Warden: Composable Authorization Engine

Warden is a Go library that unifies RBAC, ABAC, and ReBAC authorization behind a single Check API.

Warden is a composable permissions and authorization engine for Go. It answers the fundamental question: "Is this subject allowed to perform this action on this resource?"

Warden combines three authorization models into a unified engine:

  • RBAC — Role-Based Access Control with hierarchical roles, permissions, and assignments
  • ABAC — Attribute-Based Access Control with policy conditions (IP ranges, time windows, custom attributes)
  • ReBAC — Relationship-Based Access Control (Zanzibar-style) with relation tuples and graph traversal

Key Features

  • Unified Check API — A single Check() call evaluates RBAC, ABAC, and ReBAC together
  • Decision Priority — Explicit deny always wins over allow, which wins over default deny
  • Type-Safe IDs — TypeID-based identifiers for all entities (wrol_, wprm_, wasn_, wpol_, wrel_)
  • Multi-Tenant — Every operation is scoped to a tenant via context
  • Pluggable Stores — Memory, PostgreSQL, and SQLite backends
  • Plugin System — Lifecycle hooks for audit logging, metrics, and custom integrations
  • Forge Integration — First-class Forge extension with DI, middleware, and OpenAPI routes
  • Standalone Mode — Use without Forge as a plain Go library

Quick Example

// Requires the standard "context" and "log" packages alongside warden.
// memoryStore is an instance of Warden's in-memory store backend
// (its constructor is not shown on this page).
eng, err := warden.NewEngine(
    warden.WithStore(memoryStore),
)
if err != nil {
    log.Fatalf("create engine: %v", err)
}

// Every operation is scoped to a tenant through ctx; the helper that
// attaches the tenant to the context is not shown here.
ctx := context.Background()

result, err := eng.Check(ctx, &warden.CheckRequest{
    Subject:      warden.Subject{Kind: "user", ID: "user-42"},
    Action:       "read",
    ResourceType: "document",
    ResourceID:   "doc-123",
})
if err != nil {
    log.Fatalf("check: %v", err)
}

// Explicit deny wins over allow, which wins over default deny.
if result.Allowed {
    // Access granted
}
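How the decision priority listed under Key Features combines the verdicts of the three models behind a single check, as an added Go illustration that is not Warden's own code: Effect, Request, Model, Combine and DefaultModels are assumed names, and the office IP range and the user-42 role grant are constructed sample data.

```go
package main
import "net/netip"
// Effect is one model's verdict (RBAC, ABAC or ReBAC) for a request.
type Effect int
const (
	NoOpinion Effect = iota // the model has no rule for this request
	Allow                   // the model grants the action
	Deny                    // an explicit deny, e.g. a failed ABAC condition
)

// Request mirrors the page's CheckRequest fields plus request attributes for ABAC (a constructed addition).
type Request struct {
	Subject, Action, ResourceType, ResourceID string
	Attrs                                     map[string]string
}
type Model struct {
	Name string
	Eval func(Request) Effect
}
// Combine applies the priority the page states (explicit deny > allow > default deny); every model is consulted, so an early allow never shadows a later deny.
func Combine(models []Model, req Request) (allowed bool, reason string) {
	reason = "default deny"
	for _, m := range models {
		switch m.Eval(req) {
		case Deny:
			return false, "explicit deny by " + m.Name
		case Allow:
			if !allowed {
				allowed, reason = true, "allowed by "+m.Name
			}
		}
	}
	return allowed, reason
}

// DefaultModels are constructed stand-ins, not Warden's code: RBAC grants user-42 document:read; ABAC denies clients outside a made-up office range.
func DefaultModels() []Model {
	rbac := func(r Request) Effect {
		if r.Subject == "user-42" && r.ResourceType == "document" && r.Action == "read" {
			return Allow
		}
		return NoOpinion
	}
	abac := func(r Request) Effect {
		if ip, err := netip.ParseAddr(r.Attrs["ip"]); err == nil && !netip.MustParsePrefix("10.0.0.0/8").Contains(ip) {
			return Deny
		}
		return NoOpinion
	}
	return []Model{{"rbac", rbac}, {"abac", abac}}
}
```

The reason string names the model that decided, which is what an audit-logging plugin would want to record.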

Next Steps