feat(agent): use fully-qualified API scopes and centralize agent scope set#153
Merged
paullatzelsperger merged 2 commits intoJul 10, 2026
Conversation
…e set Replace the short scope constants (read/write/admin, siglet-read/write) with their fully-qualified equivalents (e.g. management-api:write, identity-api:credentials:read, siglet-mgmt-api:read) so the agents request the scopes the services actually enforce. Notable behavior changes: - identityhub credential operations use resource-scoped credentials:read/write; participant context create/delete still require identity-api:admin. - issuerservice operations all require issuer-admin-api:admin, since the token is bound to the issuer's participant context and resource-level scopes are rejected with "No participant for 'sub = ...' found". - jwtlet's token-exchange verification now requests the full agentScopes set, which is sourced from the API clients so the seeded scope mappings cannot drift from what the agents request; a missing mapping fails fast at deploy. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds ProcessDeploy tests asserting the deploy-time verification requests a token for exactly the full agentScopes set (space-joined), and that a failed exchange — e.g. a scope with no seeded mapping — fails fast with a fatal error instead of completing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
wolf4ood
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the short scope constants (
read/write/admin,siglet-read/siglet-write) with their fully-qualified equivalents so the agents request the scopes the services actually enforce, and centralizes the agent scope set in the jwtlet activity so seeded scope mappings cannot drift from what the clients request.Changes
management-api:{read,write,admin}. Participant context lifecycle operations requiremanagement-api:admin.identity-api:credentials:{read,write}; participant context create/delete still requireidentity-api:admin.issuer-admin-api:admin— the token is bound to the issuer's participant context, so resource-level scopes are rejected withNo participant for 'sub = ...' found.siglet-mgmt-api:{read,write}.agentScopes, sourced directly from the API client constants. The deploy-time token-exchange verification now requests the full set, so a missing scope mapping fails fast at deploy rather than in a downstream agent.🤖 Generated with Claude Code