A comprehensive Graph Security & Ontology Management platform designed to define, secure, and manage data hierarchies with fine-grained access control (ABAC/ReBAC).
Ontology Manager provides a visual interface and powerful backend engine for modeling complex data domains alongside robust security policies. It unifies:
- Ontology Design: defining classes, properties, and relationships.
- Identity & Access Management (IAM): managing users, roles (ABAC), and relationship-based policies (ReBAC).
- Security Impact Analysis: simulating policy changes and visualizing access graphs.
The project is built as a modern full-stack application:
- Frontend:
- Framework: React 18 (Vite)
- Routing: TanStack Router (File-based routing)
- Styling: TailwindCSS & Shadcn UI
- State/Query: TanStack Query
- Backend:
- Language: Rust
- Framework: Axum (High-performance async web framework)
- Database: PostgreSQL (via SQLx)
- Authentication: JWT-based stateless auth
- Class Management: Create and version ontology classes (e.g., Patient, Doctor, Appointment).
- Relationship Types: Define directed edges between classes (e.g., Treats, Owns, ReportsTo).
- Graph Explorer: Visual node-link diagrams to explore the data model.
- ABAC (Attribute-Based Access Control): Define roles with granular permissions (e.g., READ_SENSITIVE on PatientRecords).
- ReBAC (Relationship-Based Access Control): Define policies like "Users can access documents owned by their Department".
- Impact Analysis: Simulate "What happens if I give Role X to User Y?" before applying changes.
- Role Designer: specialized UI for constructing role definitions.
- User Management: Lifecycle management for system users.
- Security Dashboard: Real-time metrics on policy denials, active sessions, and ontology growth.
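To make the ABAC/ReBAC split and the impact-analysis idea concrete, here is a small policy engine written for this README. It is not the project's backend code and assumes nothing about its API: `PolicyEngine`, the `member_of`/`owned_by` relations, the `Clinician`/`SeniorClinician` roles and the sample records are all invented for the example. The decision is deny-by-default and requires both a role permission on the resource's class (ABAC) and the relationship chain the class demands (ReBAC); `simulate_grant` answers "what if I give Role X to User Y?" on a clone of the policy without applying anything.

```rust
use std::collections::{BTreeSet, HashMap, HashSet};

/// ABAC permission: an action on an ontology class (e.g. READ_SENSITIVE on PatientRecords).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Permission { pub action: &'static str, pub class: &'static str }

/// One hop of a ReBAC chain: follow a relation out of the current node, or into it.
#[derive(Clone, Copy, Debug)]
pub enum Hop { Out(&'static str), In(&'static str) }

/// Hypothetical policy store; the project's real engine is not shown on this page.
#[derive(Clone, Default)]
pub struct PolicyEngine {
    pub roles: HashMap<&'static str, HashSet<Permission>>,         // role -> permissions (ABAC)
    pub assignments: HashMap<&'static str, HashSet<&'static str>>, // user -> roles
    pub edges: Vec<(&'static str, &'static str, &'static str)>,    // (subject, relation, object)
    pub classes: HashMap<&'static str, &'static str>,              // resource id -> class
    pub rebac: HashMap<&'static str, Vec<Hop>>,                    // class -> required chain
}

impl PolicyEngine {
    /// ABAC: does any role assigned to `user` grant `action` on `class`?
    pub fn abac_allows(&self, user: &str, action: &'static str, class: &'static str) -> bool {
        let wanted = Permission { action, class };
        self.assignments.get(user).map_or(false, |roles| {
            roles.iter().any(|r| self.roles.get(r).map_or(false, |p| p.contains(&wanted)))
        })
    }
    /// Advance the frontier one hop along edges carrying the hop's relation.
    fn step(&self, frontier: &HashSet<&'static str>, hop: Hop) -> HashSet<&'static str> {
        let mut next = HashSet::new();
        for &(s, r, o) in &self.edges {
            match hop {
                Hop::Out(rel) if rel == r && frontier.contains(s) => { next.insert(o); }
                Hop::In(rel) if rel == r && frontier.contains(o) => { next.insert(s); }
                _ => {}
            }
        }
        next
    }
    /// ReBAC: is `resource` reachable from `user` along the chain its class requires?
    /// A class with no chain is denied; there is no implicit "everyone" relationship.
    pub fn rebac_allows(&self, user: &'static str, resource: &'static str) -> bool {
        let chain = match self.classes.get(resource).and_then(|c| self.rebac.get(c)) {
            Some(c) => c,
            None => return false,
        };
        let mut frontier = HashSet::from([user]);
        for &hop in chain {
            frontier = self.step(&frontier, hop);
            if frontier.is_empty() { return false; }
        }
        frontier.contains(resource)
    }
    /// Deny by default: access needs BOTH a role permission on the resource's class (ABAC)
    /// AND the required relationship between user and resource (ReBAC).
    pub fn can_access(&self, user: &'static str, action: &'static str, resource: &'static str) -> bool {
        self.classes.get(resource).map_or(false, |&class| {
            self.abac_allows(user, action, class) && self.rebac_allows(user, resource)
        })
    }
    /// Every (action, resource) pair the user can perform right now.
    pub fn access_set(&self, user: &'static str) -> BTreeSet<(&'static str, &'static str)> {
        let actions: BTreeSet<&'static str> = self.roles.values().flatten().map(|p| p.action).collect();
        let mut out = BTreeSet::new();
        for &res in self.classes.keys() {
            for &act in &actions {
                if self.can_access(user, act, res) { out.insert((act, res)); }
            }
        }
        out
    }
    /// Impact analysis ("what if I give Role X to User Y?"): the pairs `user` would newly
    /// gain. Evaluated on a clone, so the live policy is untouched.
    pub fn simulate_grant(&self, user: &'static str, role: &'static str) -> BTreeSet<(&'static str, &'static str)> {
        let before = self.access_set(user);
        let mut trial = self.clone();
        trial.assignments.entry(user).or_default().insert(role);
        let after = trial.access_set(user);
        after.difference(&before).copied().collect()
    }
}

/// Constructed sample data (not from the project): two PatientRecords owned by different
/// departments, and the policy "users may access records owned by their department".
pub fn sample_engine() -> PolicyEngine {
    let mut e = PolicyEngine::default();
    let read = Permission { action: "READ", class: "PatientRecords" };
    let sensitive = Permission { action: "READ_SENSITIVE", class: "PatientRecords" };
    e.roles.insert("Clinician", HashSet::from([read]));
    e.roles.insert("SeniorClinician", HashSet::from([read, sensitive]));
    e.assignments.insert("alice", HashSet::from(["Clinician"])); // bob has no role yet
    e.classes.insert("rec-1001", "PatientRecords");
    e.classes.insert("rec-2002", "PatientRecords");
    e.edges = vec![("alice", "member_of", "Cardiology"), ("bob", "member_of", "Oncology"),
                   ("rec-1001", "owned_by", "Cardiology"), ("rec-2002", "owned_by", "Oncology")];
    // user --member_of--> Department <--owned_by-- PatientRecords
    e.rebac.insert("PatientRecords", vec![Hop::Out("member_of"), Hop::In("owned_by")]);
    e
}

fn main() {
    let e = sample_engine();
    println!("alice READ rec-1001: {}  alice READ rec-2002: {}",
             e.can_access("alice", "READ", "rec-1001"), e.can_access("alice", "READ", "rec-2002"));
    println!("granting SeniorClinician to alice adds {:?}", e.simulate_grant("alice", "SeniorClinician"));
}
```

The point the simulation makes: granting `SeniorClinician` to alice adds only `READ_SENSITIVE` on the Cardiology record she is already related to; the Oncology record stays out of reach because a role never bypasses the relationship check.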
Prerequisites:
- Docker (for PostgreSQL)
- Node.js 20+
- Rust (Stable)

1. Database: start the PostgreSQL container.

   ```bash
   docker-compose up -d db
   ```

2. Backend:

   ```bash
   cd backend
   cargo run
   ```

   The server will start on http://localhost:5300. It will automatically run migrations and seed initial system data.

3. Frontend:

   ```bash
   cd frontend
   npm install
   npm run dev
   ```

   Access the UI at http://localhost:5373.
```text
.
├── backend/              # Rust Axum API
│   ├── src/features/     # Domain modules (abac, rebac, ontology, users)
│   ├── migrations/       # SQLx database migrations
│   └── config/           # App configuration
├── frontend/             # React application
│   ├── src/routes/       # Page routes (TanStack Router)
│   ├── src/features/     # Frontend feature modules
│   └── src/components/   # Shared UI components
├── database/             # Docker database context
└── docker-compose.yml    # Service orchestration
```
Status: Security Sprint Phase 1 Complete (70% risk reduction achieved)
- Safe Defaults: All endpoints require authentication unless explicitly public.
- CSRF Protection: Double-submit cookie pattern implemented.
- Input Validation: Strictly typed schemas using Serde (Backend) and Zod (Frontend).
- JWT Security: RS256 with 90-day key rotation, refresh token rotation.
- MFA Support: TOTP-based two-factor authentication with backup codes.
- Password Reset: Secure flow with single-use tokens and session revocation.
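What the double-submit cookie check in the list above actually decides, as an added example written for this README rather than code from the project. The cookie name `csrf_token`, the header name `X-CSRF-Token`, the treatment of `GET`/`HEAD`/`OPTIONS` as exempt, and the request headers in `main` are assumptions made for the example; the project's own names may differ.

```rust
/// Return the value of cookie `name` from a raw Cookie header ("a=1; csrf_token=abc").
pub fn cookie_value<'a>(cookie_header: &'a str, name: &str) -> Option<&'a str> {
    cookie_header.split(';').map(str::trim).find_map(|kv| {
        let (k, v) = kv.split_once('=')?;
        (k.trim() == name).then(|| v.trim())
    })
}

/// Constant-time comparison: runtime does not depend on where the first mismatch is.
/// (Length is compared first; token length is not secret.)
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Only state-changing methods are checked; safe methods must not change state anyway.
pub fn needs_csrf_check(method: &str) -> bool {
    !matches!(method, "GET" | "HEAD" | "OPTIONS")
}

/// Double-submit check: the token in the `csrf_token` cookie must equal the token the
/// client copied into the `X-CSRF-Token` header. A cross-site form post carries the
/// cookie automatically but cannot read it to fill the header, so the two will differ.
/// A missing or empty token is rejected rather than treated as "CSRF not in use".
pub fn csrf_ok(method: &str, cookie_header: Option<&str>, csrf_header: Option<&str>) -> bool {
    if !needs_csrf_check(method) { return true; }
    match (cookie_header.and_then(|c| cookie_value(c, "csrf_token")), csrf_header) {
        (Some(c), Some(h)) if !c.is_empty() => ct_eq(c.as_bytes(), h.as_bytes()),
        _ => false,
    }
}

fn main() {
    // Constructed request headers for the demonstration, not captured traffic.
    let cookies = "session=s1; csrf_token=7f3a9c0e";
    println!("matching header:  {}", csrf_ok("POST", Some(cookies), Some("7f3a9c0e")));
    println!("wrong header:     {}", csrf_ok("POST", Some(cookies), Some("7f3a9c0f")));
    println!("no header:        {}", csrf_ok("POST", Some(cookies), None));
    println!("GET, no tokens:   {}", csrf_ok("GET", None, None));
}
```

Two caveats a reviewer would raise against any double-submit implementation: the token must come from a CSPRNG and be issued per session, and because a sibling subdomain can set a cookie scoped to the parent domain, an attacker who controls one can plant a `csrf_token` cookie and matching header of their own choosing; binding the token to the session (for example an HMAC over the session id, or a server-side copy) and setting the cookie with `SameSite` closes that gap. This minimal version does neither.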
Security Status:
- Phase 1 (complete): critical fixes for audit findings CVE-001, CVE-002 and CVE-005 (the audit's own numbering from docs/SECURITY_AUDIT.md, not MITRE-assigned CVE IDs)
- Phase 2 (in progress): high-priority fixes (rate limiting, user enumeration)
- Phases 3-5 (planned): detection & monitoring
See STATUS.md for security roadmap and docs/SECURITY_AUDIT.md for complete vulnerability analysis.
| Category | Tests | Coverage | Status |
|---|---|---|---|
| Backend Security | 19 | 100% | Done |
| Backend Auth | 33 | 86% | Done |
| Backend Password Reset | 11 | 100% | Done |
| Backend MFA | 9 | 100% | Done |
| Backend Projects | 18 | 100% | Done |
| ReBAC Service | 15 | 85% | In progress |
| ABAC Service | 10 | 90% | In progress |
| Monitoring System | 61 | 90% | Done |
| Frontend Unit | 18 | 90% | Done |
| E2E Tests | 10 | Ready | Done |
| TOTAL | 204 | ~90% | Done |
Run all backend tests (the PostgreSQL container from docker-compose must be running; the credentials below are the local development ones and should not be reused outside local development):

```bash
cd backend
export DATABASE_URL=postgres://app:app_password@localhost:5301/app_db
cargo test
```

E2E tests cover auth flows, ontology roles, and monitoring.
Prerequisites: backend running on http://localhost:5300, frontend on http://localhost:5373.

```bash
cd frontend
npm run test:e2e
```

Test coverage:
- e2e-auth.spec.ts: register and login flows
- e2e-password-reset.spec.ts: password reset flow
- e2e-mfa.spec.ts: MFA authentication
- e2e-ontology-roles.spec.ts: ABAC/ReBAC role verification
- e2e-monitoring.spec.ts: monitoring dashboard

See STATUS.md for detailed test status and coverage analysis.
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
- STATUS.md: Current project status, roadmap, and metrics
- BACKLOG.md: Detailed task backlog and progress tracking
- CHANGELOG.md: Version history and release notes
- AGENTS.md: Development guidelines, coding standards, and commands
- docs/FEATURES_AUTH.md: Authentication & security features (JWT, MFA, password reset)
- docs/FEATURES_AUTHORIZATION.md: ABAC & ReBAC access control
- docs/FEATURES_ONTOLOGY.md: Ontology engine and management
- docs/FEATURES_MONITORING.md: Monitoring, analytics, and alerting
- docs/SECURITY_AUDIT.md: Complete security audit (12 CVEs identified)
- docs/SECURITY_TASKS.md: 110 security implementation tasks (5 phases)
- docs/SECURITY_QUICKSTART.md: Quick security fixes guide
- docs/PRD.md: Product requirements document
| Document | Purpose | Last Updated |
|---|---|---|
| STATUS.md | Project status & roadmap | 2026-01-18 |
| BACKLOG.md | Task tracking | 2026-01-18 |
| docs/FEATURES_AUTH.md | Authentication & security | 2026-01-18 |
| docs/FEATURES_AUTHORIZATION.md | ABAC/ReBAC | 2026-01-18 |
| docs/FEATURES_ONTOLOGY.md | Ontology engine | 2026-01-18 |
| docs/FEATURES_MONITORING.md | Monitoring system | 2026-01-18 |
| docs/SECURITY_AUDIT.md | Security vulnerability analysis | 2026-01-18 |
| docs/SECURITY_TASKS.md | Security implementation plan | 2026-01-18 |
Current Version: 1.0.1
Production Readiness: 95% (Security Phase 2-5 pending)
Test Coverage: 90% (204 tests)
Risk Level: LOW (70% reduction achieved)
Key Achievements (2026-01-18):
- Technical MVP complete (42+ backend tests)
- Password Reset & MFA integration (81 tests)
- Security audit complete (12 CVEs, 37 security tests)
- Monitoring system complete (10,619 lines, 24 endpoints)
- Test coverage: 30 → 204 tests (+580%)
Next Priority: Security Sprint Phase 2 (rate limiting, user enumeration, immutable backups)
See STATUS.md for complete roadmap and metrics.