault`, because the source side is `ogit:Person`. Per-namespace-ownership preference welcome; the move is mechanical.

Decision 3 -- coexistence of deviceType

`ogit.Mobile:deviceType` already exists (free-form string, authored by Kaushik Gondaliya in 2020, dcterms description "type of device such as Mobile, FOB..."). The new `ogit.Auth:deviceType` is a different concept: a fixed-set discriminator over the five auth-relevant device categories. The two coexist in different namespaces because they answer different questions. Open to renaming the Auth one if the OGIT review wants stricter naming hygiene; this PR keeps both.

Decision 4 -- revokedAt across namespaces

`ogit.Auth:revokedAt` and `ogit.GFS:revokedAt` (added in PR #773 for ShareLink) are different attributes that happen to share a local name. Resolving by namespace is fine for the validator; the PR description here flags the coincidence in case the OGIT review prefers one to rename.

Diff stats

Team.ttl +1 optional attribute, Person.ttl +1 edge + missing prefix declaration)

rdflib 7.6.0; every reference in the changed files resolves to a defined OGIT construct.

Companion concept

Bardioc GFS Overall Concept Section 6 (Devices) and Section 5 (Vault). Reviewer-friendly Word builds live in the Bardioc Product Management Dropbox under `Bardioc GFS/Reviewable Deliverables/`.