# CropLogic Authorization Service

This service runs OPA as a standalone authorization engine for `backend/access_control`.

## Run standalone

```bash
docker compose -f accsess/docker-compose.yaml up -d
```

## Decision endpoints

- Single feature: `POST /v1/data/croplogic/authz/decision`
- Batch features: `POST /v1/data/croplogic/authz/batch_decision`

The backend uses the batch endpoint and sends the farm context only; no user identity is passed, so every decision depends entirely on the `resource` object the backend supplies. Users are treated as `farmer` by default inside the service, and features are allowed unless there is a feature-specific rule in `policies/authz.rego`.

## Example request

```bash
curl -s http://127.0.0.1:8181/v1/data/croplogic/authz/batch_decision \
  -H 'Content-Type: application/json' \
  -d @- <<'EOF'
{
  "input": {
    "resource": {
      "farm_id": "farm-1001",
      "subscription_plan_codes": ["gold"],
      "farm_types": ["greenhouse"],
      "crop_types": ["tomato"],
      "cultivation_types": ["soil"],
      "sensor_codes": ["sensor-7-in-1"],
      "power_sensor": ["main-power"],
      "customization": ["default-layout"]
    },
    "features": ["sensor-7-in-1"],
    "action": "view"
  }
}
EOF
```

## Add new rules in code

Define feature-specific checks directly in `policies/authz.rego`.

- If a feature has no rule, every action is allowed.
- If a feature rule exists, its conditions are evaluated and any failing condition denies access.
- `sensor-7-in-1` currently requires `resource.sensor_codes` to include `sensor-7-in-1`.

Because the policy is allow-by-default, a feature name that matches no rule (including a misspelled one) is allowed for every action. When adding a rule, check that its feature key is spelled exactly as the backend sends it, otherwise the rule is silently never applied.
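The rule model described in this section, written out as an added Rego example. This is not the project's `policies/authz.rego`; it is an illustration of the same allow-by-default scheme with a table of feature rules, the `sensor-7-in-1` rule from the README, and one extra hypothetical feature (`greenhouse-dashboard`) to show a rule with two conditions. The `input.user.role` field and the `allowed_by_default` output are assumptions added here so that features that fell through to the default can be seen in the response.

```rego
package croplogic.authz

import rego.v1

# Hypothetical rule table (assumption: the real policy may be structured differently).
# Each feature maps required resource attributes to the set of values that must be present.
# "sensor-7-in-1" mirrors the rule described in the README; "greenhouse-dashboard" is invented.
feature_rules := {
	"sensor-7-in-1": {"sensor_codes": {"sensor-7-in-1"}},
	"greenhouse-dashboard": {
		"farm_types": {"greenhouse"},
		"subscription_plan_codes": {"gold"},
	},
}

# The backend sends farm context only, so the subject defaults to "farmer".
# input.user.role is an assumed optional field, not something the README documents.
default role := "farmer"

role := input.user.role if is_string(input.user.role)

# A feature is denied unless one of the rules below proves it allowed.
# The default function keeps "allow" defined (false) instead of undefined,
# so a denied feature is not silently dropped from the batch result.
default feature_allowed(_) := false

# Allow-by-default: a feature with no entry in feature_rules is allowed for every action.
feature_allowed(feature) := true if {
	not feature_rules[feature]
}

# A feature with a rule is allowed only when every required attribute holds.
# A missing resource attribute makes object.get return [] and the check fails,
# so an incomplete farm context denies rather than allows.
feature_allowed(feature) := true if {
	rules := feature_rules[feature]
	every attr, required in rules {
		have := {v | some v in object.get(input.resource, attr, [])}
		every r in required {
			r in have
		}
	}
}

# Single-feature decision: POST /v1/data/croplogic/authz/decision
decision := {
	"feature": input.feature,
	"action": input.action,
	"role": role,
	"allow": feature_allowed(input.feature),
}

# Features in the request that matched no rule and were therefore allowed by default.
# Surfacing them helps catch a misspelled feature key in a new rule.
allowed_by_default := {f | some f in input.features; not feature_rules[f]}

# Batch decision: POST /v1/data/croplogic/authz/batch_decision
# If input.features is absent the comprehension yields an empty results array.
batch_decision := {
	"role": role,
	"results": [{"feature": f, "action": input.action, "allow": feature_allowed(f)} | some f in input.features],
	"allowed_by_default": allowed_by_default,
}
```

To evaluate it offline, save the `input` object from the README request (without the outer `"input"` wrapper) as `input.json` and run `opa eval -i input.json -d authz_example.rego 'data.croplogic.authz.batch_decision'`. With the README's farm context, `sensor-7-in-1` is allowed because `resource.sensor_codes` contains it; removing that value from `sensor_codes` flips `allow` to `false` for that feature, while an unknown feature name such as `sensor-7in1` is allowed and listed under `allowed_by_default`.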