indykite-skills

Deploy and configure IndyKite Agent Gateway (IAG) in front of agent-to-agent (A2A) workflows. Use when wiring up A2A policy enforcement, modeling workflows in the IKG, or debugging IAG 401/403 responses.

Call the IndyKite MCP server to make AuthZEN authorization decisions and execute ContX IQ Knowledge Queries. Use when initializing an MCP session, calling its tools, configuring an MCP server, or debugging its two-layer auth.

Author and manage an IndyKite KBAC (Knowledge-Based Access Control) authorization policy - a single subject type, an actions list, a single resource type, and a Cypher condition over the IKG - through the Config API (`/configs/v1/authorization-policies` - create / read / list `?type=kbac` / update / delete, ETag-guarded). Use when the user wants to write, publish, inspect, change the status of, update, or delete a `2.0-kbac` policy - e.g. "write a policy letting a Person PROVISION a Server within budget and publish it", "list the active KBAC policies", "deactivate this policy". This authors the rule; it does NOT make decisions - for "can X do Y on Z?" use indykite-authzen-evaluation (single) or indykite-authzen-evaluations (batch), and to enumerate allowed actions/resources/subjects use indykite-authzen-search-action / -search-resource / -search-subject. This is KBAC, not ContX IQ - for CIQ read/write data policies use the indykite-ciq-* skills.

Make a single KBAC authorization decision via the IndyKite AuthZEN REST API (`POST /access/v1/evaluation`) - returns a boolean `decision` for one (subject, action, resource) triple, optionally with per-request `context.input_params`. Use for a single yes/no question - "can ada PROVISION gpu-node-7?", "is this user allowed to delete this document?", "gate this operation on a live check", or debugging why one decision is false. Not for many checks at once (use indykite-authzen-evaluations), not for enumerating which actions/resources/subjects are allowed (use indykite-authzen-search-action / -search-resource / -search-subject), and not for authoring the policy behind the decision (use indykite-authzen-kbac). For the same decision over MCP/JSON-RPC see indykite-mcp-server (`authzen_evaluate`).

Run many KBAC authorization decisions in one call via the IndyKite AuthZEN REST API (`POST /access/v1/evaluations`), with top-level subject/action/resource/context as defaults overridden per entry; returns one `decision` per entry, in order. Use when checking a known, fixed set of checks at once - one subject against many resources, one action across many subjects, or any mix of triples - e.g. "of these servers, which can grace provision?", "for each of these users, can they deploy gpu-node-7?". For a single check use indykite-authzen-evaluation; to enumerate ALL allowed actions/resources/subjects (open-ended, not a fixed list) use indykite-authzen-search-action / -search-resource / -search-subject; to author the policy use indykite-authzen-kbac.