vvzvlad/gitmost
1
0
Fork 0
Code Issues 14 Pull Requests 12 Packages Projects Releases Activity

fix(provenance): address #143 re-review — shared resolver + decoupled badge

Browse Source 
Architecture & design:
- Arch A: introduce resolveProvenance() as the single source of truth for
  deriving a write's actor/aiChatId from the SIGNED identity, and wire it into
  BOTH transport seams — the REST jwt.strategy and the collab
  authentication.extension. Previously the collab seam derived actor from the
  token claim alone and ignored user.isAgent, so a flagged service account's
  page-content edits over the websocket persisted as lastUpdatedSource='user',
  drifting from REST. The seams now share one resolver and can't diverge.
- Arch B: drop AiAgentBadge's page-history coupling. The generic ui/ badge no
  longer imports historyAtoms; it exposes an onActivate callback fired after the
  deep-link, and the history row passes onActivate to close its own modal.

Suggestions/warnings:
- S1: soften the jwt.strategy provenance comment (applies to every REST write).
- S2/suggestion-3: drop the redundant comment-list-item null-aiChatId test
  (covered by ai-agent-badge.test.tsx).
- S3: de-duplicate jwt.strategy.spec test #3 (the no-claim→'user' half
  duplicated test #2); keep only the signed actor='agent' claim assertion.
- W2: add keyboard-activation tests for the badge (Enter/Space, unrelated key).
- W3: flip the design doc status to "реализовано (#143)".

Tests:
- new auth-provenance.decorator.spec.ts unit-tests resolveProvenance +
  agentSourceFields.
- new collab-seam test: is_agent user with no claim → actor='agent'
  (Arch A regression guard).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
claude code agent 227
2026-06-24 00:27:03 +03:00
parent 1d54f8ed1c
commit 7705d44fc6
11 changed files with 239 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
apps/server/src/core/auth/strategies/jwt.strategy.spec.ts
View File

@@ -77,31 +77,20 @@ describe('JwtStrategy — provenance derivation', () => {
expect(req.raw.aiChatId).toBeNull();
});
it("does NOT let an 'actor' claim escalate a non-agent user beyond the existing claim semantics", async () => {
// A non-agent user. The only way the token carries actor='agent' is the
// internal AI-chat's server-minted token (the claim cannot be set by a
// client on a plain login). We assert the derivation falls back to the
// claim ONLY when is_agent is false — i.e. an is_agent=false user is never
// forced to 'agent' by anything other than that signed claim, and a plain
// user (no claim) stays 'user'.
it("honors a SIGNED actor='agent' claim on a non-agent user's token (the internal AI-chat path)", async () => {
// A non-agent user (the plain no-claim → 'user' case is covered above). A
// token that DOES carry actor='agent' resolves to 'agent' — BY DESIGN: that
// claim can only exist on a SERVER-MINTED provenance token (the internal AI
// chat), never on a plain login token, because the token is signed with the
// app secret. The guarantee is that a client cannot FORGE this signed claim,
// not that the strategy ignores it. (A plain user still cannot obtain
// 'agent' — they have no way to get such a token.)
const { strategy } = makeStrategy({
id: 'user-1',
isAgent: false,
deactivatedAt: null,
deletedAt: null,
});
const req = makeReq();
// No actor claim (the plain-user login case): stays 'user'.
await strategy.validate(req, accessPayload() as any);
expect(req.raw.actor).toBe('user');
// A token that DOES carry actor='agent' resolves to 'agent' — BY DESIGN:
// that claim can only exist on a SERVER-MINTED provenance token (the internal
// AI chat), never on a plain login token, because the token is signed with
// the app secret. The security guarantee is that a client cannot forge this
// signed claim, NOT that the strategy ignores it. (A plain user therefore
// still cannot obtain 'agent' — they have no way to get such a token.)
const req2 = makeReq();
await strategy.validate(req2, accessPayload({ actor: 'agent', aiChatId: 'chat-1' }) as any);
expect(req2.raw.actor).toBe('agent');

21
apps/server/src/core/auth/strategies/jwt.strategy.ts
View File

@@ -10,6 +10,7 @@ import { SessionActivityService } from '../../session/session-activity.service';
import { FastifyRequest } from 'fastify';
import { extractBearerTokenFromHeader, isUserDisabled } from '../../../common/helpers';
import { ModuleRef } from '@nestjs/core';
import { resolveProvenance } from '../../../common/decorators/auth-provenance.decorator';
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
@@ -72,18 +73,14 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
}
// Propagate the agent-edit provenance onto the request so REST
// services/controllers can set the 'agent' marker off it. Provenance is
// derived from the SIGNED server-side identity, never from a client body
// field, so a normal user cannot fake an 'agent' badge:
// - An account flagged is_agent (an MCP service account) stamps EVERY write
// as 'agent'. It has no internal ai_chats row, so aiChatId stays null.
// - Otherwise fall back to the actor claim minted into the internal AI
// agent's token (actor='agent' + aiChatId); a normal user token carries
// no claim and resolves to 'user' (unchanged behaviour).
req.raw.actor = user.isAgent
? 'agent'
: ((payload as JwtPayload).actor ?? 'user');
req.raw.aiChatId = (payload as JwtPayload).aiChatId ?? null;
// services/controllers can set the 'agent' marker off it. Derived from the
// SIGNED server-side identity via the shared resolver (also used by the
// collab seam, so the two never drift), never from a client body field — so
// an is_agent service account stamps every REST write made with an access
// token, and a normal user cannot fake an 'agent' badge.
const provenance = resolveProvenance(user, payload as JwtPayload);
req.raw.actor = provenance.actor;
req.raw.aiChatId = provenance.aiChatId;
return { user, workspace };
}