ReRAG-ReBAC Development Assistant

Expert assistant for developing a secure Retrieval-Augmented Generation (RAG) system with Relationship-Based Access Control (ReBAC) using Ory Keto, SQLite vector search, and LLM integration.

System Overview

This skill helps develop and maintain an enterprise-grade document management system combining:

**RAG** (Retrieval-Augmented Generation) with LLMs

**ReBAC** (Relationship-Based Access Control) via Ory Keto

**Vector Search** using SQLite with sqlite-vec

**Go 1.24** with comprehensive testing and mocking

Project Context

**Module:** `rerag-rbac-rag-llm`

**Package Structure:** All internal packages under `/internal/`

**External Services:**

Ollama (localhost:11434) - LLM and embeddings via Docker (`rerag-ollama`)

Ory Keto (localhost:4466/4467) - Permission management

Key Components

Architecture

**API Server** (`/internal/api/`) - RESTful endpoints with auth middleware

**Embeddings** (`/internal/embeddings/`) - Ollama with nomic-embed-text model

**LLM Client** (`/internal/llm/`) - Ollama with llama3.2:1b model (temperature=0)

**Permissions** (`/internal/permissions/`) - Ory Keto ReBAC integration

**Storage** (`/internal/storage/`) - SQLite vector store with adaptive recursive filtering

Vector Search Architecture

Uses `vec0` virtual table for native vector operations

Dual-table design: `documents` (metadata) + `vec_documents` (vectors)

Adaptive recursive search in `SearchSimilarWithFilter()`:

- Starts with topK × 2 candidates

- Doubles pool size each attempt (max 10 attempts)

- Returns best-effort results for sparse permission scenarios

**Location:** `internal/storage/sqlite_vector_store.go:217-277`

Permission Model (ReBAC)

Three test users:

**alice** - Can only access John Doe's documents

**bob** - Can only access ABC Corporation's documents

**peter** - Admin with access to all documents

Instructions

When working on this codebase:

1. Code Standards

Follow Go 1.24 conventions and standard project layout

Use `gofmt` and `goimports` for formatting

Define interfaces for all external dependencies

Use Ory Herodot for HTTP error handling

Document exported types and functions

Keep functions focused and testable

2. Testing Requirements

Create comprehensive unit tests with mocks for all new features

Follow patterns in `server_test.go` (655 lines reference)

Mock external dependencies (Ollama, Keto)

Test all three permission scenarios (alice, bob, peter)

Use table-driven tests for comprehensive coverage

Always test error paths and edge cases

Include E2E tests following `e2e_test.go` patterns

3. Common Development Commands

```bash

make test # Run all tests before committing

make lint # Check code quality

make format # Auto-format code

make dev # Start Keto and app in tmux

make setup # Setup permissions and load sample docs

make demo # Run interactive permission-aware demo

make reset # Full reset (clean + remove data)

make quick-start # One-liner: install + dev + demo

```

4. Adding New Features

**Step 1:** Design following existing patterns

Review similar implementations in `/internal/api/server.go`

Define interfaces for external dependencies

Plan permission scenarios (alice/bob/peter access)

**Step 2:** Implement with proper structure

Add handler to `/internal/api/server.go`

Create service interfaces in appropriate `/internal/` package

Use existing auth middleware patterns

Return proper HTTP status codes via Herodot

**Step 3:** Create comprehensive tests

```go

func TestNewFeature(t *testing.T) {

server, embedder, vectorStore, llmClient, permService := createTestServer()

// Setup mocks

embedder.SetEmbedding("query", []float32{0.1, 0.2, 0.3})

// Test alice (limited access)

req := createAuthenticatedRequest(method, path, body, "alice")

w := httptest.NewRecorder()

server.handler(w, req)

assert.Equal(t, expectedStatus, w.Code)

// Test bob (different limited access)

// Test peter (admin access)

// Test error cases

}

```

**Step 4:** Update documentation

Add inline comments for complex logic

Update README.md if adding public endpoints

Document permission requirements

5. API Endpoints Reference

`POST /documents` - Add document (no auth for demo)

`GET /documents` - List accessible documents (auth required)

`POST /query` - RAG query with permission filtering (auth required)

`GET /permissions` - View user permissions (auth required)

`GET /health` - Health check (no auth)

6. Working with Vector Search

When modifying storage layer:

Understand adaptive recursive search in `SearchSimilarWithFilter()`

Maintain dual-table design (documents + vec_documents)

Test with sparse permission scenarios

Verify sqlite-vec KNN query performance

Reference: `internal/storage/sqlite_vector_store.go` and `recursive_search_test.go`

7. Permission Testing Pattern

Always test with different user contexts:

```go

// Limited access - only John Doe docs

testUser := "alice"

// Limited access - only ABC Corp docs

testUser := "bob"

// Full admin access

testUser := "peter"

```

8. Important Constraints

**CGO Required**: sqlite-vec needs CGO_ENABLED=1 and C compiler

**Authentication**: Uses simple Bearer token (demo only, not production)

**Storage**: SQLite-based, data persists across restarts

**Models Required**:

- nomic-embed-text (embeddings)

- llama3.2:1b (LLM, temperature=0 for deterministic output)

9. Troubleshooting Common Issues

| Issue | Solution |

|-------|----------|

| Ollama connection refused | `docker start rerag-ollama` |

| Keto permission denied | `make start-keto` |

| Tests failing | `make deps` to update dependencies |

| Embedding errors | `docker exec rerag-ollama ollama pull nomic-embed-text` |

| LLM errors | `docker exec rerag-ollama ollama pull llama3.2:1b` |

10. Before Committing

1. Run `make test` - all tests must pass

2. Run `make lint` - fix any issues

3. Run `make format` - auto-format code

4. Verify permission scenarios work correctly

5. Update documentation if needed

11. CI/CD Notes

GitHub Actions uses:

Docker for Ollama (`ollama/ollama:latest` service container)

Cached Keto binary in `./.bin/keto` (v0.14.0)

Skip `apt-get update` for faster runs

~1-2 minutes for cached runs, ~3-4 minutes with model pulls

Key Files Reference

```

/internal/api/

server.go # Main API implementation

server_test.go # Unit tests (655 lines - reference pattern)

e2e_test.go # End-to-end tests (503 lines)

query_test.go # Query scenarios (309 lines)

/internal/permissions/

keto.go # Ory Keto client

service.go # Permission service interface

/internal/storage/

sqlite_vector_store.go # SQLite vector store + adaptive search

vector_store.go # Storage interface

recursive_search_test.go # Adaptive search tests

/keto/

config.yml # Keto server config

definitions.opl # Permission model

```

Usage Examples

**Example 1: Adding a new authenticated endpoint**

```

Add a DELETE /documents/{id} endpoint that:

1. Requires authentication

2. Checks if user has delete permission via Keto

3. Removes document from vector store

4. Returns 204 No Content on success

5. Includes comprehensive tests for alice, bob, and peter

```

**Example 2: Refactoring storage layer**

```

Refactor the vector search to improve performance for large document sets while maintaining the existing interface. Ensure:

1. Adaptive recursive search behavior is preserved

2. Permission filtering works correctly

3. All existing tests pass

4. Add performance benchmarks

```

**Example 3: Adding comprehensive tests**

```

Create comprehensive tests for the /query endpoint following server_test.go patterns. Include:

1. Unit tests with mocked embedder, LLM, and permission service

2. Permission scenarios for alice, bob, and peter

3. Error cases (invalid query, no permissions, LLM failure)

4. Table-driven tests for different query types

```

Resources

[Ory Keto Documentation](https://www.ory.sh/docs/keto)

[Ollama API Reference](https://github.com/ollama/ollama/blob/main/docs/api.md)

[sqlite-vec Documentation](https://github.com/asg017/sqlite-vec)

[Google Zanzibar Paper](https://research.google/pubs/pub48190/) - ReBAC foundation

ReRAG-ReBAC Development Assistant

ReRAG-ReBAC Development Assistant

System Overview

Project Context

Key Components

Architecture

Vector Search Architecture

Permission Model (ReBAC)

Instructions

1. Code Standards

2. Testing Requirements

3. Common Development Commands

4. Adding New Features

5. API Endpoints Reference

6. Working with Vector Search

7. Permission Testing Pattern

8. Important Constraints

9. Troubleshooting Common Issues

10. Before Committing

11. CI/CD Notes

Key Files Reference

Usage Examples

Resources

Reviews (0)