
Federation — Climscore external read-only catalog

Persona path: alice (setup) → carol (analyst) · Catalogs: climscore (external, READ-ONLY) · Duration: ~15 min · Difficulty: ★★

Status note: this demo expects the climscore external catalog provisioned by the Climscore demo perimeter. If the catalog is not yet live, use the placeholder values below and update them once the perimeter is online.

This demo shows the read-only federation pattern used when a client makes their data available to AKKO for analysis but forbids any mutation. AKKO enforces the contract at the Query layer; write attempts surface a clear, actionable message.

What this proves

  • A client catalog can be federated in strict read-only mode by filling in a single form.
  • The Query layer denies INSERT, UPDATE, DELETE, MERGE, TRUNCATE with a clean message.
  • SELECT works normally; results can be published to a shared dashboard.
  • The denial is logged in the audit trail with persona and resource.

Pre-requisites

  • Demo URL: https://demo.akko-ai.com
  • An external Climscore Postgres endpoint reachable by the AKKO cluster.
  • 2 personas provisioned: alice, carol.

Step 1 — Alice federates the Climscore catalog in read-only mode

Sign in as alice. Navigate to Administration → Catalog Manager Pro.

Click Add catalog → Postgres (read-only).

Fill in the form:

  • Catalog name: climscore
  • Host: postgres.climscore.akko-demo
  • Port: 5432
  • Database: climscore
  • User: akko_reader
  • Password: read from the Secret with: kubectl get secret -n akko climscore-reader -o jsonpath='{.data.password}' | base64 -d
  • Mode: READ-ONLY
  • Auto-deny SQL verbs: INSERT, UPDATE, DELETE, MERGE, TRUNCATE, ALTER, DROP, CREATE

Click Test connection. Expected: Connection OK, 1 schema discovered (public, 14 tables).

Click Save.

Screenshot: tests/e2e/playwright/artefacts/demos/federation-climscore/01-add-catalog.png

Step 2 — Carol confirms the catalog is visible and read-only

Sign out, sign in as carol. Navigate to Governance → Catalog explorer → climscore.

Expected: the catalog tile shows a small read-only badge. Click a table; the action-menu entries Edit row and Add column are hidden.

Screenshot: tests/e2e/playwright/artefacts/demos/federation-climscore/02-readonly-badge.png

Step 3 — Carol runs a SELECT

Open DevHub → SQL editor. Run:

SELECT
    asset_id,
    asset_type,
    risk_score,
    last_assessed_at
FROM climscore.public.assets
WHERE risk_score > 0.7
ORDER BY risk_score DESC
LIMIT 50;

Expected: 50 rows returned in ~0.6 s.

| asset_id       | asset_type | risk_score | last_assessed_at    |
| AS-00000412    | building   | 0.97       | 2026-05-12 09:14:00 |
| AS-00000871    | parcel     | 0.95       | 2026-05-10 18:42:00 |
| ...            | ...        | ...        | ...                 |

Screenshot: tests/e2e/playwright/artefacts/demos/federation-climscore/03-select-result.png

Step 4 — Carol tries to write and gets denied cleanly

In the SQL editor, run:

UPDATE climscore.public.assets SET risk_score = 0 WHERE asset_id = 'AS-00000412';

Expected error toast (not a raw stack trace):

This catalog is read-only.
Allowed verbs: SELECT, SHOW, DESCRIBE, EXPLAIN.
Reason: Climscore catalog is registered as read-only for AKKO users.
Contact: data-team@akko-ai.com

Repeat with INSERT, DELETE, MERGE, TRUNCATE: same friendly denial.

Screenshot: tests/e2e/playwright/artefacts/demos/federation-climscore/04-write-denied.png

Step 5 — Carol promotes a shared dashboard

Run the SELECT again, click Promote to dashboard. ADEN proposes:

  1. KPI — Assets above risk 0.7
  2. KPI — Average risk score
  3. Bar — Risk score distribution
  4. Map — High-risk assets (if geometry present)
  5. Table — Top 50

Click Share → Publish read-only with audience akko-analyst.

Screenshot: tests/e2e/playwright/artefacts/demos/federation-climscore/05-shared-dashboard.png

Step 6 — Alice inspects the audit trail

Sign in as alice. Navigate to Governance → Audit trail → catalog = climscore.

Expected events:

| ts                  | actor | action               | result | reason         |
| 2026-05-17 11:02:14 | alice | catalog.register     | ok     | read-only      |
| 2026-05-17 11:05:08 | carol | query.execute        | ok     | -              |
| 2026-05-17 11:05:42 | carol | query.execute        | denied | readonly_verb  |
| 2026-05-17 11:06:00 | carol | dashboard.publish    | ok     | -              |

Screenshot: tests/e2e/playwright/artefacts/demos/federation-climscore/06-audit.png
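
The gate from Step 4 and the audit row from Step 6, sketched as an added example (not AKKO's code, and not the Rego policy listed under "Files in the repo"); `check_read_only`, `effective_verb` and the Trino-style `EXPLAIN ANALYZE` handling are assumptions. It decides by allowlist rather than by the form's deny list, so writes hidden behind a comment, a second statement or `EXPLAIN ANALYZE` are refused too.

```python
import re
from datetime import datetime, timezone

# Allowed verbs and message text as shown in the denial toast of Step 4.
ALLOWED_VERBS = {"SELECT", "SHOW", "DESCRIBE", "EXPLAIN"}
DENIAL_MESSAGE = (
    "This catalog is read-only.\n"
    "Allowed verbs: SELECT, SHOW, DESCRIBE, EXPLAIN.\n"
    "Reason: Climscore catalog is registered as read-only for AKKO users.\n"
    "Contact: data-team@akko-ai.com"
)
# String literals, quoted identifiers and comments can hide ';' or verb-like text.
_NOISE = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"|--[^\n]*|/\*.*?\*/", re.S)


def effective_verb(statement):
    """Leading verb of one statement; EXPLAIN ANALYZE yields the inner verb."""
    words = re.findall(r"[A-Z_]+", statement.upper())
    if words[:2] == ["EXPLAIN", "ANALYZE"]:
        # EXPLAIN ANALYZE executes the statement it wraps, so judge that one.
        words = [w for w in words[2:] if w != "VERBOSE"]
    return words[0] if words else None


def check_read_only(actor, sql, now=None):
    """Hypothetical gate: (allowed, message, audit_event) for one submission."""
    cleaned = _NOISE.sub(" ", sql)
    verbs = [effective_verb(part) for part in cleaned.split(";") if part.strip()]
    # Allowlist, fail closed: every statement must start with an allowed verb,
    # so verbs outside the form's deny list (GRANT, CALL, ...) are refused too.
    allowed = bool(verbs) and all(v in ALLOWED_VERBS for v in verbs)
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
    event = {"ts": ts, "actor": actor, "action": "query.execute",
             "result": "ok" if allowed else "denied",
             "reason": "-" if allowed else "readonly_verb"}
    return allowed, (None if allowed else DENIAL_MESSAGE), event


if __name__ == "__main__":
    for sql in (  # constructed submissions; the second is the Step 4 statement
        "SELECT asset_id FROM climscore.public.assets WHERE risk_score > 0.7",
        "UPDATE climscore.public.assets SET risk_score = 0 WHERE asset_id = 'AS-00000412';",
        "EXPLAIN ANALYZE UPDATE climscore.public.assets SET risk_score = 0",
        "SELECT 1; DELETE FROM climscore.public.assets",
    ):
        ok, _, event = check_read_only("carol", sql)
        print(event["result"], event["reason"], "|", sql)
```
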

Cleanup

  • Sign out.

What this proves

  • A client read-only contract is enforced at the Query layer, not in the application.
  • The user-facing message is actionable, not a stack trace.
  • The audit trail captures denied writes for evidence.

Files in the repo

| File | Role |
| helm/akko/charts/akko-catalog-manager/templates/secret-climscore.yaml | Climscore reader Secret template |
| opa/policies/catalog_readonly.rego | Rego policy that denies write verbs on read-only catalogs |
| trino/catalog/climscore.properties | Generated catalog file |