Plystra Core

Self-hosted identity and authorization core for applications that need account-identity separation, scoped resource permissions, and append-only audit logs.

Explainable identity

Every authorization decision explains the User -> UserMember -> Member -> Space path that acted.

Scoped permissions

Permissions are evaluated against self, group, group_tree, and space scope rules. global is reserved and disabled in v1.0.

Resource Registry

Resource types, actions, mappings, risk levels, and audit defaults are stored as governed metadata.

Append-only audit

Allow and deny decisions write trace snapshots that remain readable after metadata changes.

Self-hosted Core

PostgreSQL, versioned migrations, Ent schema checks, Docker Compose, and production safety guards are part of the Core.

Protected API surface

Non-public Core APIs require the bootstrap admin token. Data Console and metrics are disabled by default.