// maybe motif instead of thread? // Email Address validation example thread = start_thread(EmailAddressValidation, "b@g.com"); thread = advance_thread(AddressValidation, token, code); session = complete_thread(thread.id); // Sms validation example thread = start_thread(SmsAddressValidation, "12133447460"); thread = advance_thread(SmsAddressValidation, token, code); // New passphrase credential = create_credential(Passphrase, "b@g.com", "p4ssw0rd"); thread = start_thread(Passphrase, "b@g.com", "p4ssw0rd"); session = complete_thread(thread.id); // New Totp credential = create_credential(Totp); thread = start_thread(Totp, code); session = complete_thread(thread.id); // New OneTimeCodes credential = create_credential(OneTimeCode); thread = start_thread(OneTimeCodes, code); session = complete_thread(thread.id); // MFA example which requires totp after email thread = start_thread(Passphrase, "b@g.com", "p4ssw0rd"); Thread { Proof: { credential: [totp] } } thread = advance_thread(Totp, code); session = complete_thread(thread.id); // REST entities Identity Credential Address Motif Session // example POST /api/auth/email-validation motif = start_motif(EmailAddress, "b@g.com", None) --> an email has been sent with this motif.id + code and stuff user clicks on email GET /api/auth/email-validation/complete?motif_id=1234 session = complete_thread(motif_id) under the hood, it looks up the thread_id, sees that it belongs to an email validation, validates the email, creates a new identity if it's not already attached, creates a session and returns that session. GET /oidc/provider?state=123444 -- state validated by client POST /api/auth/oidc { data ... } motif = start_motif(Oidc, access_token, data) session = complete_motif(motif.id) ref = secd.write(User(user, 1), (doc, 3), "editor"); secd.attach_computed_property(ref, "property_name"); secd.check(User(user, 1), (doc, 3), "editor") secd.compute\_check(User(user, 1), (doc, 3), "editor", ["property", args...], ["property", args...]) e.g. secd.compute\_check("User(user, 1), (doc, 3), "editor", ["readable_row", 2134], ["property2", args...]) .....NO: A computed property should just be a domain things, and if any data is needed, it can be attached to the auth store for that identity!!!!!!!!!!!!!!!! ## Namespace stuff... use file/path/1 use file/path/2 namespace user { } namespace role { relation member { user | group#member } computed_property (t: timestamp, s: timestamp) { perform a computation here... } computed_property (s: string) { s.starts_with("b") } } namespace group { relation member { user | this.admin } relation admin { user } } namespace doc { relation owner { user } relation editor { user | this.owner } relation viewer { user | this.editor | this.parent#viewer | all(user) } relation auditor { editor - this.owner } relation parent { this.doc } } so, basically it's just: namespace N { relation R { N#R | N#R & N#R - N#R } } These are `.iam` files. Any `.iam` file can be specified as the main file, and then each use statement will be followed.