feat: integrate scenario-specific relationships and attributes in schema files

assets/example-shapes/banking-system.yaml

@@ -5,7 +5,7 @@ schema: |-
 
         // Defines a relation where an account has an owner of type 'user'.
         relation owner @user
-        
+
         // Attribute to store the balance information of the account.
         attribute balance integer
 
@@ -53,4 +53,18 @@ scenarios:
           data:
             amount: 3000
         assertions:
-          withdraw: false
+          withdraw: false
+  - name: "Account 2 Owner Withdrawal with Scenario-Specific Attributes"
+    description: "Tests 'steven' can withdraw from 'account:2' using scenario-specific balance attribute."
+    attributes:
+      - account:2$balance|integer:6000
+    checks:
+      - entity: "account:2"
+        subject: "user:steven"
+        context:
+          tuples: []
+          attributes: []
+          data:
+            amount: 2000
+        assertions:
+          withdraw: true

assets/example-shapes/custom-roles.yaml

@@ -24,12 +24,9 @@ relationships:
     - dashboard:project-progress#view@role:admin#assignee
     - dashboard:project-progress#view@role:member#assignee
     - dashboard:project-progress#edit@role:admin#assignee
-    - task:website-design-review#view@role:admin#assignee
-    - task:website-design-review#view@role:member#assignee
-    - task:website-design-review#edit@role:admin#assignee
     - role:member#assignee@user:1
 
-attributes:    
+attributes:
 
 scenarios:
   - name: "User Dashboard View Permissions for project-progress"
@@ -41,6 +38,10 @@ scenarios:
           view: true
   - name: "Role-Based Permissions for 'website-design-review' Task"
     description: "Evaluates the access rights for 'website-design-review' task based on roles. The admin role should have both view and edit permissions, whereas the member role should only have view permission."
+    relationships:
+      - task:website-design-review#view@role:admin#assignee
+      - task:website-design-review#view@role:member#assignee
+      - task:website-design-review#edit@role:admin#assignee
     checks:
       - entity: "task:website-design-review"
         subject: "role:admin#assignee"
@@ -51,4 +52,4 @@ scenarios:
         subject: "role:member#assignee"
         assertions:
           view: true
-          edit: false
+          edit: false

assets/example-shapes/organizations-hierarchies.yaml

@@ -30,6 +30,7 @@ attributes:
 
 scenarios:
   - name: admin_access_test
+    description: "Verifies admin user can edit but not delete a repository they don't own."
     checks:
       - entity: repository:1234
         subject: user:5678
@@ -45,3 +46,13 @@ scenarios:
           delete: false
     entity_filters: []
     subject_filters: []
+  - name: owner_access_test
+    description: "Verifies repository owner has full permissions using scenario-specific relationships."
+    relationships:
+      - "repository:1234#owner@user:9999"
+    checks:
+      - entity: repository:1234
+        subject: user:9999
+        assertions:
+          edit: true
+          delete: true

assets/example-shapes/user-groups.yaml

@@ -43,8 +43,36 @@ schema: |-
     }
 
 relationships:
+   - "organization:1#admin@user:1"
    - "team:1#owner@user:1"
+   - "team:1#org@organization:1"
 
 attributes:
 
 scenarios:
+  - name: "Team Owner Permissions"
+    description: "Verifies that team owner (user:1) has edit, delete, and remove_user permissions on the team."
+    checks:
+      - entity: "team:1"
+        subject: "user:1"
+        assertions:
+          edit: true
+          delete: true
+          remove_user: true
+  - name: "Team Member Project Access"
+    description: "Verifies project access for a team member added via scenario-specific relationships."
+    relationships:
+      - "team:1#member@user:2"
+      - "project:1#team@team:1"
+      - "project:1#org@organization:1"
+    checks:
+      - entity: "project:1"
+        subject: "user:2"
+        assertions:
+          view: true
+          edit: true
+          delete: true
+      - entity: "project:1"
+        subject: "user:1"
+        assertions:
+          view: true

pkg/cmd/validate.go

@@ -233,6 +233,80 @@ func validate() func(cmd *cobra.Command, args []string) error {
 		for sn, scenario := range s.Scenarios {
 			color.Notice.Printf("%v.scenario: %s - %s\n", sn+1, scenario.Name, scenario.Description)
 
+			// Write scenario-specific relationships if any are defined
+			if len(scenario.Relationships) > 0 {
+				color.Notice.Println("  scenario relationships:")
+				for _, t := range scenario.Relationships {
+					var tup *base.Tuple
+					tup, err = tuple.Tuple(t)
+					if err != nil {
+						list.Add(err.Error())
+						color.Danger.Printf("    fail: %s\n", validationError(err.Error()))
+						continue
+					}
+
+					definition, _, err := dev.Container.SR.ReadEntityDefinition(ctx, "t1", tup.GetEntity().GetType(), version)
+					if err != nil {
+						list.Add(err.Error())
+						color.Danger.Printf("    fail: %s\n", validationError(err.Error()))
+						continue
+					}
+
+					err = serverValidation.ValidateTuple(definition, tup)
+					if err != nil {
+						list.Add(err.Error())
+						color.Danger.Printf("    fail: %s\n", validationError(err.Error()))
+						continue
+					}
+
+					_, err = dev.Container.DW.Write(ctx, "t1", database.NewTupleCollection(tup), database.NewAttributeCollection())
+					if err != nil {
+						list.Add(fmt.Sprintf("%s failed %s", t, err.Error()))
+						color.Danger.Println(fmt.Sprintf("    fail: %s failed %s", t, validationError(err.Error())))
+						continue
+					}
+
+					color.Success.Println(fmt.Sprintf("    success: %s ", t))
+				}
+			}
+
+			// Write scenario-specific attributes if any are defined
+			if len(scenario.Attributes) > 0 {
+				color.Notice.Println("  scenario attributes:")
+				for _, a := range scenario.Attributes {
+					var attr *base.Attribute
+					attr, err = attribute.Attribute(a)
+					if err != nil {
+						list.Add(err.Error())
+						color.Danger.Printf("    fail: %s\n", validationError(err.Error()))
+						continue
+					}
+
+					definition, _, err := dev.Container.SR.ReadEntityDefinition(ctx, "t1", attr.GetEntity().GetType(), version)
+					if err != nil {
+						list.Add(err.Error())
+						color.Danger.Printf("    fail: %s\n", validationError(err.Error()))
+						continue
+					}
+
+					err = serverValidation.ValidateAttribute(definition, attr)
+					if err != nil {
+						list.Add(err.Error())
+						color.Danger.Printf("    fail: %s\n", validationError(err.Error()))
+						continue
+					}
+
+					_, err = dev.Container.DW.Write(ctx, "t1", database.NewTupleCollection(), database.NewAttributeCollection(attr))
+					if err != nil {
+						list.Add(fmt.Sprintf("%s failed %s", a, err.Error()))
+						color.Danger.Println(fmt.Sprintf("    fail: %s failed %s", a, validationError(err.Error())))
+						continue
+					}
+
+					color.Success.Println(fmt.Sprintf("    success: %s ", a))
+				}
+			}
+
 			// Start log output for checks
 			color.Notice.Println("  checks:")