console

An RBAC control plane that never answers with a bare yes/no — every decision carries a full evaluation trace.

GoReactTypeScriptRBAC live demo

What it is

The Meridian admin console: a Go API and React SPA for managing users, roles, assignments, and sessions across the platform. Its signature feature is that Check(subject, permission, scope) returns a Decision recording exactly which assignment, which role in the inheritance chain, and which grant or deny rule produced the verdict — including the near-misses (assignments skipped for scope mismatch, roles that matched nothing), because “why was this denied” is only answerable if those are visible.

Key design decisions

Dog-fooding

The console’s own API is authorized by the same engine it administers. POST /v1/roles checks roles:write at global scope through rbac.Check; a denied admin receives the full decision trace in the 403 body. There is no privileged backdoor — if the model can’t express an operation, the console can’t perform it. Every mutation attempt, allowed or denied, lands in the audit trail.

Security highlights

From the threat model: the primary adversary is the authenticated-but-malicious admin. Inheritance cycles are rejected at role-definition time so evaluation never has to detect them; *:read (wildcard resource, concrete action) is rejected as an over-grant invitation; the dev HS256 verifier is called out as dev-grade in the threat model itself — a shared symmetric key means anyone who can verify can mint — with the production keysmith-JWKS Ed25519 verifier behind the same one-method interface. JSON bodies are capped at 1 MiB with unknown fields rejected; every response carries nosniff/DENY/no-referrer/no-store headers.

Verified by

Code worth reading