Context
chat-app CI artifacts from run 26158428825 show llm-proxy returning 403 access denied after resolving the model endpoint in TestLLM. This likely causes agent reply and trace-link timeouts.
The suspected missing authorization tuple is:
user=identity:<agent_id>
relation=member
object=organization:<org_id>
Without this tuple, model.can_use membership checks from organization membership fail for agent identities.
Intent
- On
CreateAgent, write the OpenFGA tuple for the created agent identity as an organization member.
- On
DeleteAgent, remove that tuple.
- On rollback from a failed delete, restore the tuple.
- Add unit tests covering tuple writes, deletes, and restore-on-rollback behavior.
Notes
Use @main everywhere; do not pin cross-repo actions or dependencies for this fix.
Context
chat-app CI artifacts from run 26158428825 show llm-proxy returning
403 access deniedafter resolving the model endpoint inTestLLM. This likely causes agent reply and trace-link timeouts.The suspected missing authorization tuple is:
Without this tuple,
model.can_usemembership checks from organization membership fail for agent identities.Intent
CreateAgent, write the OpenFGA tuple for the created agent identity as an organization member.DeleteAgent, remove that tuple.Notes
Use
@maineverywhere; do not pin cross-repo actions or dependencies for this fix.