Add controlled service actor provisioning#143
Conversation
…-controlled-service-provisioning
…-controlled-service-provisioning # Conflicts: # .agent-loop/REVIEW_LOG.md
📝 WalkthroughWalkthroughAUTH-09B adds controlled, idempotent service actor provisioning through a protected API route. It introduces unverified service-link persistence, canonical issuer handling, authorization integration, conflict/replay behavior, lock-order changes, migration 0024, extensive tests, and isolated API contract execution. ChangesAUTH-09B contract and rollout state
Verification persistence and actor boundaries
Authorization and provisioning flow
Behavioral validation and delivery wiring
Estimated code review effort: 5 (Critical) | ~120 minutes Sequence Diagram(s)sequenceDiagram
participant AccessAdministrator
participant AuthorizationRouter
participant AuthorizationKernel
participant ServiceActorProvisioningService
participant ActorRepository
participant PostgreSQL
AccessAdministrator->>AuthorizationRouter: POST /api/v1/service-actors
AuthorizationRouter->>AuthorizationKernel: authorize actor.service.provision
AuthorizationKernel-->>AuthorizationRouter: authorization decision
AuthorizationRouter->>ServiceActorProvisioningService: reserve request
ServiceActorProvisioningService->>ActorRepository: lock service identity and external identity
ActorRepository->>PostgreSQL: create service profile and identity link
PostgreSQL-->>ServiceActorProvisioningService: persisted provisioning facts
ServiceActorProvisioningService-->>AuthorizationRouter: response or replay
AuthorizationRouter-->>AccessAdministrator: provisioning result
Possibly related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/backend.yml:
- Around line 95-102: Update the “API contract real API e2e” workflow job in
.github/workflows/backend.yml (lines 95-102) to add an ordered targeted coverage
report step enforcing --fail-under=90 for the actor/auth/authorization
subsystem. Update the corresponding regression assertions in
scripts/test_agent_gates.py (lines 4446-4460) to require that exact coverage
command, 90% threshold, subsystem scope, and ordering.
In `@backend/app/modules/authorization/repository.py`:
- Around line 59-72: Prevent stale cached authorization entities by appending
execution_options(populate_existing=True) to both locking queries in
lock_request_actor at backend/app/modules/authorization/repository.py lines
59-72, for ActorProfile and ActorIdentityLink. Apply the same option to both
locking queries in lock_eligible_human at
backend/app/modules/authorization/repository.py lines 150-174.
In `@backend/app/modules/authorization/service_actor_schemas.py`:
- Around line 16-19: Update _bounded_subject to reject subjects with leading or
trailing whitespace by validating that the original value equals its stripped
form, while preserving the existing non-empty and 200 UTF-8-byte limits.
In `@backend/tests/test_authorization.py`:
- Around line 2740-2807: Update replay_response to reject stored profiles and
links whose status is not active before rebuilding the idempotent response,
raising ServiceActorProvisioningUnavailable with the existing “actor is
unavailable” or “link is unavailable” messages. Extend the current_profile and
current_link test cases to include deactivated profiles and revoked links,
preserving the existing mismatch and missing-state coverage.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 8d818456-089e-4353-87ed-5ca64d53b881
📒 Files selected for processing (51)
.agent-loop/LOOP_STATE.md.agent-loop/REVIEW_LOG.md.agent-loop/WORK_QUEUE.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DISCOVERY.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/PLAN.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/RISKS.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-08-bootstrap-admin-grants.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-09B-controlled-service-provisioning.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-10-project-role-grants.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-11-project-read-cutover.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-12-project-mutation-cutover.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-13-task-assignment-cutover.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-14-submission-checker-cutover.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-15-worker-authority-removal.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-09B-internal-review-evidence.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-09B-pr-trust-bundle.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-09B-preimplementation-plan-review.md.agent-loop/merge-intents/WS-AUTH-001-09B.json.github/workflows/backend.ymlbackend/alembic/versions/0024_service_link_verification.pybackend/app/adapters/auth/dev.pybackend/app/adapters/auth/flow.pybackend/app/api/deps/auth.pybackend/app/core/auth.pybackend/app/interfaces/auth.pybackend/app/modules/actors/models.pybackend/app/modules/actors/repository.pybackend/app/modules/actors/service.pybackend/app/modules/authorization/catalogue.pybackend/app/modules/authorization/kernel.pybackend/app/modules/authorization/repository.pybackend/app/modules/authorization/router.pybackend/app/modules/authorization/runtime.pybackend/app/modules/authorization/schemas.pybackend/app/modules/authorization/service.pybackend/app/modules/authorization/service_actor_schemas.pybackend/app/modules/authorization/service_actor_service.pybackend/scripts/api_contract_e2e.pybackend/tests/test_actors.pybackend/tests/test_alembic.pybackend/tests/test_api_contract_e2e.pybackend/tests/test_api_controls.pybackend/tests/test_auth.pybackend/tests/test_authorization.pybackend/tests/test_tasks.pydocs/operations_authorization_service.mddocs/spec_authorization_service.mdscripts/test_agent_gates.py
WS-AUTH-001-09B - Controlled Service Actor Provisioning
Human-Approved Intent
The user explicitly started AUTH-09B after AUTH-09A merged and signed memory
stopped. The intent is to let an effective system Access Administrator bind one
opaque Identity Issuer subject to one fixed internal service ActorProfile while
keeping service verification, service admission, grants, assignments, and
feature-action activation out of scope.
Scope Control
This PR adds only the controlled provisioning route, server-owned issuer port,
atomic actor/link/evidence/idempotency transaction, migration
0024, requiredlock-order repairs, and behavior/CI proof. It activates only
actor.service.provision. It adds no compatibility alias, provider fallback,dynamic assignment, service grant, ART/REV/CON activation, or AUTH-09C behavior.
Evidence
Acceptance Criteria Proof
actor.service.provisionchanges to activeissuer/subject link, allowed/success/invalidation evidence, and idempotency
completion
or revoked links
email, or raw reason
Test Delta
Tests are additive and behavior-first. They cover independent-session races,
crossed grant revocation, injected SQL/evidence/idempotency failures, full
rollback and retry, privacy across responses/logs/audit, non-echoing 422 input,
stale ORM state in both lifecycle directions, inactive replay, migration
upgrade/downgrade/re-upgrade, exact active-action parity, definition-read
authorization/touch/commit ordering, typed resource binding, and stable
rollback-to-503 mapping. No test was removed, skipped, weakened, or rewritten
to accept broken behavior.
CI/Gate Integrity
GitHub Backend retains the repository-wide 78% floor and now separately enforces
90% for actors, authorization, and the verifier boundary. Agent Gates pin the
exact commands, scopes, thresholds, uniqueness, and ordering after full-suite
coverage and before the isolated real HTTP drill. Ruff, compileall, merge
intent, internal-review evidence, stale scans, Markdown links, 80 Agent Gates,
and diff integrity pass locally. GitHub Backend, Agent Gates, and CodeRabbit are
all green on the final PR head.
Reviewer Results
External Review
All four CodeRabbit findings are repaired: fresh locked ORM rows, subject
whitespace rejection without normalization, inactive replay denial, and exact
90% subsystem CI enforcement. The first Backend run's one stale audit active-set
expectation is also repaired. The next Backend run passed all 1,242 tests and
then exposed 89.75% at the new authorization gate. The final test-only repair
reaches 90.31% without changing production code or weakening CI. Final GitHub
proof is 1,244 tests at 84.98% global, 92.95% actors, 90.31% authorization, and
94.19% verifier coverage. Backend, Agent Gates, and CodeRabbit are green.
Merge Intent
.agent-loop/merge-intents/WS-AUTH-001-09B.jsonis the one immutable schema-v2merge intent. It names AUTH-09C only as a same-initiative successor; 09C still
requires this PR to merge, signed automated memory, and a separate explicit
human start.
Human Review Focus
Review the server-owned issuer, strict fixed identity input, atomic evidence and
idempotency chain, nullable unverified service timestamps, profile-before-link
locking, stale-row refresh, pre-lookup service denial, and absence of grants or
feature activation.
Merge Ownership
Only the human may approve and merge PR #143. After merge, trusted-main
automation owns signed schema-v2 memory. The agent must stop and must not start
AUTH-09C automatically.