Skip to content

Adopt Workstream authorization service baseline#93

Merged
abiorh-claw merged 21 commits into
mainfrom
codex/ws-auth-001-01-adopt-authorization-baseline
Jul 11, 2026
Merged

Adopt Workstream authorization service baseline#93
abiorh-claw merged 21 commits into
mainfrom
codex/ws-auth-001-01-adopt-authorization-baseline

Conversation

@Abiorh001

@Abiorh001 Abiorh001 commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

PR Trust Bundle: WS-AUTH-001-01

Chunk

WS-AUTH-001-01 - Adopt Authorization Baseline And Repository Contracts

Goal

Make the adopted authorization model, canonical /api/v1 namespace,
superseded bootstrap behavior, recovery permissions, and implementation order
unambiguous before application code changes.

Human-Approved Intent

The user explicitly approved D4-D10 and started only WS-AUTH-001-01 on
2026-07-11. No later auth or policy chunk is activated.

What Changed And Why

  • Added ADR 0012, a canonical authorization spec, and an operations runbook.
  • Reconciled active docs and diagrams so token roles and typed profiles are not
    product authority; local grants and guards are canonical.
  • Added a fail-closed scanner, independent regression tests, Agent Gates step,
    and bounded rendering command to prevent documentation drift.
  • Recorded PR Add post-submit policy approval APIs #90 as independently owned while preserving its approved
    correction/activation contract in shared docs.

Design Chosen

External Flow identity verifies authentication facts. Workstream resolves
canonical actors and evaluates system/exact-project grants, registered
permissions, resource/lifecycle guards, revocation, idempotency, invalidation,
and append-only evidence. The scanner rejects authority-shaped token/profile
wording uniformly instead of trying to interpret English negation.

Alternatives Rejected

  • Workstream-owned login/session flows: violates the external auth boundary.
  • Token roles or typed workflow profiles as product authority: not durable,
    scoped, or immediately revocable.
  • A second short API namespace or compatibility alias: creates contract drift.
  • Natural-language negation parsing in the scanner: adversarially ambiguous.
  • Splitting the active-doc reconciliation: leaves contradictory canonical docs.

Scope Control

The diff contains docs, loop memory, diagram sources/generated companions, one
scanner, one renderer, scanner tests, and one additive CI step. It contains no
backend/frontend runtime, schema, migration, dependency, package, or lockfile
changes. All eight imported sources, SHA256SUMS, and SOURCE_MANIFEST.md are
unchanged.

Product Behavior

No runtime behavior changes. Review decisions remain accept,
needs_revision, and reject. PR #90 correction clears unapproved output,
preserves redacted metadata, requeues derivation, and keeps activation blocked
until the current compiled policy is approved.

Acceptance Proof

  • Canonical ADR/spec/runbook and ownership policy exist.
  • Five administrative and three exact-project contributor grants are stable.
  • /api/v1 is canonical with no alias.
  • Active docs, diagrams, roadmap, and durable memory are reconciled.
  • Scanner auto-discovers tracked/untracked active docs and fails closed.
  • Imported source hashes and direct diff checks prove byte immutability.

Tests And Checks

  • 31 agent-gate regression tests passed.
  • Stale authorization and Workstream wording scans passed.
  • Markdown links passed for 44 changed Markdown files.
  • Loop-memory validation and git diff --check passed.
  • Eight archival SHA-256 checks passed.
  • Python and renderer shell syntax passed.
  • Pinned local render completed twice with stable artifact hashes.

Test Delta And CI Integrity

Existing tests were not removed, skipped, or weakened. New fixtures are
independent of production rule definitions. Agent Gates invokes the scanner
directly without continue-on-error; no existing gate or threshold changed.

Reviewer Results

All required tracks passed against implementation freeze
6756e6cb397da5f813eca39fb738633bc24f2ab2, and the administrative evidence
bundle was reviewed at final bound SHA
35152a001e0689782f5c0d59615a59a89e6e2677: senior engineering, QA/test,
security/auth, product/ops, architecture, docs, reuse/dedup, CI integrity, and
test delta. The circuit breaker accepted the documented atomic-docs size
exception.

External Review

Pending PR publication, GitHub checks, CodeRabbit, and human review.

Remaining Risks And Follow-Up

  • Rendering is locally repeatable but not fully cross-host hermetic beyond the
    pinned PlantUML JAR.
  • The externally requested "authorization implementation until auth proof"
    contract phrase remains an acknowledged low wording risk.
  • Production issuer inputs and runtime authorization remain owned by later
    bounded chunks.
  • WS-AUTH-001-02 and WS-POL-002-04 remain inactive.

Human Review Focus

Confirm authority precedence, stable grant/permission names, /api/v1,
recovery boundaries, PR #90 interaction, and that no runtime/review/compensation
behavior was adopted accidentally.

Human Merge Ownership

Only the user may approve and merge this PR. Publication is not merge approval.

Summary by CodeRabbit

  • New Features
    • Added a canonical authorization model covering verified identities, actor profiles, grants, permissions, revocation, and resource-level checks.
    • Added operational guidance for authorization rollout, recovery, auditing, and safe token verification.
  • Documentation
    • Updated architecture, workflows, roles, permissions, lifecycle, and product guidance to reflect permission-based authorization.
    • Added ADR and reference material defining authorization boundaries and migration rules.
  • Bug Fixes
    • Added fail-closed checks to detect stale or conflicting authorization documentation.
  • Tests
    • Added regression coverage for documentation discovery, validation, and workflow enforcement.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@Abiorh001, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 20 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 99c5ce7a-b982-4d32-bc85-bf5bcc696e1a

📥 Commits

Reviewing files that changed from the base of the PR and between 5d9b362 and b5217e1.

⛔ Files ignored due to path filters (5)
  • docs/architecture_brief/images/task_lifecycle_sequence.png is excluded by !**/*.png
  • docs/architecture_brief/images/workstream_context.png is excluded by !**/*.png
  • docs/architecture_brief/workstream_architecture_brief.pdf is excluded by !**/*.pdf
  • docs/diagrams/rendered/workstream_context.svg is excluded by !**/*.svg
  • docs/diagrams/rendered/workstream_v01_container.svg is excluded by !**/*.svg
📒 Files selected for processing (71)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/INTENT.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-01-adopt-authorization-baseline.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-04-request-api-controls.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-05-authority-evidence-foundation.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-06-canonical-actor-profile.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-08-bootstrap-admin-grants.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-10-project-role-grants.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-12-project-mutation-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-13-task-assignment-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-14-submission-checker-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-01-external-review-response.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-01-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-01-pr-trust-bundle.md
  • .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md
  • .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/chunks/WS-POL-002-03-post-submit-policy-approval-visibility.md
  • README.md
  • backend/app/adapters/project_agents/openai_agent_sdk.py
  • backend/tests/test_agent_runtime.py
  • backend/tests/test_projects.py
  • docs/architecture_brief/task_lifecycle_sequence.puml
  • docs/architecture_brief/workstream_architecture_brief.md
  • docs/architecture_checker_framework.md
  • docs/architecture_data_model.md
  • docs/architecture_lifecycle_state_machine.md
  • docs/architecture_lockdown.md
  • docs/architecture_system_architecture.md
  • docs/current_system_data_flow.html
  • docs/decision_0003_project_guides_are_first_class.md
  • docs/decision_0009_review_decisions_are_canonical.md
  • docs/decision_0010_revision_context_rebase.md
  • docs/decision_0011_submission_artifact_policy_drives_pre_submit.md
  • docs/decision_0012_workstream_authorization_service.md
  • docs/diagrams/task_lifecycle_sequence.md
  • docs/diagrams/workstream_context.puml
  • docs/diagrams/workstream_v01_container.puml
  • docs/glossary.md
  • docs/operations_operator_workflow.md
  • docs/operations_payment_reputation.md
  • docs/operations_project_operating_manual.md
  • docs/operations_queue_policy.md
  • docs/operations_reviewer_workflow.md
  • docs/operations_revision_replay.md
  • docs/operations_roles_permissions.md
  • docs/operations_subagent_review_protocol.md
  • docs/principles.md
  • docs/product_brief.md
  • docs/product_first_user_flows.md
  • docs/product_principles.md
  • docs/risk_register.md
  • docs/roadmap_implementation_backlog.md
  • docs/roadmap_status.md
  • docs/roles_permissions.md
  • docs/spec_authorization_service.md
  • docs/template_checker_policy.md
  • docs/template_preflight_evidence.md
  • docs/template_prior_feedback_checklist.md
  • docs/template_project_guide.md
  • docs/template_review_packet.md
  • docs/template_revision_replay.md
  • docs/template_submission_artifact_policy.md
  • docs/template_submission_packet.md
  • docs/template_task_status.md
  • scripts/check_stale_authorization_docs.py
  • scripts/test_agent_gates.py
📝 Walkthrough

Walkthrough

The PR establishes WS-AUTH-001’s authorization baseline through ADRs, specifications, architecture and operations documentation, workflow governance updates, fail-closed stale-document scanning, rendering checks, and review evidence. No runtime authorization implementation is added.

Changes

Authorization baseline and governance

Layer / File(s) Summary
Workstream governance and status
.agent-loop/...
WS-AUTH-001-01 is active, WS-POL-002-03 is tracked under external review, and later chunks require explicit gates.
Authorization contract and evidence
.agent-loop/initiatives/.../chunks/*, .agent-loop/initiatives/.../reviews/*
Documentation scope, acceptance criteria, verification commands, review results, and trust-bundle evidence are defined.
Canonical authorization model
docs/decision_0012_workstream_authorization_service.md, docs/spec_authorization_service.md, docs/architecture_*
Actor profiles, identity links, grants, permissions, authorization guards, revocation, bootstrap, and audit evidence are documented.
Operations and workflow rules
docs/operations_*, docs/template_*, docs/product_*
Operational rollout, recovery, checker failures, role matrices, project setup, and permission-scoped product flows are updated.
Validation and rendering gates
scripts/*, .github/workflows/agent-gates.yml
A fail-closed stale-authorization scanner, pinned documentation renderer, workflow step, and regression tests are added.

Estimated code review effort: 4 (Complex) | ~60 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: introducing the Workstream authorization service baseline.
Description check ✅ Passed The description covers the required sections and key details, with only minor template-format differences and missing command/result blocks.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/ws-auth-001-01-adopt-authorization-baseline

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 14

🧹 Nitpick comments (1)
docs/diagrams/workstream_context.puml (1)

33-48: 🔒 Security & Privacy | 🔵 Trivial

Cover PlantUML diagrams with stale-authorization validation.

check_stale_authorization_docs.py scans .md and .html, so this canonical .puml document is currently outside the gate. Extend the scanner or add a dedicated diagram check to prevent stale authorization claims from regressing here without CI detection.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/diagrams/workstream_context.puml` around lines 33 - 48, Extend
check_stale_authorization_docs.py to scan PlantUML files, including the
canonical workstream_context.puml document, and apply the existing
stale-authorization validation to their contents. Ensure the CI gate detects
regressions in authorization claims within .puml files while preserving current
Markdown and HTML scanning.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
@.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-01-pr-trust-bundle.md:
- Around line 95-97: Update the External Review status to mark PR publication as
complete now that PR `#93` exists, while retaining GitHub checks, CodeRabbit, and
human review as pending. Preserve the historical publication information if
needed, but remove the stale “Pending PR publication” wording.

In @.agent-loop/REVIEW_LOG.md:
- Around line 3-5: Update the WS-AUTH-001-01 status entry to reflect that PR
publication is complete, with only external or human review remaining pending.
Alternatively, mark it explicitly as historical implementation-freeze status; do
not leave the publication state as pending.

In @.agent-loop/WORK_QUEUE.md:
- Around line 5-13: Update the WORK_QUEUE.md entry for WS-POL-002-03 so an
implemented chunk in external review is not listed under “Planned Next.” Move it
to an explicit parallel/external-review section, or revise the heading
semantics, while preserving its current title, risk, and status.

In `@docs/architecture_data_model.md`:
- Around line 1461-1464: Update the AuditEvent field documentation for
claim_snapshot and actor_roles to mark them as legacy-only and explicitly
prohibit populating them for authority events. Clarify that new authority-event
records must use only the bounded actor and authorization fields described here,
without raw claims or unnecessary profile data.
- Around line 71-75: Update the ActorIdentityLink documentation to explicitly
require uniqueness of each (issuer, subject) pair and enforce that each
ActorProfile has at most one active identity link in v0.1. State both invariants
as enforceable constraints, while preserving the existing revoked-link and
immutable provenance behavior.
- Around line 454-456: Align the policy example’s approval provenance keys with
the declared fields: update the example to use approved_by_role and
approved_by_actor, or consistently rename the declared fields and canonical
schema to the existing ID-based keys. Ensure the field list, schema, and example
use one identical representation without losing approval provenance.

In `@docs/diagrams/task_lifecycle_sequence.md`:
- Around line 21-26: Update the task lifecycle sequence flows around
AuthorizationContext resolution to show AuthorizationService.require(...),
candidate-grant evaluation, and the applicable resource/lifecycle guards before
each state-changing project, task, claim, or review operation; alternatively
label AuthorizationContext explicitly as a precondition rather than
authorization. Apply the same correction to the referenced flow sections.

In `@docs/diagrams/workstream_context.puml`:
- Line 48: Update the label on the workstream-to-flow_auth relationship to use
the canonical wording “verifies externally issued Flow tokens” instead of
“verifies identity tokens,” without changing the relationship itself.

In `@docs/glossary.md`:
- Around line 141-144: Update the glossary definition for the permission-scoped
projection of a task’s locked guide and policy provenance to include Audit
alongside Project Manager and Operator, matching the authorized roles documented
for locked-context.

In `@docs/operations_operator_workflow.md`:
- Line 46: Update step 7 in the operator workflow to explicitly list all three
failure paths: apply covered repair for eligible issues, use registered Operator
retry for infrastructure or setup failures, and route worker-fixable blockers to
NEEDS_REVISION. Preserve the existing daily-loop requirement so no checker
failure is omitted.

In `@docs/operations_roles_permissions.md`:
- Around line 45-64: Update the Capability Matrix to define Both as the union of
Submitter and Reviewer capabilities, either by adding a Both column or an
explicit inheritance rule. Preserve the existing self-review and lifecycle
guards when documenting the combined grant’s allowed actions.

In `@docs/product_brief.md`:
- Around line 60-64: Align the persona definitions in docs/product_brief.md so
Operator consistently means runtime-health inspection and registered recovery,
not task creation or evidence submission. Rename the earlier task/evidence
persona or split it from Project Manager and Operator, preserving the separate
authority boundaries and matching the contributor-versus-administrative
distinction in operations_roles_permissions.md.

In `@docs/spec_authorization_service.md`:
- Around line 80-86: Clarify the permitted scope for the system-scoped
project_manager grant in the authorization specification, explicitly defining
whether it covers all projects, represents a separate administrative capability,
or is invalid. Apply the same decision consistently in the API and guard
contracts, including the related grant-scope section, and remove any
contradictory scope language.
- Around line 91-100: Replace the persisted contributor grant name `both` with a
specific value such as `submitter_reviewer` throughout the authorization
contract. Update the related grant catalog, migration contracts, and tests
consistently, while preserving its union of submitter and reviewer capabilities
and existing lifecycle/separation-of-duties guards.

---

Nitpick comments:
In `@docs/diagrams/workstream_context.puml`:
- Around line 33-48: Extend check_stale_authorization_docs.py to scan PlantUML
files, including the canonical workstream_context.puml document, and apply the
existing stale-authorization validation to their contents. Ensure the CI gate
detects regressions in authorization claims within .puml files while preserving
current Markdown and HTML scanning.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f261bc4d-2d85-4c44-8406-4c52ab2baa92

📥 Commits

Reviewing files that changed from the base of the PR and between 14fb216 and 5d9b362.

⛔ Files ignored due to path filters (6)
  • docs/architecture_brief/images/task_lifecycle_sequence.png is excluded by !**/*.png
  • docs/architecture_brief/images/workstream_context.png is excluded by !**/*.png
  • docs/architecture_brief/images/workstream_v01_container.png is excluded by !**/*.png
  • docs/architecture_brief/workstream_architecture_brief.pdf is excluded by !**/*.pdf
  • docs/diagrams/rendered/workstream_context.svg is excluded by !**/*.svg
  • docs/diagrams/rendered/workstream_v01_container.svg is excluded by !**/*.svg
📒 Files selected for processing (54)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/INTENT.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/PLAN.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/RISKS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-01-adopt-authorization-baseline.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-12-project-mutation-cutover.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-01-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-01-pr-trust-bundle.md
  • .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md
  • .agent-loop/policies/repository-engineering-policy.md
  • .github/workflows/agent-gates.yml
  • README.md
  • docs/architecture_brief/task_lifecycle_sequence.puml
  • docs/architecture_checker_framework.md
  • docs/architecture_data_model.md
  • docs/architecture_lifecycle_state_machine.md
  • docs/architecture_lockdown.md
  • docs/architecture_system_architecture.md
  • docs/current_system_data_flow.html
  • docs/decision_0003_project_guides_are_first_class.md
  • docs/decision_0009_review_decisions_are_canonical.md
  • docs/decision_0011_submission_artifact_policy_drives_pre_submit.md
  • docs/decision_0012_workstream_authorization_service.md
  • docs/diagrams/task_lifecycle_sequence.md
  • docs/diagrams/workstream_context.puml
  • docs/diagrams/workstream_v01_container.puml
  • docs/glossary.md
  • docs/operations_authorization_service.md
  • docs/operations_operator_workflow.md
  • docs/operations_project_operating_manual.md
  • docs/operations_queue_policy.md
  • docs/operations_roles_permissions.md
  • docs/product_brief.md
  • docs/product_first_user_flows.md
  • docs/reference_specs/README.md
  • docs/risk_register.md
  • docs/roadmap_implementation_backlog.md
  • docs/roadmap_status.md
  • docs/roles_permissions.md
  • docs/spec_authorization_service.md
  • docs/spec_chunk_2_auth_actor_boundary.md
  • docs/template_checker_policy.md
  • docs/template_project_guide.md
  • docs/template_revision_replay.md
  • docs/template_submission_artifact_policy.md
  • scripts/check_stale_authorization_docs.py
  • scripts/render_authorization_docs.sh
  • scripts/test_agent_gates.py

Comment thread .agent-loop/REVIEW_LOG.md Outdated
Comment thread .agent-loop/WORK_QUEUE.md Outdated
Comment thread docs/architecture_data_model.md
Comment thread docs/architecture_data_model.md
Comment thread docs/operations_operator_workflow.md Outdated
Comment thread docs/operations_roles_permissions.md
Comment thread docs/product_brief.md
Comment thread docs/spec_authorization_service.md
Comment thread docs/spec_authorization_service.md Outdated
Comment on lines +91 to +100
### Project Contributor Grants

| Grant | Exact-project capability |
|---|---|
| `submitter` | Minimal project read, task queue read/claim, own submission create/read, own review-chain read. |
| `reviewer` | Minimal project read, review queue/claim/release/decision, submission read for review, review-chain read. |
| `both` | Union of submitter and reviewer candidates, still subject to separation-of-duties and lifecycle guards. |

`worker` describes the task participant and remains in lifecycle/audit wording.
`submitter` is the persisted authority grant.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Replace the ambiguous persisted grant name both.

both is a canonical contributor grant, but it does not identify the capabilities it unions. Rename it to an actor- or subsystem-specific value such as submitter_reviewer before locking this contract, and update the related catalog, migration contracts, and tests.

As per coding guidelines, persisted roles and lifecycle names should prefer subsystem- or actor-specific names over vague labels.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/spec_authorization_service.md` around lines 91 - 100, Replace the
persisted contributor grant name `both` with a specific value such as
`submitter_reviewer` throughout the authorization contract. Update the related
grant catalog, migration contracts, and tests consistently, while preserving its
union of submitter and reviewer capabilities and existing
lifecycle/separation-of-duties guards.

Source: Coding guidelines

Abiorh001 added 14 commits July 11, 2026 19:05
…adopt-authorization-baseline

# Conflicts:
#	.agent-loop/LOOP_STATE.md
#	.agent-loop/REVIEW_LOG.md
#	.agent-loop/WORK_QUEUE.md
#	.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md
#	.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md
#	docs/architecture_lifecycle_state_machine.md
#	docs/operations_project_operating_manual.md
#	docs/operations_queue_policy.md
#	docs/product_first_user_flows.md
…adopt-authorization-baseline

# Conflicts:
#	.agent-loop/LOOP_STATE.md
#	.agent-loop/REVIEW_LOG.md
#	.agent-loop/WORK_QUEUE.md
#	.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md
#	.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md
@abiorh-claw abiorh-claw self-requested a review July 11, 2026 20:14
@abiorh-claw abiorh-claw merged commit 772af1d into main Jul 11, 2026
3 checks passed
@abiorh-claw abiorh-claw deleted the codex/ws-auth-001-01-adopt-authorization-baseline branch July 11, 2026 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants