The foundations of categorified security.
Abstract
An enterprise data platform takes raw data, gives it meaning, lets people act on that meaning, and captures those actions back into the data. We decompose the skeleton of this machine into six categorical components connected by functors. The skeleton determines what the system can do; the data poured into it determines what it actually does. Security is a Grothendieck topology; lineage, a free category on the pipeline DAG; actions, algebras for an edit monad. Three adjunctions tie the whole thing together.
A small category OntSch where:
Ob(OntSch) = entity types {O₁, O₂, …, On} such as Person, Company, Product, Transaction.
Mor(OntSch) = relationship types L : Oi → Oj, each annotated with cardinality card(L) ∈ {1:1, 1:n, n:1, m:n}.
Each object carries a property schema via a functor S : OntSch → Sch, where Sch is the category of finite products of primitive types.
No data here, just the declaration of what kinds of things can exist and how they relate. A finite directed multigraph with type annotations.
A presheaf on the schema category:
Φ : OntSchop → Set
On objects: for each entity type O, the set Φ(O) is the collection of all actual instances of that type.
On morphisms: for each link type L : Oi → Oj, the map Φ(L) : Φ(Oj) → Φ(Oi) sends each target instance to the set of source instances linked to it. Functoriality makes multi-hop traversals compose correctly.
Your data, morphed into the skeleton: rows become set elements, foreign keys become linking functions, and one presheaf is one snapshot of the world as seen through the schema.
Sem : Data → [OntSchop, Set] pours raw data into the skeleton: rows become objects, columns become properties, foreign keys become link functions. Functoriality keeps things consistent when upstream data changes.
Because Φ lives in a presheaf category, every query, filter, join, and aggregation is already well-defined. The query algebra is derived from the structure, not designed by hand.
Ont = [OntSchop, Set]. Objects are all presheaves on OntSch (all possible data states). Morphisms are natural transformations (consistent transitions between states).
Ont is an elementary topos, giving:
Read more: The Presheaf Category
A monad 𝕋 = (T, η, μ) on Ont. The endofunctor T maps each presheaf Φ to the coproduct of all presheaves reachable by a finite sequence of primitive edits:
T(Φ) = ∐e ∈ Edit* e(Φ)
where Edit = {CreateObject, UpdateProperty, DeleteObject, AddLink, RemoveLink}. Unit η is the empty edit; multiplication μ flattens nested edit plans.
The Kleisli category Ont𝕋 has ontology instances as objects and composable action sequences as morphisms. An action type is a Kleisli morphism A : P → T(Φ) where P is the parameter space. Every operational workflow is a composed morphism in Ont𝕋.
Sem ⊣ WB : Ont → Data. The semantic functor and writeback functor form an adjunction closing the feedback loop: data → ontology → decisions → writeback → data. The unit and counit witness that no information is lost in the round trip.
A Grothendieck topology J on OntSch: for each object type O, the covering sieves J(O) are sets of "authorized access paths." A sheaf on (OntSch, J) is an ontology instance that respects access control. The secured state space is the sheaf topos:
Ontsec = Sh(OntSch, J)
The sheafification adjunction a ⊣ i : [OntSchop, Set] ⇄ Sh(OntSch, J) guarantees that security enforcement is:
All concrete mechanisms (projects, organizations, roles, markings, row/column filters) are encoded as topological data and compose automatically. Every query passes through a.
Read more: The Grothendieck Topology
The free category on the dependency DAG:
Lin = Path(G)
where G = (V, E) has all platform resources as vertices and dependency relations as edges. Objects are resources; morphisms are dependency paths; composition is path concatenation.
HomLin(r, r) = {idr} for all r. Circular dependencies are structurally impossible. Impact analysis (downstream) and root cause (upstream) are computable in O(|V| + |E|). A topological sort of G gives valid build ordering.
Read more: The Lineage Category
Sem ⊣ WB : Data ⇄ Ont. Index then write back: you recover the original data plus absorbed edits. Write back then re-index: you recover the ontology state. The adjunction is the coherence guarantee for the entire closed loop.
a ⊣ i : [OntSchop, Set] ⇄ Sh(OntSch, J). Sheafification enforces access control: compositional, idempotent, minimal. Every query passes through a.
Free ⊣ U : Graph ⇄ Cat. Lin = Free(G). Any consistent labeling of resource dependencies factors uniquely through Lin. Acyclicity, impact analysis, and root cause analysis are structural consequences.
| # | Component | Structure | Role |
|---|---|---|---|
| ① | Schema | Small category OntSch | Shape of the domain: what kinds of things and relationships exist |
| ② | Presheaf | Φ : OntSchop → Set | Current state, data morphed into the skeleton |
| ③ | Presheaf category | [OntSchop, Set] (topos) | State space, guarantees queries, filters, functions are well-defined |
| ④ | Edit monad | 𝕋 = (T, η, μ) on Ont | Composable transactional decisions; Kleisli category = workflows |
| ⑤ | Topology | J on OntSch | Security, propagated compositionally |
| ⑥ | Lineage | Path(G), free on DAG | Provenance, structural acyclicity |
| Joint | Adjunction | Governs |
|---|---|---|
| Feedback loop | Sem ⊣ WB | Data ↔ meaning. Coherence of the closed loop. |
| Security | a ⊣ i | Full state ↔ visible state. Compositional enforcement. |
| Lineage | Free ⊣ U | Dependency graph ↔ free category. Structural acyclicity. |
Define the schema; pour in the data. The skeleton generates the rest: queries, APIs, security propagation, action composition, provenance tracking. The category theory is the generator; the concrete system is a representation.