Skip to content

Add controlled service actor provisioning#143

Merged
abiorh-claw merged 25 commits into
mainfrom
codex/ws-auth-001-09b-controlled-service-provisioning
Jul 17, 2026
Merged

Add controlled service actor provisioning#143
abiorh-claw merged 25 commits into
mainfrom
codex/ws-auth-001-09b-controlled-service-provisioning

Conversation

@Abiorh001

@Abiorh001 Abiorh001 commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

WS-AUTH-001-09B - Controlled Service Actor Provisioning

Human-Approved Intent

The user explicitly started AUTH-09B after AUTH-09A merged and signed memory
stopped. The intent is to let an effective system Access Administrator bind one
opaque Identity Issuer subject to one fixed internal service ActorProfile while
keeping service verification, service admission, grants, assignments, and
feature-action activation out of scope.

Scope Control

This PR adds only the controlled provisioning route, server-owned issuer port,
atomic actor/link/evidence/idempotency transaction, migration 0024, required
lock-order repairs, and behavior/CI proof. It activates only
actor.service.provision. It adds no compatibility alias, provider fallback,
dynamic assignment, service grant, ART/REV/CON activation, or AUTH-09C behavior.

Evidence

  • broad actor/auth/authorization selection: 236 passed
  • actor classification and migration tooling: 109 passed
  • API/OpenAPI integration selection: 16 passed
  • external-review PostgreSQL lock/replay selection: 2 passed
  • provisioning concurrency/privacy selection: 1 passed
  • active-action audit parity repair: 1 passed
  • complete isolated PostgreSQL authorization file: 85 passed
  • new definition-route and SQL-failure behavior tests: 2 passed
  • final GitHub full suite: 1,244 passed at 84.98% global coverage
  • final actor subsystem coverage: 92.95%
  • final authorization subsystem coverage: 90.31% (1,600 statements, 155 misses)
  • final verifier boundary coverage: 94.19%

Acceptance Criteria Proof

  • catalogue is exactly 65 actions: 10 active and 55 planned
  • only actor.service.provision changes to active
  • creation atomically records one fixed service profile, one unverified exact
    issuer/subject link, allowed/success/invalidation evidence, and idempotency
    completion
  • replay reauthorizes the human caller and fails closed for deactivated profiles
    or revoked links
  • service tokens remain denied before actor lookup until AUTH-09E
  • responses, logs, and audit evidence do not expose subject, issuer, token,
    email, or raw reason
  • no grant, assignment, service admission, or feature action is created

Test Delta

Tests are additive and behavior-first. They cover independent-session races,
crossed grant revocation, injected SQL/evidence/idempotency failures, full
rollback and retry, privacy across responses/logs/audit, non-echoing 422 input,
stale ORM state in both lifecycle directions, inactive replay, migration
upgrade/downgrade/re-upgrade, exact active-action parity, definition-read
authorization/touch/commit ordering, typed resource binding, and stable
rollback-to-503 mapping. No test was removed, skipped, weakened, or rewritten
to accept broken behavior.

CI/Gate Integrity

GitHub Backend retains the repository-wide 78% floor and now separately enforces
90% for actors, authorization, and the verifier boundary. Agent Gates pin the
exact commands, scopes, thresholds, uniqueness, and ordering after full-suite
coverage and before the isolated real HTTP drill. Ruff, compileall, merge
intent, internal-review evidence, stale scans, Markdown links, 80 Agent Gates,
and diff integrity pass locally. GitHub Backend, Agent Gates, and CodeRabbit are
all green on the final PR head.

Reviewer Results

Track Result Blocking findings
Senior engineering PASS AFTER FIXES none
QA/test PASS AFTER FIXES none
Security/auth PASS AFTER FIXES none
Product/ops PASS none
Architecture PASS AFTER FIXES none
CI integrity PASS AFTER FIXES none
Docs PASS AFTER FIXES none
Reuse/dedup PASS AFTER FIXES none
Test delta PASS AFTER FIXES none

External Review

All four CodeRabbit findings are repaired: fresh locked ORM rows, subject
whitespace rejection without normalization, inactive replay denial, and exact
90% subsystem CI enforcement. The first Backend run's one stale audit active-set
expectation is also repaired. The next Backend run passed all 1,242 tests and
then exposed 89.75% at the new authorization gate. The final test-only repair
reaches 90.31% without changing production code or weakening CI. Final GitHub
proof is 1,244 tests at 84.98% global, 92.95% actors, 90.31% authorization, and
94.19% verifier coverage. Backend, Agent Gates, and CodeRabbit are green.

Merge Intent

.agent-loop/merge-intents/WS-AUTH-001-09B.json is the one immutable schema-v2
merge intent. It names AUTH-09C only as a same-initiative successor; 09C still
requires this PR to merge, signed automated memory, and a separate explicit
human start.

Human Review Focus

Review the server-owned issuer, strict fixed identity input, atomic evidence and
idempotency chain, nullable unverified service timestamps, profile-before-link
locking, stale-row refresh, pre-lookup service denial, and absence of grants or
feature activation.

Merge Ownership

Only the human may approve and merge PR #143. After merge, trusted-main
automation owns signed schema-v2 memory. The agent must stop and must not start
AUTH-09C automatically.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

AUTH-09B adds controlled, idempotent service actor provisioning through a protected API route. It introduces unverified service-link persistence, canonical issuer handling, authorization integration, conflict/replay behavior, lock-order changes, migration 0024, extensive tests, and isolated API contract execution.

Changes

AUTH-09B contract and rollout state

Layer / File(s) Summary
Workstream contract and migration allocation
.agent-loop/..., docs/spec_authorization_service.md
AUTH-09B is marked active, actor.service.provision is the sole activated action, and migrations are reassigned through 0030.
Authorization and review evidence
.agent-loop/initiatives/.../chunks/*, .agent-loop/initiatives/.../reviews/*
Provisioning boundaries, lock ordering, evidence requirements, privacy rules, and deferred service admission are documented.
Operational rollout guidance
docs/operations_authorization_service.md
The runbook documents isolated verification, provisioning behavior, replay/conflict handling, and updated lock ordering.

Verification persistence and actor boundaries

Layer / File(s) Summary
Unverified service-link schema
backend/alembic/versions/0024_service_link_verification.py, backend/app/modules/actors/models.py
Service links may have nullable last_verified_at; human links remain verification-constrained, and downgrade refuses unverified service links.
Canonical issuer and subject handling
backend/app/interfaces/auth.py, backend/app/adapters/auth/*, backend/app/api/deps/auth.py, backend/app/modules/actors/service.py
Auth verifiers expose configured issuers, enforce UTF-8 bounds, and reject service subjects before actor resolution or timestamp mutation.
Actor locking and lookup
backend/app/modules/actors/repository.py, backend/app/modules/authorization/repository.py
Advisory keys distinguish service identities, new service-actor lookups are added, and actor profile locks precede identity-link locks.

Authorization and provisioning flow

Layer / File(s) Summary
Provisioning contracts and action activation
backend/app/modules/authorization/runtime.py, backend/app/modules/authorization/schemas.py, backend/app/modules/authorization/service_actor_schemas.py, backend/app/modules/authorization/catalogue.py
Strict request/response models, service identity digests, a provisioning resource context, and the active service-provision action are added.
Atomic provisioning orchestration
backend/app/modules/authorization/service_actor_service.py
Reservation, identity locking, deterministic conflicts, atomic profile/link creation, audit/invalidation evidence, replay reconstruction, and drift checks are implemented.
Protected API integration
backend/app/modules/authorization/router.py, backend/app/modules/authorization/kernel.py, backend/app/modules/authorization/service.py
POST /api/v1/service-actors authorizes the request, handles idempotency and conflicts, commits successful mutations, and maps failures to structured responses.

Behavioral validation and delivery wiring

Layer / File(s) Summary
Actor and migration validation
backend/tests/test_actors.py, backend/tests/test_alembic.py, backend/tests/test_tasks.py
Tests cover fail-closed actor resolution, lock domains, verification timestamps, migration downgrade guards, and updated identity-link fixtures.
Provisioning and authorization tests
backend/tests/test_auth.py, backend/tests/test_authorization.py, backend/tests/test_api_controls.py
Tests cover concurrency, replay, conflicts, rollback, authority races, privacy redaction, decision drift, OpenAPI responses, and action declarations.
Isolated E2E execution
backend/scripts/api_contract_e2e.py, backend/tests/test_api_contract_e2e.py, .github/workflows/backend.yml, scripts/test_agent_gates.py
The API drill bootstraps an administrator, provisions and replays a service actor, requires an isolated database, and is wired into workflow regression checks.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant AccessAdministrator
  participant AuthorizationRouter
  participant AuthorizationKernel
  participant ServiceActorProvisioningService
  participant ActorRepository
  participant PostgreSQL
  AccessAdministrator->>AuthorizationRouter: POST /api/v1/service-actors
  AuthorizationRouter->>AuthorizationKernel: authorize actor.service.provision
  AuthorizationKernel-->>AuthorizationRouter: authorization decision
  AuthorizationRouter->>ServiceActorProvisioningService: reserve request
  ServiceActorProvisioningService->>ActorRepository: lock service identity and external identity
  ActorRepository->>PostgreSQL: create service profile and identity link
  PostgreSQL-->>ServiceActorProvisioningService: persisted provisioning facts
  ServiceActorProvisioningService-->>AuthorizationRouter: response or replay
  AuthorizationRouter-->>AccessAdministrator: provisioning result
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 41.04% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ⚠️ Warning The description is detailed, but it does not follow the required PR template and omits sections like Chunk, Commands Run, Allowed Files Changed, and the review tables. Rewrite the PR description to match the template headings and fill in the missing chunk metadata, scope/files, commands, evidence output, and reviewer checklist sections.
✅ Passed checks (3 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and accurately summarizes the main change: controlled service actor provisioning.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/ws-auth-001-09b-controlled-service-provisioning

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/backend.yml:
- Around line 95-102: Update the “API contract real API e2e” workflow job in
.github/workflows/backend.yml (lines 95-102) to add an ordered targeted coverage
report step enforcing --fail-under=90 for the actor/auth/authorization
subsystem. Update the corresponding regression assertions in
scripts/test_agent_gates.py (lines 4446-4460) to require that exact coverage
command, 90% threshold, subsystem scope, and ordering.

In `@backend/app/modules/authorization/repository.py`:
- Around line 59-72: Prevent stale cached authorization entities by appending
execution_options(populate_existing=True) to both locking queries in
lock_request_actor at backend/app/modules/authorization/repository.py lines
59-72, for ActorProfile and ActorIdentityLink. Apply the same option to both
locking queries in lock_eligible_human at
backend/app/modules/authorization/repository.py lines 150-174.

In `@backend/app/modules/authorization/service_actor_schemas.py`:
- Around line 16-19: Update _bounded_subject to reject subjects with leading or
trailing whitespace by validating that the original value equals its stripped
form, while preserving the existing non-empty and 200 UTF-8-byte limits.

In `@backend/tests/test_authorization.py`:
- Around line 2740-2807: Update replay_response to reject stored profiles and
links whose status is not active before rebuilding the idempotent response,
raising ServiceActorProvisioningUnavailable with the existing “actor is
unavailable” or “link is unavailable” messages. Extend the current_profile and
current_link test cases to include deactivated profiles and revoked links,
preserving the existing mismatch and missing-state coverage.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 8d818456-089e-4353-87ed-5ca64d53b881

📥 Commits

Reviewing files that changed from the base of the PR and between a947b86 and c13cafc.

📒 Files selected for processing (51)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DISCOVERY.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/PLAN.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/RISKS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-08-bootstrap-admin-grants.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-09B-controlled-service-provisioning.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-10-project-role-grants.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-11-project-read-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-12-project-mutation-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-13-task-assignment-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-14-submission-checker-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-15-worker-authority-removal.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-09B-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-09B-pr-trust-bundle.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-09B-preimplementation-plan-review.md
  • .agent-loop/merge-intents/WS-AUTH-001-09B.json
  • .github/workflows/backend.yml
  • backend/alembic/versions/0024_service_link_verification.py
  • backend/app/adapters/auth/dev.py
  • backend/app/adapters/auth/flow.py
  • backend/app/api/deps/auth.py
  • backend/app/core/auth.py
  • backend/app/interfaces/auth.py
  • backend/app/modules/actors/models.py
  • backend/app/modules/actors/repository.py
  • backend/app/modules/actors/service.py
  • backend/app/modules/authorization/catalogue.py
  • backend/app/modules/authorization/kernel.py
  • backend/app/modules/authorization/repository.py
  • backend/app/modules/authorization/router.py
  • backend/app/modules/authorization/runtime.py
  • backend/app/modules/authorization/schemas.py
  • backend/app/modules/authorization/service.py
  • backend/app/modules/authorization/service_actor_schemas.py
  • backend/app/modules/authorization/service_actor_service.py
  • backend/scripts/api_contract_e2e.py
  • backend/tests/test_actors.py
  • backend/tests/test_alembic.py
  • backend/tests/test_api_contract_e2e.py
  • backend/tests/test_api_controls.py
  • backend/tests/test_auth.py
  • backend/tests/test_authorization.py
  • backend/tests/test_tasks.py
  • docs/operations_authorization_service.md
  • docs/spec_authorization_service.md
  • scripts/test_agent_gates.py

Comment thread .github/workflows/backend.yml
Comment thread backend/app/modules/authorization/repository.py
Comment thread backend/app/modules/authorization/service_actor_schemas.py
Comment thread backend/tests/test_authorization.py
@abiorh-claw
abiorh-claw self-requested a review July 17, 2026 22:39
@abiorh-claw
abiorh-claw merged commit 053242b into main Jul 17, 2026
5 checks passed
github-actions Bot pushed a commit that referenced this pull request Jul 17, 2026
@abiorh-claw
abiorh-claw deleted the codex/ws-auth-001-09b-controlled-service-provisioning branch July 17, 2026 23:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants