Merged
57 commits
207b605
docs: add revised Phase 7 SCIM provisioning design and implementation…
scarson Mar 19, 2026
313ef53
docs: add subagent-readiness hardening to SCIM implementation plan
scarson Mar 19, 2026
3ec8544
docs: mark original Phase 7 SCIM plans as superseded
scarson Mar 19, 2026
c92db1f
migration(042): add org_members.deactivated_at + scim_exempt columns
scarson Mar 19, 2026
8783d6f
migration(043): add group_members.scim_managed column
scarson Mar 19, 2026
780034c
migration(044): create scim_configs table with RLS
scarson Mar 19, 2026
768b37a
migration(045): create scim_groups + scim_group_members with RLS
scarson Mar 19, 2026
dea4592
feat(secure): add SCIM security event type constants
scarson Mar 19, 2026
fd73d55
feat: add SCIM context key and rate limit config
scarson Mar 19, 2026
b7cbfe5
sqlc: regenerate after SCIM migrations (000042-000045)
scarson Mar 19, 2026
e50b09a
Merge branch 'dev' into worktree-agent-a8214c1e
scarson Mar 19, 2026
ca7789c
sqlc: add deactivation and active member count queries
scarson Mar 19, 2026
e85fcdb
feat(store): org member deactivation + count methods
scarson Mar 19, 2026
71c253d
sqlc: add SCIM config migration and queries
scarson Mar 19, 2026
c58afa3
feat(store): SCIM config CRUD with RLS + bypass-tx token lookup
scarson Mar 19, 2026
0e21d8b
migration(042-045): SCIM prerequisite tables (deactivation, scim_mana…
scarson Mar 19, 2026
c2983d1
sqlc: add SCIM group and membership queries
scarson Mar 19, 2026
3010a34
feat(store): SCIM group and membership methods with RLS
scarson Mar 19, 2026
373b977
Merge branch 'worktree-agent-aa608d34' into dev
scarson Mar 19, 2026
17cf79b
Merge branch 'worktree-agent-a2010b46' into dev
scarson Mar 19, 2026
1b7a0d0
feat(auth): SCIM bearer token generation + hashing
scarson Mar 19, 2026
370855e
Merge remote-tracking branch 'origin/dev' into worktree-agent-a8c57462
scarson Mar 19, 2026
97f4a4d
Merge branch 'refs/heads/dev' into worktree-agent-a8c57462
scarson Mar 19, 2026
9fcb75d
feat(api): deactivated org members get 403 in RequireOrgRole
scarson Mar 19, 2026
7460f45
feat(api): SCIM 2.0 response types, error helper, filter parser
scarson Mar 19, 2026
275e5da
feat(api): SCIM role recomputation from group mappings
scarson Mar 19, 2026
d7e4774
feat(api): member PATCH supports active + scim_exempt fields
scarson Mar 19, 2026
d9122cc
feat(store): SCIM config migration, sqlc queries, store methods, and …
scarson Mar 19, 2026
217a5b0
feat(api): SCIM bearer token auth middleware with security events
scarson Mar 19, 2026
994260c
feat(api): notification group sync from SCIM group mappings
scarson Mar 19, 2026
7260e8e
feat(api): block SSO delete when SCIM config exists (409)
scarson Mar 19, 2026
3c1a2aa
feat(api): dedicated SCIM rate limiter (configurable per org)
scarson Mar 19, 2026
c6fdd02
Merge branch 'worktree-agent-a264db9f' into dev
scarson Mar 19, 2026
4549308
Merge branch 'worktree-agent-ac5dbd9c' into dev
scarson Mar 19, 2026
5c1e0e8
fix: remove duplicate writeSCIMError from middleware_scim.go
scarson Mar 19, 2026
40a8799
docs: review and refine fixture corpus plan for subagent-readiness
scarson Mar 19, 2026
6e1fd05
feat(api): SCIM group handlers (create, get, list, put, patch, delete)
scarson Mar 19, 2026
cd7d50a
feat(api): SCIM user handlers (create, get, list, put, patch, delete)
scarson Mar 19, 2026
bcab5b8
feat(api): SCIM config admin endpoints + group mapping with immediate…
scarson Mar 19, 2026
c48cfea
Merge branch 'worktree-agent-a36efd1b' into dev
scarson Mar 19, 2026
6febfda
Merge branch 'worktree-agent-a08b220e' into dev
scarson Mar 19, 2026
89dd4af
feat(api): mount SCIM User routes + discovery endpoints
scarson Mar 19, 2026
7cb5651
Merge remote-tracking branch 'origin/dev' into worktree-agent-af3062bf
scarson Mar 19, 2026
b04ac2a
Merge branch 'dev' into worktree-agent-af3062bf
scarson Mar 19, 2026
1c60619
feat(scim): complete audit logging + security event verification
scarson Mar 19, 2026
a426d4d
feat(scim): add missing security event emissions to user handlers
scarson Mar 19, 2026
103834b
Merge branch 'worktree-agent-af3062bf' into dev
scarson Mar 19, 2026
474da40
test(scim): end-to-end SCIM provisioning integration tests
scarson Mar 19, 2026
075d13e
fix: unused parameter lint warnings in SCIM discovery handlers
scarson Mar 19, 2026
8e68fe4
docs: add autonomous decisions appendix to SCIM implementation plan
scarson Mar 19, 2026
c24012b
fix(scim): harden Phase 7 SCIM after security/pitfall/plan review
scarson Mar 20, 2026
68afd8c
refactor(scim): remove redundant manual orgID checks
scarson Mar 20, 2026
d70048a
refactor(store): add orgID to GetGroupIfActive for defense-in-depth
scarson Mar 20, 2026
dc73545
docs: add MSRC adapter CSAF fix + Phase 10 completion plan
scarson Mar 20, 2026
09d9068
fix(store): add org_id constraint to SCIM-managed group member methods
scarson Mar 20, 2026
3f074cb
Merge pull request #56 (fix(scim): harden Phase 7 SCIM after security…
scarson Mar 20, 2026
af1b49b
docs: add autonomous decision appendix to MSRC CSAF fix plan
scarson Mar 20, 2026
2 changes: 2 additions & 0 deletions dev/plans/2026-03-01-phase7-scim-provisioning-design.md
Expand Up @@ -6,6 +6,8 @@
**Depends on:** Phase 5D (Generic OIDC — `sso_connections` table, tier gating, audit log)
**Library:** `marcelom97/scimgateway` v1.0.0 (MIT, embeddable `http.Handler`, slog integration)

**For Claude:** CRITICAL NOTE (2026-03-19): This design was never implemented and is maintained for historical reference only. It's superseded by dev\plans\2026-03-19-phase7-scim-provisioning-design-v2.md and dev\plans\2026-03-19-phase7-scim-implementation-plan-v2.md.

## Scope Decisions

| Item | Decision |
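Review bot: The superseded-by pointers in the added "CRITICAL NOTE" line are written with Windows-style backslashes (`dev\plans\2026-03-19-phase7-scim-provisioning-design-v2.md`), while the repository paths in this PR's file headers use forward slashes (`dev/plans/...`). Write both paths with forward slashes, ideally as relative Markdown links, so they resolve in the rendered view and on any platform. The notice also applies to every reader of a design that still names a library and version, not only to an agent, so consider dropping the "For Claude:" prefix or rewording it as a general "Superseded" banner.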
2 changes: 1 addition & 1 deletion dev/plans/2026-03-02-phase7-scim-implementation-plan.md
@@ -1,6 +1,6 @@
# Phase 7: SCIM 2.0 Provisioning — Implementation Plan

> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
**For Claude:** CRITICAL NOTE (2026-03-19): This design was never implemented and is maintained for historical reference only. It's superseded by dev\plans\2026-03-19-phase7-scim-provisioning-design-v2.md and dev\plans\2026-03-19-phase7-scim-implementation-plan-v2.md.

**Goal:** Implement SCIM 2.0 user and group provisioning so enterprise IdPs (Microsoft Entra ID, Okta) can automatically manage CVErt Ops org membership, roles, and notification groups.
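Review bot: The replacement for the "REQUIRED SUB-SKILL" line drops the leading `> ` blockquote marker the old line had, so the notice no longer renders as a callout and runs into the surrounding body text. It also says "This design was never implemented" although this file is the implementation plan, so "This plan" would be accurate here. Suggest keeping the `> ` prefix, changing the wording, and writing the two superseding paths with forward slashes (`dev/plans/...`) to match the repository layout.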

229 changes: 193 additions & 36 deletions dev/plans/2026-03-15-phase10-test-fixture-corpus-plan.md

Large diffs are not rendered by default.
