refactor(docs): improve formatting and linking on architecture page

jp-ayyappan · jp-ayyappan · commit 8cbe46af7194 · 2025-08-25T17:53:55.000-04:00
This refactors the architecture page to improve readability and navigation. The layout is updated to a single column, the diagram is reoriented, and all components and NIST terms are now linked to their respective pages.
diff --git a/docs/architecture.mdx b/docs/architecture.mdx
@@ -4,71 +4,79 @@ sidebar_position: 3
 
 # Architecture
 
-## Overview
+OpenTDF is built on a flexible, service-oriented architecture designed for robust and fine-grained access control. The platform consists of four core components that work together to protect data throughout its lifecycle. This architecture aligns with the well-established [National Institute of Standards and Technology (NIST)](https://www.nist.gov) model for [Attribute-Based Access Control (ABAC)](https://csrc.nist.gov/projects/attribute-based-access-control), ensuring a standards-based and interoperable approach.
 
-The OpenTDF platform is made up of 4 main components:
+## Core Platform Components
 
-- **[Policy](components/policy/)** - Manages attribute-based access control (ABAC) policies, including namespaces, attributes, values, and their relationships
-- **[Authorization](components/authorization)** - Handles entitlement decisions based on policy evaluation and entity context
-- **[Key Access Server (KAS)](components/key_access)** - Manages cryptographic keys and provides secure key access for TDF encryption/decryption
-- **[Entity Resolution Service](components/entity_resolution)** - Interfaces with Identity Providers (IdPs) to resolve entity information for authorization decisions
-
-## High-Level Architecture
+The four main services of the OpenTDF platform are the Policy Service, Authorization Service, Entity Resolution Service, and the Key Access Server.
 
 ```mermaid
 graph TD
-    %% External Systems
-    CLIENT["🖥️ Client Application"] 
-    IDP["🔐 Identity Provider<br/>(Keycloak, Auth0, etc.)"] 
-    
-    %% OpenTDF Platform Components
+    CLIENT["🖥️ Client Application"]
+
     subgraph "OpenTDF Platform"
-        POLICY["📋 Policy Service<br/>• Attribute Management<br/>• Subject Mappings<br/>• Resource Mappings<br/>• Key Access Grants"]
-        
-        AUTHZ["⚖️ Authorization Service<br/>• Entitlement Decisions<br/>• Policy Evaluation<br/>• ABAC Enforcement"]
-        
-        ERS["👥 Entity Resolution<br/>• JWT Token Parsing<br/>• Entity Chain Creation<br/>• IdP Integration"]
-        
-        KAS["🔑 Key Access Server<br/>• Key Management<br/>• TDF Encrypt/Decrypt<br/>• Access Control"]
+        KAS["🛡️ Key Access Server<br/><i>(Implements NIST PEP)</i>"]
+        AUTHZ["🧠 Authorization Service<br/><i>(Implements NIST PDP)</i>"]
+        ERS["ℹ️ Entity Resolution Service<br/><i>(Implements NIST PIP)</i>"]
+        POLICY["🏢 Policy Service<br/><i>(Implements NIST PAP)</i>"]
+    end
+
+    subgraph "External Systems"
+        IDP["🔐 Identity Provider"]
+        ATTR_SOURCES["📚 Optional Attribute Sources<br/>(LDAP, SQL, etc.)"]
     end
+
+    CLIENT -->|1. Authenticates| IDP
+    CLIENT -->|2. Access Request| KAS
     
-    %% TDF Operations
-    TDF_ENC["📦 TDF Creation<br/>(Encrypt)"]
-    TDF_DEC["📂 TDF Access<br/>(Decrypt)"]
+    KAS -->|3. Decision Request| AUTHZ
     
-    %% Flow connections
-    CLIENT -->|"1. Authenticate"| IDP
-    CLIENT -->|"2. Create TDF"| TDF_ENC
-    CLIENT -->|"3. Access TDF"| TDF_DEC
+    AUTHZ -->|4. Get Policies| POLICY
+    AUTHZ -->|5. Get Attributes| ERS
     
-    TDF_ENC -->|"Get Policy & Keys"| POLICY
-    TDF_ENC -->|"Encrypt with Keys"| KAS
+    ERS -->|6. Optionally Query| ATTR_SOURCES
     
-    TDF_DEC -->|"Rewrap Request<br/>+ Access Token"| KAS
-    KAS -->|"Parse Token<br/>Extract Entities"| ERS
-    ERS -->|"Query Entity Data"| IDP
-    KAS -->|"Authorization Request<br/>+ Entity Chain"| AUTHZ
-    AUTHZ -->|"Get Policies<br/>& Mappings"| POLICY
-    AUTHZ -->|"Decision"| KAS
-    KAS -->|"Unwrapped Key<br/>(if authorized)"| TDF_DEC
+    AUTHZ -->|7. Decision| KAS
     
-    %% Styling
-    classDef platformService fill:#e1f5fe,stroke:#01579b,stroke-width:2px
+    KAS -->|8. Grant/Deny Access| CLIENT
+
+    classDef opentdfService fill:#e1f5fe,stroke:#01579b,stroke-width:2px
     classDef externalSystem fill:#f3e5f5,stroke:#4a148c,stroke-width:2px
-    classDef tdfOperation fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
     
-    class POLICY,AUTHZ,ERS,KAS platformService
-    class CLIENT,IDP externalSystem
-    class TDF_ENC,TDF_DEC tdfOperation
+    class POLICY,AUTHZ,ERS,KAS opentdfService
+    class ATTR_SOURCES,IDP,CLIENT externalSystem
+
+    click POLICY "components/policy/"
+    click AUTHZ "components/authorization"
+    click ERS "components/entity_resolution"
+    click KAS "components/key_access"
 ```
 
-## Component Interactions
+### [Policy Service](components/policy/)
+
+The Policy Service is where all access control policies are defined and managed. It provides the tools and APIs to create a rich set of policies that govern data access. This includes not only attributes and their values, but also the definitions of **actions, obligations, and key access mappings**.
+
+In the context of the NIST ABAC model, the Policy Service functions as the [Policy Administration Point (PAP)](https://csrc.nist.gov/glossary/term/policy_administration_point).
+
+### [Authorization Service](components/authorization)
+
+The Authorization Service is the core decision-making engine of the platform. It is responsible for evaluating the rich policies from the Policy Service against a set of attributes to render an authorization decision.
+
+In the context of the NIST ABAC model, it functions as the [Policy Decision Point (PDP)](https://csrc.nist.gov/glossary/term/policy_decision_point).
+
+### [Entity Resolution Service (ERS)](components/entity_resolution)
+
+The Entity Resolution Service is responsible for gathering the attributes about a subject needed for a decision. By default, it can derive attributes from claims in an authentication token. Optionally, it can be configured to connect to external attribute sources (LDAP, SQL) to "hydrate" the entity with more attributes.
+
+In the context of the NIST ABAC model, the ERS functions as the [Policy Information Point (PIP)](https://csrc.nist.gov/glossary/term/policy_information_point).
+
+### [Key Access Server (KAS)](components/key_access)
+
+The Key Access Server (KAS) enforces access control decisions. Its role is more extensive than a typical enforcement point:
 
-The OpenTDF platform components work together to provide secure, policy-based access to encrypted data:
+-   **Cryptographic Enforcement:** It enforces decisions by granting or withholding cryptographic keys for TDF decryption.
+-   **Encryption Enablement:** It manages key exchanges and enables various TDF encryption modes.
 
-1. **Policy Service** defines the rules and attributes that govern access
-2. **Entity Resolution Service** translates authentication tokens into entity representations
-3. **Authorization Service** evaluates policies against entity context to make access decisions
-4. **Key Access Server** enforces those decisions by providing or denying access to decryption keys
+In the context of the NIST ABAC model, the KAS functions as the [Policy Enforcement Point (PEP)](https://csrc.nist.gov/glossary/term/policy_enforcement_point).
 
-This architecture enables fine-grained, attribute-based access control while maintaining the security and integrity of encrypted data throughout its lifecycle.
+Furthermore, the OpenTDF platform is designed for flexibility. Developers can **build and integrate their own custom PEPs**. These custom enforcement points can leverage the platform's robust Authorization ([PDP](https://csrc.nist.grov/glossary/term/policy_decision_point)) and Policy ([PAP](https://csrc.nist.gov/glossary/term/policy_administration_point)) services while implementing enforcement logic tailored to specific applications. These custom PEPs can also optionally interface with the KAS to take advantage of its powerful cryptographic capabilities.
