Merge pull request #5 from johnf/entity-refactor

entity refactor

Author: johnf

biome.jsonc

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.2.2/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.2.4/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",

docs/getting-started/authorization.md

@@ -0,0 +1,224 @@
+---
+sidebar_position: 4
+title: Authorization
+---
+
+# Authorization
+
+The RO-Crate API uses an `access` property on each entity which signals to the
+consumer that level of access the current user has to metadata and content.
+This is designed to allow consumers of the API like Oni UI to communicate what
+is accessible and redirect to enrollment URLs when access is restricted.
+
+## Access Property Structure
+
+Each entity in the API includes an `access` object with the following
+structure:
+
+```json
+{
+  "access": {
+    "metadata": true,
+    "content": false,
+    "metadataAuthorizationUrl": "https://example.com/apply?item=123",
+    "contentAuthorizationUrl": "https://example.com/apply?item=123"
+  }
+}
+```
+
+### Required Fields
+
+- **`metadata`** (boolean): Whether the current user has access to view the
+entity's metadata
+- **`content`** (boolean): Whether the current user has access to download or
+view the entity's content files
+
+### Optional Fields
+
+- **`metadataAuthorizationUrl`** (string): URL where users can request access
+to metadata when `metadata` is `false`
+- **`contentAuthorizationUrl`** (string): URL where users can request access to
+content when `content` is `false`
+
+## Authorization Rules
+
+### Validation Requirements
+
+When implementing the API, the following validation rules MUST be enforced:
+
+- If `metadata` is `false`, then `metadataAuthorizationUrl` MUST be provided
+- If `content` is `false`, then `contentAuthorizationUrl` MUST be provided
+- Entities that violate these rules should not be surfaced in API responses
+
+### Implementation Flexibility
+
+The authorization system provides maximum flexibility to implementors:
+
+- **Enrollment URL format**: Completely open to implementor design
+- **Authorization flow**: The process after visiting an enrollment URL is up to
+the implementor
+- **Access determination**: How the API determines user access is
+implementation-specific
+
+## Access Scenarios and Examples
+
+### 1. Full Access
+
+Both metadata and content are accessible to the current user:
+
+```json
+{
+  "id": "https://catalog.example.com/repository/PUBLIC/001",
+  "name": "Public Research Data",
+  "access": {
+    "metadata": true,
+    "content": true
+  }
+}
+```
+
+### 2. Metadata Only Access
+
+User can view metadata but must request access for content:
+
+```json
+{
+  "id": "https://catalog.example.com/repository/RESTRICTED/001",
+  "name": "Sensitive Audio Recordings",
+  "access": {
+    "metadata": true,
+    "content": false,
+    "contentAuthorizationUrl": "https://ethics.example.com/apply?collection=RESTRICTED-001"
+  }
+}
+```
+
+### 3. No Access
+
+User must request access for both metadata and content:
+
+```json
+{
+  "id": "https://catalog.example.com/repository/PRIVATE/001",
+  "name": "Confidential Collection",
+  "access": {
+    "metadata": false,
+    "content": false,
+    "metadataAuthorizationUrl": "https://portal.example.com/metadata-access?id=PRIVATE-001",
+    "contentAuthorizationUrl": "https://portal.example.com/content-access?id=PRIVATE-001"
+  }
+}
+
+```
+
+### 4. Content Only Access
+
+User can access content but not detailed metadata (rare scenario):
+
+```json
+{
+  "id": "https://catalog.example.com/repository/CLASSIFIED/001",
+  "name": "Research Materials",
+  "access": {
+    "metadata": false,
+    "content": true,
+    "metadataAuthorizationUrl": "https://clearance.example.com/request?item=CLASSIFIED-001"
+  }
+}
+```
+
+### 5. Invalid Configurations
+
+These examples show invalid configurations that should result in errors:
+
+```json
+// ERROR: content is false but no contentAuthorizationUrl provided
+{
+  "access": {
+    "metadata": true,
+    "content": false
+    // Missing contentAuthorizationUrl
+  }
+}
+
+// ERROR: metadata is false but no metadataAuthorizationUrl provided
+{
+  "access": {
+    "metadata": false,  // Missing metadataAuthorizationUrl
+    "content": true
+  }
+}
+```
+
+## Client Implementation Guidelines
+
+### Checking Access
+
+Before attempting to access entity metadata or content, clients should check
+the access property:
+
+```javascript
+function canAccessMetadata(entity) {
+  return entity.access.metadata === true;
+}
+
+function canAccessContent(entity) {
+  return entity.access.content === true;
+}
+
+function getEnrollmentUrl(entity, type) {
+  if (type === 'metadata' && !entity.access.metadata) {
+    return entity.access.metadataAuthorizationUrl;
+  }
+
+  if (type === 'content' && !entity.access.content) {
+    return entity.access.contentAuthorizationUrl;
+  }
+  return null;
+}
+```
+
+### Handling Restricted Access
+
+When access is denied, present the enrollment URL to users:
+
+```javascript
+if (!canAccessContent(entity)) {
+  const enrollmentUrl = getEnrollmentUrl(entity, 'content');
+  // Display message: "Access restricted. Apply for access at: {enrollmentUrl}"
+}
+```
+
+## Use Cases
+
+### Public Archives
+
+Most content publicly accessible with some restricted materials:
+
+- `metadata: true, content: true` - Open research data
+- `metadata: true, content: false` - Culturally sensitive materials requiring
+approval
+
+### Institutional Repositories
+
+Metadata discoverable but content restricted to authenticated users:
+
+- `metadata: true, content: false` - Internal research requiring institutional login
+
+### Sensitive Collections
+
+Both metadata and content require special authorization:
+
+- `metadata: false, content: false` - Classified or highly sensitive materials
+
+## Implementation Notes
+
+- Authorization URLs can point to any system: web forms, OAuth providers,
+institutional portals, etc.
+- The API does not prescribe the enrollment process - this is entirely up to
+the implementor
+- Access permissions may be user-specific, time-based, or dependent on other
+factors
+- Consider caching authorization decisions to improve performance
+- Ensure authorization URLs are accessible and provide clear instructions to
+users

docs/getting-started/extensions.md

@@ -0,0 +1,115 @@
+---
+sidebar_position: 5
+title: Extensions
+mdx.format: md
+---
+
+# API Extensions
+
+This guide explains how implementations can extend the RO-Crate API
+specification with additional properties.
+
+## Core vs Extension Properties
+
+The RO-Crate API specification defines mandatory fields that all
+implementations must provide. However, implementations are free to add optional
+extension properties directly at the root level of entity responses to meet
+their specific requirements.
+
+**Important**: Extension properties are implementation-specific and not
+required by the core API. Clients should be prepared to handle additional
+properties beyond those defined in the specification.
+
+## How Extensions Work
+
+Extension properties are added at the root level of entity objects, alongside
+the mandatory fields defined in the API specification. For example:
+
+```json
+{
+  "id": "https://catalog.paradisec.org.au/repository/LRB/001",
+  "name": "Recordings of West Alor languages",
+  "description": "A compilation of recordings featuring various West Alor languages",
+  "entityType": "http://pcdm.org/models#Collection",
+  "memberOf": "https://catalog.paradisec.org.au/repository/LRB",
+  "rootCollection": "https://catalog.paradisec.org.au/repository/LRB",
+  "metadataLicenseId": "https://license.example.com/metadata",
+  "contentLicenseId": "https://license.example.com/content",
+  "access": {
+    "metadata": true,
+    "content": false
+  },
+
+  // Extension properties below
+  "counts": {
+    "collections": 5,
+    "objects": 42,
+    "subCollections": 3,
+    "files": 150
+  },
+  "language": ["English", "Italian"],
+  "communicationMode": ["SpokenLanguage", "Song"],
+  "mediaType": ["audio/wav", "text/plain"],
+  "accessControl": "Public"
+}
+```
+
+## Example: Oni-UI Extensions
+
+The [oni-ui](https://github.com/Language-Research-Technology/oni-ui) implementation
+requires the following additional properties to be present in API responses:
+
+### Statistical Counts
+
+- **`counts`** (object): Statistical information about the entity's subtree:
+  - **`collections`** (integer): The total number of collections in the subtree
+  - **`objects`** (integer): The total number of objects in the subtree
+  - **`subCollections`** (integer): The number of nested sub-collections within
+  this entity
+  - **`files`** (integer): The number of individual files attached to or within
+  this entity's structure
+
+### Content Classification
+
+- **`language`** (array of strings): All languages contained in the sub-tree of
+entities. Useful for archives that store diverse linguistic data.
+  - Example: `["English", "Italian", "Mandarin"]`
+
+- **`communicationMode`** (array of strings): The modes of communication found
+in this sub-tree's data, such as speech, song, or sign.
+  - Example: `["SpokenLanguage", "Song", "SignLanguage"]`
+
+- **`mediaType`** (array of strings): Media types (MIME types) of files within
+the sub-tree.
+  - Example: `["audio/wav", "text/plain", "video/mp4"]`
+
+### Access Control
+
+- **`accessControl`** (string): The level of access control required to view or
+download this entity.
+  - Example: `"Public"`, `"Restricted"`, `"Private"`
+
+## Implementation Guidelines
+
+When adding extension properties to your API implementation:
+
+1. **Document your extensions**: Clearly document any additional properties
+   your implementation provides
+2. **Use descriptive names**: Choose property names that clearly indicate their
+   purpose
+3. **Consider namespacing**: For complex implementations, consider using
+   prefixed property names to avoid conflicts
+4. **Maintain consistency**: Use consistent data types and naming conventions
+   across your extensions
+5. **Version appropriately**: Consider how extension changes might affect
+   client compatibility
+
+## Other Implementations
+
+Different RO-Crate API implementations may define their own extension
+properties based on their specific use cases and requirements. Always consult
+the documentation for the specific implementation you're working with to
+understand what additional properties might be available.
+
+When building clients that work across multiple implementations, design them to
+gracefully handle unknown extension properties.