Skip to content

feat(auth): add org_id to APIKey and return AuthContext from require_api_key#16

Merged
Shaivpidadi merged 9 commits into
devfrom
feat/dl-1-apikey-org-id
Apr 20, 2026
Merged

feat(auth): add org_id to APIKey and return AuthContext from require_api_key#16
Shaivpidadi merged 9 commits into
devfrom
feat/dl-1-apikey-org-id

Conversation

@Shaivpidadi

Copy link
Copy Markdown
Member

Summary

  • Added nullable org_id column to the APIKey model so precheck decisions can be routed to the correct org.
  • require_api_key now returns AuthContext(raw_key, org_id) (frozen dataclass) instead of a bare key string.
  • Updated all Depends(require_api_key) call sites in api.py (/v1/precheck, /v1/postcheck, /v1/keys/rotate, /v1/keys/revoke) to consume the new type. Rotate/revoke also fixed to use key_hash instead of a non-existent key column.
  • Added tests/test_auth_org_id.py covering: org_id propagation on valid key, None when column is null, per-org isolation, and 401 rejection for unknown/inactive/expired/missing keys.

GovernsAI Tracker issue

GOV-11 (DL-1)

Reviewers

Tagging Nexus (code quality) and Cipher (security/arch) — both approvals required.

Test plan

  • pytest tests/test_auth_org_id.py — 8/8 pass
  • Downstream: DL-3 (per-org webhook routing) can now read auth.org_id in precheck/postcheck handlers
  • Platform-side key sync (DL-2) will populate the new org_id column

Notes

  • The conftest fixtures in tests/test_auth_enforcement.py were already inconsistent with the hashed-key model (uses APIKey(key=...) — pre-existing). Not in scope for this PR; flagged for follow-up.

…key-hashing

fix: chdir to repo root on startup (policy file resolution)
…key-hashing

fix: include policy.tool_access.yaml in Docker image
…quire_api_key

- storage.py: add nullable org_id column to api_keys so decisions can be routed per-org
- auth.py: require_api_key now returns AuthContext(raw_key, org_id) instead of a bare key string
- api.py: update /v1/precheck, /v1/postcheck, /v1/keys/rotate, /v1/keys/revoke to consume AuthContext
- tests: add test_auth_org_id.py covering org_id propagation, null handling, and 401 rejection paths

Refs: GOV-11 (DL-1)
Merges the DL-4 CI improvements from dev:
- Updated ci.yml with dev branch trigger, Python 3.12, and 60% coverage
- Updated pyproject.toml with relaxed mypy config and 60% coverage threshold
- Updated settings.py with extra='ignore' for unknown env vars
- Updated conftest.py with StaticPool and hash_api_key fixtures
- Fixes to test files matching actual implementation behavior

Re-applied DL-1's api.py changes on top of dev's reformatted version:
- AuthContext import and usage in rotate/revoke/precheck/postcheck
- key_hash lookup replacing the removed APIKey.key column
@Shaivpidadi
Shaivpidadi merged commit acad840 into dev Apr 20, 2026
4 checks passed
@Shaivpidadi
Shaivpidadi deleted the feat/dl-1-apikey-org-id branch April 20, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant