Design: cross-org issue filing with bidirectional authorization (#672) #980
ralphbean wants to merge 5 commits into
Captures the design for bidirectional cross-org authorization (send_issues_to / accept_issues_from), a new cross-org-propose mint role, and the enforcement split between mint and post-script.
Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>

Proposes extending the central token mint with a cross-org-propose role and bidirectional config-driven authorization (send_issues_to / accept_issues_from) for cross-org issue filing. Relates to #672.
Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>

Adds a consequence noting that GitLab-to-GitHub cross-org minting is a natural extension but requires separate mint changes for OIDC issuer validation and downstream identity.
Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
Site preview: https://00c9291a-site.fullsend-ai.workers.dev
Review: #980
Head SHA: c0cb811
Summary: Clean docs-only PR adding a design spec and ADR for cross-org issue filing, directly addressing #672. The bidirectional authorization model (downstream
Findings: Medium
Info
Outcome: approve

Previous run
Review: #980
Head SHA: eb3c99c
Summary: This PR introduces a well-designed bidirectional authorization model for cross-org issue filing, addressing #672. The design spec and ADR 0037 are logically consistent, follow established repo conventions, and correctly extend the token mint architecture from ADR 0029. The enforcement split (mint checks upstream authorization, post-script checks downstream intent) is clean and maintains least-privilege. No security, correctness, or injection concerns were found.
Findings: Info
Outcome: approve
Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com> Signed-off-by: Ralph Bean <rbean@redhat.com>
I just had a thought (that I need to take up another day): this doesn't account for multiple mints; self-managed mints. What if the upstream you want to contribute to uses a different mint than you do? Do you need to configure their target mint url explicitly as a downstream? Perhaps there's another option to explore here: could upstream offer a workflow that provides a way for a trusted downstream to borrow its mint? Unclear - will think on it more tomorrow.
High issues fixed:
- Renumber ADR from 0037 to 0038 to avoid collision with PR fullsend-ai#980 which also uses ADR-0037 (cross-org-token-minting). Updated all references from ADR-0037 to ADR-0038 in both the ADR file and implementation plan.

Medium issues fixed:
- Promote atomic cache writes from TODO to Phase 1 requirement. Added explicit requirement to Phase 1 deliverables and updated CachePut comment to reference the requirement instead of vague TODO.
- Promote double-encoding mitigation from TODO to Phase 1 requirement. Added explicit requirement to Phase 1 deliverables specifying either iterative decoding (max 3 iterations) or rejection of URLs with %25. Updated matchesAllowedPrefix comment to reference the requirement.

Low issues (not fixed per user instruction):
- DefaultPolicy includes gitlab.com
- Placeholder import paths in illustrative code

Note: High issue about README adding pre-existing plans is about PR description scope, not a code change needed.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Medium:
- Add explanatory comment to ADR documenting why it's numbered 0038 instead of 0037 (to avoid collision with PR fullsend-ai#980 which uses ADR-0037 for cross-org-token-minting)

Low:
- Update PR description to clarify that README change documents the new universal-harness-access plan alongside three pre-existing plan files that were previously unlisted, and to note ADR numbering rationale
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Medium:
- Update HTML comment to reference ADR title "Cross-org token minting for issue proposals" instead of PR branch name, clarifying which ADR in PR fullsend-ai#980 this is avoiding collision with
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Summary

… (`send_issues_to` / `accept_issues_from`) and a new `cross-org-propose` mint role.

What's here

- Design spec (`docs/superpowers/specs/2026-05-14-cross-org-issue-filing-design.md`): full design covering config keys, enforcement split (mint checks upstream, post-script checks downstream), workflow changes, post-script changes, failure modes, and testing
- ADR (`docs/ADRs/0037-cross-org-token-minting.md`): decision record for extending the mint with config-reading capability for cross-org authorization, with open question on cross-forge federation (references ADR 0028, ADR 0029)

Key design decisions

- Downstream declares `send_issues_to`, upstream declares `accept_issues_from`. Both must agree.
- Mint checks upstream's `accept_issues_from` (only entity with cross-org visibility). Post-script checks downstream's `send_issues_to`.
- Config lookup reads the repo's `.fullsend/config.yaml` first, then falls back to the org `.fullsend/config.yaml`.
- The mint reads config for `cross-org-propose` requests only. All other roles stay stateless.

When accepted, these living docs need updating

- `docs/architecture.md`: "Decided:" block in the federation section linking to ADR 0037
- `docs/problems/security-threat-model.md`: consider noting the mint's new config-reading surface

Related

- #672 (… `target_repo` to known-valid destinations)
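The enforcement split listed under Key design decisions, worked through as an added Python example. This is not the project's code: the page does not show the mint, the post-script, or the config format, so the `ConfigStore`, the allowlist entry grammar (an entry names either a whole org or one `org/repo`), the token dictionary, the role name used for the stateless case, and the ordering (mint first, then post-script) are all assumptions of this example. The config contents are constructed. What it shows that the bullets alone do not: the repo-level config shadowing the org-level one, the mint denying an unknown org while the post-script denies an undeclared destination, and the config read counter proving that a non-`cross-org-propose` role never touches config.

```python
"""Bidirectional cross-org authorization, as an added illustration.

Models the enforcement split from the PR description: the mint checks the
upstream's accept_issues_from, the post-script checks the downstream's
send_issues_to, config is looked up repo-first then org, and only the
cross-org-propose role reads config. The ConfigStore, the entry grammar,
the token shape and the role names other than cross-org-propose are all
assumptions of this example, not the project's code.
"""
from __future__ import annotations

CONFIG_PATH = ".fullsend/config.yaml"  # the path named in the PR description


class AuthzError(Exception):
    """Raised when either side of the bidirectional check fails."""


class ConfigStore:
    """Constructed stand-in for fetching CONFIG_PATH from a repo, falling back
    to the org-level copy when the repo has none. Counts reads so a caller can
    verify that non-cross-org roles never touch config."""

    def __init__(self, repo_configs: dict[str, dict], org_configs: dict[str, dict]):
        self.repo_configs = repo_configs
        self.org_configs = org_configs
        self.reads = 0

    def lookup(self, repo: str) -> dict:
        self.reads += 1
        if repo in self.repo_configs:          # repo-level config wins outright
            return self.repo_configs[repo]
        org = repo.split("/", 1)[0]
        return self.org_configs.get(org, {})   # org-level fallback, else empty


def _entry_matches(entry: str, repo: str) -> bool:
    """An allowlist entry names a whole org ("acme") or one repo ("acme/app").
    This grammar is an assumption of the example."""
    if "/" in entry:
        return entry == repo
    return repo.split("/", 1)[0] == entry


def mint_token(store: ConfigStore, role: str, source_repo: str, target_repo: str) -> dict:
    """Mint side. source_repo is taken to be the caller's already-verified
    identity. Only cross-org-propose reads config; every other role stays
    stateless."""
    if role != "cross-org-propose":
        return {"role": role, "repo": source_repo}        # hypothetical token shape
    accepted = store.lookup(target_repo).get("accept_issues_from", [])
    if not any(_entry_matches(e, source_repo) for e in accepted):
        raise AuthzError(f"{target_repo} does not accept issues from {source_repo}")
    # Bind the token to one destination so it cannot be reused against another.
    return {"role": role, "repo": source_repo, "target_repo": target_repo}


def post_script_check(downstream_config: dict, token: dict, target_repo: str) -> None:
    """Post-script side, running in the downstream with only its own config.
    The downstream must have declared intent, and the token must name the
    destination actually being used."""
    if token.get("target_repo") != target_repo:
        raise AuthzError("token is not bound to the requested target_repo")
    declared = downstream_config.get("send_issues_to", [])
    if not any(_entry_matches(e, target_repo) for e in declared):
        raise AuthzError(f"downstream has not declared send_issues_to for {target_repo}")


def decide(store: ConfigStore, source_repo: str, target_repo: str) -> str:
    """Run both halves and report 'allow' or the denial reason. Running the
    mint before the post-script is an ordering assumption of this example."""
    try:
        token = mint_token(store, "cross-org-propose", source_repo, target_repo)
        post_script_check(store.lookup(source_repo), token, target_repo)
    except AuthzError as exc:
        return f"deny: {exc}"
    return "allow"


def sample_store() -> ConfigStore:
    """Constructed config data: two orgs, one repo-level override."""
    return ConfigStore(
        repo_configs={
            "acme/app": {"send_issues_to": ["widgets/lib"]},
            "widgets/lib": {"accept_issues_from": ["acme"]},
            "widgets/private": {"accept_issues_from": []},   # shadows the org default
        },
        org_configs={
            "widgets": {"accept_issues_from": ["acme", "partner"]},
        },
    )


if __name__ == "__main__":
    store = sample_store()
    for src, dst in [("acme/app", "widgets/lib"),      # both sides agree
                     ("acme/app", "widgets/tools"),    # upstream ok via org config, downstream never declared it
                     ("acme/app", "widgets/private"),  # repo-level override denies at the mint
                     ("stranger/x", "widgets/lib")]:   # unknown org, denied at the mint
        print(f"{src} -> {dst}: {decide(store, src, dst)}")
```

Two points of the design fall out of the structure. The mint is the only party that performs a lookup on a repo it does not own (`store.lookup(target_repo)`), which is the "only entity with cross-org visibility" claim; the post-script is handed nothing but its own config. And binding the minted token to `target_repo`, checked again by the post-script, is one way to keep a token issued for one destination from being replayed against another, which is the `target_repo` concern the related issue #672 raises.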