feat: add redis-backed shadow mcp access API

[alx-xo]

Summary

This PR adds the Shadow MCP access management API, with request/rule persistence backed by the temporary generic Redis access-control store instead of database tables.

The public API is still Shadow MCP-specific because that is the alpha product surface, but the internal backing model is generic:

• accesscontrol.Store owns access requests and access rules
• Redis stores state by organization and resource type
• Shadow MCP is represented as resource_type = "shadow_mcp"
• rules support allow/deny disposition, project/org scope, match kind/value, display metadata, and observed evidence
• request decisions can atomically approve/deny a request and create resulting rules
• rule matching/canonicalization is shared through matchvalue

The API provides:

• list/create approval requests
• approve/deny approval requests
• list/create/update/delete access rules
• signed request-token submission for authenticated users
• audit events for request and rule mutations
• generated Goa server/client and TypeScript SDK/react-query clients

This PR also moves the risk approval endpoints onto the new access-rule store and restores the AI integrations service mount that was dropped during the stack work. It intentionally does not add access-control database tables or migrations.

Verification

• API branch: mise run test:server ./internal/aiintegrations passed, 14 tests
• API branch: mise run test:server ./internal/risk ./internal/shadowmcp -run 'TestApproveShadowMCP|TestListShadowMCPApprovals|TestRevokeShadowMCPApproval|TestAddAndListShadowMCPApprovals|TestIsShadowMCPApproved' -count=1 passed, 25 tests
• Top of stack: rg -n "shadow-mcp-allow|AddShadowMCPApproval|RemoveShadowMCPApproval|IsShadowMCPApproved|func CanonicalizeMatch\(" server/internal client/dashboard returned no matches
• Top of stack: mise run test:server ./internal/accesscontrol ./internal/access ./internal/risk ./internal/shadowmcp ./internal/hooks -count=1 passed, 458 tests
• Top of stack: mise run lint:server passed
• Top of stack: pnpm --dir client/dashboard type-check passed
• Top of stack: pnpm --dir client/dashboard exec vitest run src/components/access/ShadowMCPAccessContent.test.tsx passed, 3 tests
• Top of stack: git diff --check passed

Stack

• feat: add redis-backed shadow mcp access API #2763 Redis-backed Shadow MCP access API
• feat: enforce shadow mcp access rules #2771 Shadow MCP runtime enforcement
• feat: add shadow mcp request links #2796 blocked hook request-access links
• feat: add shadow mcp access rules dashboard #2831 dashboard access rules UI

https://linear.app/speakeasy/issue/AGE-2585/feat-add-redis-backed-shadow-mcp-access-api

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gram-docs-redirect	Ready	Preview, Comment	May 28, 2026 9:26pm

[changeset-bot]

🦋 Changeset detected

Latest commit: d1f9e60

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
server	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[cubic-dev-ai]

2 issues found across 92 files

<sub>Partial review: This PR has more than 50 files, so cubic reviewed the highest-priority files first. During the trial, paid plans get a higher file limit.
You can try an ultrareview to bypass the file limit, comment @cubic-dev-ai ultrareview. Learn more.

Fix all with cubic | Re-trigger cubic</sub>

[linear-code]

AGE-2585