[EVO-2035] RBAC: object-level agent access + escopo do agent-bot#20
Merged
gomessguii merged 4 commits intoJul 8, 2026
Conversation
added 2 commits
July 7, 2026 12:05
…ss (EVO-2027) Implement verify_agent_access, which was stubbed to always allow: a missing user context now fails closed, agent-bot credentials only reach their own agent, and regular users keep the single-tenant pool access with folder shares flagged as shared access. All session-route call sites pass the authenticated user context. Agent-bot tokens also stop acting as wildcard RBAC credentials: the permission service only honors the bot bypass on request paths scoped to the bot's own agent (path segment or session-id suffix); any other gated route returns 403. The community schema has no agent owner/account column, so the cross-tenant check reduces to these boundaries; integration routers were already gated via RequirePermission (EVO-1956).
…2027) The acceptance criteria ask for a credential-write-without-permission denial; the existing coverage proved the bot scoping and the router contract but not the regular-user 403 through validate_permission.
There was a problem hiding this comment.
Sorry @daniloleonecarneiro, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
added 2 commits
July 8, 2026 07:41
…path scoping (EVO-2027) The agent-bot bypass in validate_permission granted any permission on the bot's own agent path, so a leaked runtime key could delete the agent or read/write OAuth credentials. Confine the bypass to an explicit runtime allowlist (agent execute, a2a execute/read/task_management, chat-session read) and fail closed on everything else, including all integration credential actions. Replace the substring path-scope check with canonical segment extraction so an agent id embedded mid-token cannot spoof scope, and make the folder-share lookup fail closed by propagating explicit authorization denials instead of swallowing them into a silent pool-access grant.
The chat WebSocket routes (/ws and /ws-live) authenticate inline and never reach the HTTP RequirePermission gate, so an agent-bot key was not confined to its own agent there. Surface the agent-bot identity from the validated token and reject at the handshake, before any agent work, when the bot key targets a different agent or requests a non-runtime action. The decision reuses the shared path-scope check and runtime allowlist via a new PermissionService.is_agent_bot_permission_allowed helper, so there is one source of truth. Regular-user access is unchanged.
gomessguii
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Parte processor (FastAPI) do épico [EVO-2035] de auditoria e correção de RBAC.
Sub-issue nesta branch
verify_agent_access(era stubreturn True): semuser_context→ fail-closed 403; credencial de agent-bot só acessa o próprio agente; usuário regular mantém o pool single-tenant com folder-share sinalizado. Os 10 call sites desession_routespassam o contexto.is_agent_botdeixa de ser bypass irrestrito de RBAC — só vale em paths escopados ao próprio agente.Nota estrutural: a community é single-tenant sem coluna de owner em
evo_core_agents, então o "usuário A vs agente da conta B" do AC não existe neste box; o equivalente (bot-A → agente-B) está coberto. Os 12 routers de integração já tinhamRequirePermissionpelo PR #19 (EVO-1956).Testes
test_agent_object_authz.py(13 ex.): fail-closed, bot próprio/alheio, pool, folder-share, escopo de path do bypass, e o 403 de usuário sem permissão em escrita de credencial. Suíte verde salvo 2 falhas + 1 erro de coleta pré-existentes nadevelop.