
Future enhancements: Template expansion, AVP descriptions, and scope optimization #26

@drernie


Overview

Track deferred features from the hierarchical S3 schema implementation spec (specs/3-schema/02-cedar-impl.md).

These are intentionally deferred from the MVP to reduce scope and accelerate delivery of the core prefix matching implementation.

Deferred Features

1. Template Expansion in Compiler

Support template variables in Cedar policies that expand at compilation time:

resource == Raja::S3Bucket::"raja-poc-test-{{account}}-{{region}}"

Compiler expands to:

S3Bucket:raja-poc-test-712023778557-us-east-1:s3:ListBucket

Template syntax:

  • {{account}} → AWS account ID
  • {{region}} → AWS region
  • {{env}} → Environment (dev, staging, prod)

Use case: Avoid hardcoding account/region in policies while maintaining exact matching (not prefix matching).

Priority: Medium - Nice to have, but prefix matching (raja-poc-test-) solves most use cases

2. AVP Description Extraction

Extract structured descriptions from Cedar policy comments and populate AVP policy descriptions:

// @description Grant test-user access to rajee-integration/ prefix
// @test tests/integration/test_rajee_envoy_bucket.py::test_get_object_with_valid_token
// @owner @ernest
permit(...)

Benefits:

  • Link policies to tests for traceability
  • Document policy purpose and ownership
  • Enable automated test coverage validation

Priority: Low - Development hygiene, not functionality

3. Role-Based Principals

Extend schema to support role-based access:

// Today: Individual users
principal == Raja::User::"alice"

// Future: Role-based access
principal in Raja::Role::"data-engineers"

Priority: Medium - Needed for production use cases with groups/teams

4. Policy Validation in CI

Add CI checks to validate:

  • All Cedar policies compile successfully
  • Policies match schema (correct entity types, actions)
  • No syntax errors or invalid references

Priority: Medium - Catch policy errors before deployment

5. Scope Optimization

Deduplicate or merge overlapping scopes:

  • Multiple policies → same scope (deduplicate)
  • Overlapping prefixes → merge into broader scope
  • Optimize token size by reducing redundant scopes

Example:

Before: ["S3Object:bucket-/path1/:read", "S3Object:bucket-/path1/:write"]
After:  ["S3Object:bucket-/path1/:*"]  (if wildcard actions are supported)

Priority: Low - Optimization, not correctness

Acceptance Criteria

  • Decide priority and timeline for each feature
  • Create separate issues for high-priority items
  • Update specs with implementation details when prioritized
  • Close this meta-issue when all deferred features are addressed or explicitly rejected

Related

  • Specs: specs/3-schema/01-bucket-object.md, specs/3-schema/02-cedar-impl.md
  • Epic: Hierarchical S3 schema implementation
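
The template expansion described under "Template Expansion in Compiler", sketched as an added example (not code from the issue or the project). It assumes the three variables the issue lists, a hypothetical `expand_template` helper, and value patterns chosen here so that a substituted value cannot carry `:`, `*`, `/` or quotes into the compiled scope; unknown or unresolved placeholders fail closed.

```python
import re

# Assumed allowlist: the three variables named in the issue, each with a strict
# value pattern (patterns are this example's choice, not the project's).
_VALUE_PATTERNS = {
    "account": re.compile(r"\d{12}"),                # AWS account IDs are 12 digits
    "region": re.compile(r"[a-z]{2}(-[a-z]+)+-\d"),  # e.g. us-east-1
    "env": re.compile(r"dev|staging|prod"),
}
_PLACEHOLDER = re.compile(r"\{\{([^{}]*)\}\}")


class TemplateError(ValueError):
    """Raised when a template cannot be expanded safely."""


def expand_template(text: str, context: dict) -> str:
    """Expand {{var}} placeholders, failing closed on anything unexpected."""

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in _VALUE_PATTERNS:
            raise TemplateError(f"unknown template variable: {name!r}")
        if name not in context:
            raise TemplateError(f"no value supplied for {name!r}")
        value = context[name]
        # fullmatch rejects values that would smuggle scope delimiters or wildcards
        if not _VALUE_PATTERNS[name].fullmatch(value):
            raise TemplateError(f"invalid value for {name!r}: {value!r}")
        return value

    expanded = _PLACEHOLDER.sub(substitute, text)
    # A stray '{{' or '}}' means a malformed placeholder survived; never ship it as a literal
    if "{{" in expanded or "}}" in expanded:
        raise TemplateError(f"unbalanced placeholder in {text!r}")
    return expanded


def bucket_scope(bucket_template: str, action: str, context: dict) -> str:
    """Build a scope in the shape shown in the issue: S3Bucket:<name>:<action>."""
    return f"S3Bucket:{expand_template(bucket_template, context)}:{action}"
```
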

Labels: enhancement
