Skip to content

lease_revocation

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

lease_revocation

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.rs
main.rs
 
 
sql.rs
sql.rs
 
 

README.md

lease_revocation

Warehouse DB admin agent. Bootstrap reads pre-grant a lease per table; every write triggers a permission.request the operator must approve. A mid-flight lease.revoked invalidates the local cache so the next call re-prompts.

Before ARCP

Read-only DB roles are easy. Write roles end up as either "developer-fullaccess" (terrifying) or "ticket-driven" (slow). Mid-job revocation is unheard of: revoking a credential mid-flight breaks the running query.

With ARCP

authorize(&client, "SELECT count(*) FROM public.orders WHERE ...", &mut leases).await?;
authorize(&client, "UPDATE public.orders SET status='refunded' WHERE id=4812", &mut leases).await?;

Bootstrap leases live for an hour; writes are 5 minutes. The drain loop wires lease.revoked straight into the cache.

ARCP primitives

  • permission.request with resource: "table:..." — §15.4.
  • permission.grant carrying expires_at + lease_id — §15.5.
  • lease.revoked mid-flight, processed via a background drain — §15.5.
  • requested_lease_seconds distinct per op class.

File tour

  • main.rs — bootstrap pre-grants + the per-statement authorize loop.
  • sql.rs — sqlparser-equivalent classifier (read / write / ddl).

Variations

  • Add a lease.extended handler to refresh long-running queries.
  • Swap the cache for a Redis-backed shared map across replicas.
  • Reject writes outright on production schemas; only permit them in dev.