Dieses Stellenangebot ist nicht mehr verfügbar
Über
### Overview
We are building a **deterministic policy knowledge base and execution engine** that compiles and runs **OPA (Rego → Wasm / IR "plan")** and **OpenFGA (model → deterministic decision graph / traversal plan)**. The system must produce **reproducible, replayable, auditable decisions** from immutable inputs and pinned versions. The work is heavy on systems correctness: canonicalization, idempotency, versioning, bounded evaluation, and cryptographic signing of decision receipts.
### What you will build
A "compile once, run many" runtime that:
* Compiles OPA policies to deterministic artifacts (Wasm and/or IR plan) and evaluates them with a controlled host surface.
* Compiles OpenFGA models to a deterministic execution plan (stable traversal order, memoization, bounded depth/breadth).
* Produces **decision receipts** (canonical input vector + model/policy versions + consistency mode + hashes + signature) enabling strict replay and drift detection.
* Integrates OPA (business/context rules) with OpenFGA (relationship facts + checks) via an explicit contract and batching strategy.
### Responsibilities
* **Deterministic compilation & execution**
* Implement OPA build pipeline (entrypoints, capabilities, Rego version pinning) and deterministic evaluation runner (preferably Wasm-based).
* Implement OpenFGA model compiler to a deterministic graph/plan and a Check/BatchCheck execution layer with stable traversal, memoization, and limits.
* **Determinism hardening**
* Define and enforce a "deterministic policy profile" (forbid or control time/random/ built-ins).
* Canonicalize unordered structures (sets/objects) at boundaries; define stable output contracts for enumerations.
* Ensure deterministic encodings (RFC 8785 JSON canonicalization and/or deterministic CBOR) and stable hashing/signing rules.
* **Auditability & replay**
* Design receipt schema: schema_version, policy_hash, bundle_hash, model_id, tuple snapshot hash / consistency token, canonical_input_hash, decision_hash, signature metadata (kid/alg).
* Implement golden-input storage, idempotent decision storage keyed by canonical envelope hash, and deterministic replay tooling.
* **OpenFGA integration discipline**
* Always pin authorization_model_id, define per-request consistency mode, and document caching correctness tradeoffs.
* Use batching and concurrency controls; protect against traversal DoS via strict bounds and backpressure.
* **Testing & verification**
* Build conformance tests across runtime targets (OPA interpreter vs Wasm vs custom plan executor where applicable).
* Add property-based tests for canonicalization, hash stability, and deterministic replay.
* Implement semantic diff tooling for policy/model changes (what changed, blast radius, safety checks).
* **Performance & ops**
* Benchmark hot paths (small transactions, canonicalization, signature, FGA checks) and tune for tail latency.
* Instrument with tracing/metrics; ensure decision logs are sufficient for forensic replay without leaking sensitive data.
### Required qualifications
* 8+ years building production systems where **correctness and determinism** matter (security, compliance, infra runtimes, compilers, databases, distributed systems).
* Strong proficiency in **Go and/or Rust** (Node/TypeScript acceptable for orchestration layers).
* Proven experience with:
* Deterministic serialization/canonicalization, hashing, and cryptographic signing (Ed25519 and/or deterministic ECDSA/RFC6979).
* Policy engines or declarative systems (OPA/Rego preferred) and/or authorization graph systems (Zanzibar/OpenFGA/ReBAC).
* Idempotency design, immutable versioning, replay, and audit-grade event/receipt pipelines.
* Strong testing culture: golden tests, fuzz/property tests, benchmarking, and regression gating in CI.
### Nice to have
* Implemented interpreters/IR evaluators, Wasm runtimes, or compilation pipelines (IR → executable plan).
* Experience with decision diagrams (BDD/OBDD/PDD) or formal equivalence testing for policy subsets.
* Experience building projections into graph stores (Neo4j/Neptune/RDF) with provenance and idempotent upserts.
* Familiarity with OPA bundles/signing, OPA capabilities, OpenFGA consistency modes, and traversal optimization.
### Tech stack (typical)
Go/Rust, OPA CLI + Wasm, OpenFGA (server or embedded), Postgres/MySQL for tuple store, gRPC/HTTP, canonical JSON/CBOR, SHA-256, Ed25519/RFC6979, CI/CD and containerized deployment.
Contract duration of 1 to 3 months. with 40 hours per week.
Mandatory skills: Python, HTML, JavaScript, Web Development, API
Sprachkenntnisse
- English
Hinweis für Nutzer
Dieses Stellenangebot wurde von einem unserer Partner veröffentlicht. Sie können das Originalangebot einsehen hier.