chore: improvements in TBAC docs

[aaguiarz]

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

Release Notes

• Documentation
  • Updated task-based authorization documentation with improved terminology and clarified examples
  • Refined expiration and rate-limiting model examples with updated semantics
  • Added guidance on tuple cleanup when tasks complete
  • Enhanced documentation clarity around permission scoping and agent binding scenarios

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b11c331a-2b73-4ea9-82f3-92c2cc25aa84

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The documentation for task-based authorization in OpenFGA was updated to rephrase permission terminology, convert the expiration model from turn-count to call-count semantics, rename the agent relation from agent_in_context to calling_agent, and add new sections on tuple cleanup and further reading.

Changes

Cohort / File(s)

Summary

Documentation updates docs/content/modeling/agents/task-based-authorization.mdx

Revised credentials and permissions framing; updated OpenFGA "Expiration" section to replace turn-based limit semantics (turn_count, turns_granted, current_turn) with call-count semantics (max_call_count, max_tool_calls, current_tool_count); renamed model relation agent_in_context to calling_agent in "Binding agents to tasks" section; added "Tuple cleanup" section for task completion; added new "Further reading" link; updated references from "turn count" to "call count" throughout.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: New 'Authorization for Agents' section #1222 — Introduced the initial OpenFGA model concepts (can_call, session/agent/task relations) that this PR revises with updated semantics and terminology.

Suggested reviewers

• dyeam0
• rhamzeh
• ttrzeng

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'chore: improvements in TBAC docs' is vague and generic, using the non-descriptive term 'improvements' that doesn't convey what specific changes were made to the documentation.	Replace with a more specific title that describes the actual changes, such as 'docs: update TBAC authorization model semantics and terminology' or 'docs: refactor TBAC examples with call-count and relation naming updates'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/tbac-improvements

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR refines the Task-Based Authorization (TBAC) documentation for agents by improving wording, clarifying modeling patterns, and updating the conditions example from “turn count” to “tool call count”.

Changes:

• Reworded introductory and domain-modeling guidance to better frame TBAC and task principals.
• Updated the conditions example to use a max_call_count condition and related terminology (“call count”).
• Expanded/adjusted later sections (agent binding naming, new tuple cleanup guidance, and an added further-reading resource).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-04-07 02:33 UTC

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/content/modeling/agents/task-based-authorization.mdx (1)

187-210: ⚠️ Potential issue | 🟡 Minor

Clarify call-count boundary semantics to avoid off-by-one integrations.

current_tool_count < max_tool_calls is correct, but the docs should explicitly state whether current_tool_count is evaluated before the attempted call (recommended) and show one concrete check-context example. Without that, implementers can enforce one extra or one fewer call.

✍️ Suggested doc tweak

-The `expiration` condition grants access for a fixed duration from the grant time. The `max_call_count` condition limits how many times the tool can be called. When writing the tuple, you provide the condition parameters:
+The `expiration` condition grants access for a fixed duration from the grant time.  
+The `max_call_count` condition limits how many times the tool can be called.
+Evaluate `current_tool_count` **before** the attempted call (0-based).
+When writing the tuple, you provide the condition parameters:
@@
-When checking access, pass the current time or current call count in the request context.
+When checking access, pass the current time or current call count in the request context.  
+Example for call count: `{"current_tool_count": 1}` with `max_tool_calls: 2` still allows the second call.

Also applies to: 224-234

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/content/modeling/agents/task-based-authorization.mdx` around lines 187 -
210, Update the docs around the max_call_count condition to clarify boundary
semantics: explicitly state that current_tool_count is evaluated before the
attempted call (so the condition current_tool_count < max_tool_calls allows
another call when the current count is strictly less than the limit), and add a
concrete example showing values before and after a call (e.g., max_tool_calls=3,
current_tool_count=2 permits the call; after the call current_tool_count becomes
3 and subsequent calls are denied). Reference the condition name max_call_count
and the parameters max_tool_calls and current_tool_count so readers can find and
update the explanation and add the single concrete check-context example in the
same section.

🧹 Nitpick comments (1)

docs/content/modeling/agents/task-based-authorization.mdx (1)

319-319: Split the first “Further reading” bullet for scanability.

This line is dense with three resources in one bullet; splitting into a primary link plus sub-links will improve readability.

✍️ Suggested formatting

-- [From Scopes To Intent: Reimagining Authorization for Autonomous Agents](https://mcpdevsummitna26.sched.com/event/2Hbg0/from-scopes-to-intent-reimagining-authorization-for-autonomous-agents-andres-aguiar-abhishek-hingnikar-okta), MCP Dev Summit NY 2026 [code repository](https://github.com/aaguiarz/ibac-talk-demo) and [demo](https://www.youtube.com/watch?v=IVIvtusd7LA)
+- [From Scopes To Intent: Reimagining Authorization for Autonomous Agents](https://mcpdevsummitna26.sched.com/event/2Hbg0/from-scopes-to-intent-reimagining-authorization-for-autonomous-agents-andres-aguiar-abhishek-hingnikar-okta) — MCP Dev Summit NY 2026
+  - [Code repository](https://github.com/aaguiarz/ibac-talk-demo)
+  - [Demo](https://www.youtube.com/watch?v=IVIvtusd7LA)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/content/modeling/agents/task-based-authorization.mdx` at line 319,
Replace the single dense "Further reading" bullet that contains the "From Scopes
To Intent: Reimagining Authorization for Autonomous Agents" entry with a primary
bullet linking to the talk (use the existing title link as the main item) and
two nested sub-bullets that separately link to the code repository and the
demo/video; locate the line containing the full combined entry ("From Scopes To
Intent: Reimagining Authorization for Autonomous Agents...") and split it into
one top-level bullet for the talk and two indented bullets for "[code
repository](https://github.com/aaguiarz/ibac-talk-demo)" and
"[demo](https://www.youtube.com/watch?v=IVIvtusd7LA)" to improve scanability.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@docs/content/modeling/agents/task-based-authorization.mdx`:
- Around line 187-210: Update the docs around the max_call_count condition to
clarify boundary semantics: explicitly state that current_tool_count is
evaluated before the attempted call (so the condition current_tool_count <
max_tool_calls allows another call when the current count is strictly less than
the limit), and add a concrete example showing values before and after a call
(e.g., max_tool_calls=3, current_tool_count=2 permits the call; after the call
current_tool_count becomes 3 and subsequent calls are denied). Reference the
condition name max_call_count and the parameters max_tool_calls and
current_tool_count so readers can find and update the explanation and add the
single concrete check-context example in the same section.

---

Nitpick comments:
In `@docs/content/modeling/agents/task-based-authorization.mdx`:
- Line 319: Replace the single dense "Further reading" bullet that contains the
"From Scopes To Intent: Reimagining Authorization for Autonomous Agents" entry
with a primary bullet linking to the talk (use the existing title link as the
main item) and two nested sub-bullets that separately link to the code
repository and the demo/video; locate the line containing the full combined
entry ("From Scopes To Intent: Reimagining Authorization for Autonomous
Agents...") and split it into one top-level bullet for the talk and two indented
bullets for "[code repository](https://github.com/aaguiarz/ibac-talk-demo)" and
"[demo](https://www.youtube.com/watch?v=IVIvtusd7LA)" to improve scanability.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 20a64444-7f97-49eb-ac48-4f5599cc46e5

📥 Commits

Reviewing files that changed from the base of the PR and between 3d5721d and de39fce.

📒 Files selected for processing (1)

• docs/content/modeling/agents/task-based-authorization.mdx