Skip to content

feat(agent): use fully-qualified API scopes and centralize agent scope set#153

Merged
paullatzelsperger merged 2 commits into
eclipse-cfm:mainfrom
paullatzelsperger:feat/qualified-api-scopes
Jul 10, 2026
Merged

feat(agent): use fully-qualified API scopes and centralize agent scope set#153
paullatzelsperger merged 2 commits into
eclipse-cfm:mainfrom
paullatzelsperger:feat/qualified-api-scopes

Conversation

@paullatzelsperger

Copy link
Copy Markdown
Contributor

Summary

Replaces the short scope constants (read/write/admin, siglet-read/siglet-write) with their fully-qualified equivalents so the agents request the scopes the services actually enforce, and centralizes the agent scope set in the jwtlet activity so seeded scope mappings cannot drift from what the clients request.

Changes

  • controlplane: scopes become management-api:{read,write,admin}. Participant context lifecycle operations require management-api:admin.
  • identityhub: credential operations use resource-scoped identity-api:credentials:{read,write}; participant context create/delete still require identity-api:admin.
  • issuerservice: all operations require issuer-admin-api:admin — the token is bound to the issuer's participant context, so resource-level scopes are rejected with No participant for 'sub = ...' found.
  • siglet: scopes become siglet-mgmt-api:{read,write}.
  • jwtlet activity: introduces agentScopes, sourced directly from the API client constants. The deploy-time token-exchange verification now requests the full set, so a missing scope mapping fails fast at deploy rather than in a downstream agent.

🤖 Generated with Claude Code

paullatzelsperger and others added 2 commits July 9, 2026 15:04
…e set

Replace the short scope constants (read/write/admin, siglet-read/write) with
their fully-qualified equivalents (e.g. management-api:write,
identity-api:credentials:read, siglet-mgmt-api:read) so the agents request the
scopes the services actually enforce.

Notable behavior changes:
- identityhub credential operations use resource-scoped credentials:read/write;
  participant context create/delete still require identity-api:admin.
- issuerservice operations all require issuer-admin-api:admin, since the token
  is bound to the issuer's participant context and resource-level scopes are
  rejected with "No participant for 'sub = ...' found".
- jwtlet's token-exchange verification now requests the full agentScopes set,
  which is sourced from the API clients so the seeded scope mappings cannot
  drift from what the agents request; a missing mapping fails fast at deploy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds ProcessDeploy tests asserting the deploy-time verification requests a
token for exactly the full agentScopes set (space-joined), and that a failed
exchange — e.g. a scope with no seeded mapping — fails fast with a fatal error
instead of completing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@paullatzelsperger paullatzelsperger added the enhancement New feature or request label Jul 9, 2026
@paullatzelsperger paullatzelsperger merged commit 11599b0 into eclipse-cfm:main Jul 10, 2026
3 checks passed
@paullatzelsperger paullatzelsperger deleted the feat/qualified-api-scopes branch July 10, 2026 05:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants