SEA™ DSL pattern for authentication and authorization.
@namespace "com.example.auth"
@version "1.0.0"
// ============================================================================
// ENTITIES
// ============================================================================
// Core actors and stores of the auth domain: principals (User), their
// sessions, the store that holds issued tokens, and the role/permission model.
// NOTE(review): "User" is also declared below as a Role — presumably Entity and
// Role names live in separate namespaces; confirm against the DSL.
Entity "User" in auth
Entity "Session" in auth
Entity "TokenStore" in auth
Entity "Role" in auth
Entity "Permission" in auth
// ============================================================================
// RESOURCES
// ============================================================================
// Credential-bearing resources moved by the flows below.
// NOTE(review): only "Token" is covered by the token_expiry_required policy;
// "RefreshToken" has no expiry constraint in this file — confirm whether that
// is intended.
Resource "Token" units in auth
Resource "Credential" units in auth
Resource "RefreshToken" units in auth
// ============================================================================
// ROLES
// ============================================================================
// Principal roles. "Admin" is the role gated by the admin_requires_mfa policy;
// "Service" presumably covers non-interactive callers — confirm.
Role "Admin" in auth
Role "User" in auth
Role "Service" in auth
// ============================================================================
// FLOWS - Authentication
// ============================================================================
// Command: a User establishes exactly one Session. Marked transactional,
// presumably so a failed login leaves no partial Session behind — confirm.
Flow "Login"
@cqrs { "kind": "command" }
@tx { "transactional": true }
@rationale "User authenticates with credentials"
from "User" to "Session" quantity 1
// Command: returns a Session to its User.
// NOTE(review): unlike Login this flow is not marked @tx, and no flow in this
// file moves anything out of TokenStore, so tokens issued for the session are
// not revoked by this spec on logout — confirm whether that is intended.
Flow "Logout"
@cqrs { "kind": "command" }
from "Session" to "User"
// Command from an authenticated Session into TokenStore; transactional, so a
// token is presumably either fully recorded or not issued at all — confirm.
Flow "IssueToken"
@cqrs { "kind": "command" }
@tx { "transactional": true }
from "Session" to "TokenStore"
// Command within TokenStore, deduplicated on refreshTokenId — presumably so a
// retried refresh is not applied twice.
// NOTE(review): not marked @tx, unlike IssueToken — confirm whether the
// asymmetry is deliberate.
Flow "RefreshToken"
@cqrs { "kind": "command" }
@idempotency { "enabled": true, "key": "refreshTokenId" }
from "TokenStore" to "TokenStore"
// ============================================================================
// FLOWS - Events
// ============================================================================
// Event emitted after a successful login, published via the outbox (mode
// "required").
// NOTE(review): "EventBus" is not declared as an Entity in this file — confirm
// the DSL permits an undeclared flow target.
Flow "UserLoggedIn"
@cqrs { "kind": "event" }
@outbox { "mode": "required" }
from "Session" to "EventBus"
// Event emitted from TokenStore when a token is issued, published via the
// outbox (mode "required").
Flow "TokenIssued"
@cqrs { "kind": "event" }
@outbox { "mode": "required" }
from "TokenStore" to "EventBus"
// ============================================================================
// FLOWS - Queries
// ============================================================================
// Query: a Session checks a token against TokenStore; kind "query", so no
// state change is expected.
Flow "ValidateToken"
@cqrs { "kind": "query" }
from "Session" to "TokenStore"
// Query served from the "UserRoleProjection" read model.
// NOTE(review): "QueryService" is not declared as an Entity in this file —
// confirm the DSL permits an undeclared flow source.
Flow "GetUserRoles"
@cqrs { "kind": "query" }
@read_model { "name": "UserRoleProjection" }
from "QueryService" to "Role"
// ============================================================================
// POLICIES
// ============================================================================
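// Obligation: at most one *active* Session per User. The filter on s.active
// matches the rationale and the active_sessions metric; without it every
// Session ever created for the user would be counted, so if inactive sessions
// are retained a user could be blocked from logging in again.
Policy single_active_session
per Constraint Obligation priority 10
@rationale "Each user can have only one active session"
as: forall u in entities where u.name = "User":
count(s in entities where s.name = "Session" and s.userId = u.id and s.active = true: 1) <= 1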
// Obligation: every Token resource carries a non-null expiresAt.
// NOTE(review): the filter matches only "Token", so the "RefreshToken"
// resource is unconstrained here — confirm whether refresh tokens should also
// be required to expire.
Policy token_expiry_required
per Constraint Obligation priority 10
@rationale "All tokens must have expiration"
as: forall t in resources where t.name = "Token": (t.expiresAt != null)
// Obligation: a User whose role is "Admin" must have mfaEnabled set.
// NOTE(review): u.role is compared as a single value — presumably a user holds
// exactly one role; confirm, since a multi-valued role would bypass this check.
Policy admin_requires_mfa
per Constraint Obligation priority 10
@rationale "Admin role requires multi-factor authentication"
as: forall u in entities where u.name = "User" and u.role = "Admin":
(u.mfaEnabled = true)
// ============================================================================
// METRICS
// ============================================================================
// Number of Sessions with active = true; threshold 10000 at severity
// "warning".
Metric "active_sessions" as:
count(s in entities where s.name = "Session" and s.active = true: 1)
@threshold 10000
@severity "warning"
// Number of "LoginFailed" events in the trailing one-hour window; threshold
// 100 at severity "critical".
// NOTE(review): no Flow named "LoginFailed" is declared in this file (the only
// events are UserLoggedIn and TokenIssued) — confirm where that event is
// emitted, otherwise this metric can never fire.
Metric "failed_logins" as:
count(e in events over last 1 "hour" where e.name = "LoginFailed": 1)
@window 1 "hour"
@threshold 100
@severity "critical"
Last Updated: January 2026