Skip to content

[EVO-2035] RBAC: object-level agent access + escopo do agent-bot#20

Merged
gomessguii merged 4 commits into
developfrom
danilocarneiro/evo-2035-epico-auditoria-e-correcao-de-rbac-com-cobertura-seguranca-e
Jul 8, 2026
Merged

[EVO-2035] RBAC: object-level agent access + escopo do agent-bot#20
gomessguii merged 4 commits into
developfrom
danilocarneiro/evo-2035-epico-auditoria-e-correcao-de-rbac-com-cobertura-seguranca-e

Conversation

@daniloleonecarneiro

Copy link
Copy Markdown
Contributor

Parte processor (FastAPI) do épico [EVO-2035] de auditoria e correção de RBAC.

Sub-issue nesta branch

  • EVO-2027 — implementa verify_agent_access (era stub return True): sem user_context → fail-closed 403; credencial de agent-bot só acessa o próprio agente; usuário regular mantém o pool single-tenant com folder-share sinalizado. Os 10 call sites de session_routes passam o contexto. is_agent_bot deixa de ser bypass irrestrito de RBAC — só vale em paths escopados ao próprio agente.

Nota estrutural: a community é single-tenant sem coluna de owner em evo_core_agents, então o "usuário A vs agente da conta B" do AC não existe neste box; o equivalente (bot-A → agente-B) está coberto. Os 12 routers de integração já tinham RequirePermission pelo PR #19 (EVO-1956).

Testes

test_agent_object_authz.py (13 ex.): fail-closed, bot próprio/alheio, pool, folder-share, escopo de path do bypass, e o 403 de usuário sem permissão em escrita de credencial. Suíte verde salvo 2 falhas + 1 erro de coleta pré-existentes na develop.

Danilo Leone added 2 commits July 7, 2026 12:05
…ss (EVO-2027)

Implement verify_agent_access, which was stubbed to always allow: a
missing user context now fails closed, agent-bot credentials only reach
their own agent, and regular users keep the single-tenant pool access
with folder shares flagged as shared access. All session-route call
sites pass the authenticated user context.

Agent-bot tokens also stop acting as wildcard RBAC credentials: the
permission service only honors the bot bypass on request paths scoped
to the bot's own agent (path segment or session-id suffix); any other
gated route returns 403.

The community schema has no agent owner/account column, so the
cross-tenant check reduces to these boundaries; integration routers
were already gated via RequirePermission (EVO-1956).
…2027)

The acceptance criteria ask for a credential-write-without-permission
denial; the existing coverage proved the bot scoping and the router
contract but not the regular-user 403 through validate_permission.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @daniloleonecarneiro, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

Danilo Leone added 2 commits July 8, 2026 07:41
…path scoping (EVO-2027)

The agent-bot bypass in validate_permission granted any permission on the
bot's own agent path, so a leaked runtime key could delete the agent or
read/write OAuth credentials. Confine the bypass to an explicit runtime
allowlist (agent execute, a2a execute/read/task_management, chat-session
read) and fail closed on everything else, including all integration
credential actions.

Replace the substring path-scope check with canonical segment extraction
so an agent id embedded mid-token cannot spoof scope, and make the
folder-share lookup fail closed by propagating explicit authorization
denials instead of swallowing them into a silent pool-access grant.
The chat WebSocket routes (/ws and /ws-live) authenticate inline and never
reach the HTTP RequirePermission gate, so an agent-bot key was not confined
to its own agent there. Surface the agent-bot identity from the validated
token and reject at the handshake, before any agent work, when the bot key
targets a different agent or requests a non-runtime action. The decision
reuses the shared path-scope check and runtime allowlist via a new
PermissionService.is_agent_bot_permission_allowed helper, so there is one
source of truth. Regular-user access is unchanged.
@gomessguii gomessguii merged commit 5fa07fa into develop Jul 8, 2026
4 checks passed
@gomessguii gomessguii deleted the danilocarneiro/evo-2035-epico-auditoria-e-correcao-de-rbac-com-cobertura-seguranca-e branch July 8, 2026 15:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants