From 06cea1ce0f12dd18ec411d3513f7e2feebb02ba6 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Sat, 9 May 2026 23:51:16 +0000
Subject: [PATCH] auth-bundle-1 Phase 12 follow-up: in-tree TODO for path-12 deferral
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Self-audit on cbb47aa flagged that the negative-path-#12 deferral (scope_id for nonexistent resource → 404) was acknowledged in the commit message but not in the source. A future operator scanning internal/repository/postgres/auth.go would not learn about the gap. Adds an explicit TODO(bundle-2) comment next to RoleRepository.AddPermission documenting: - what's missing today (no FK between role_permissions.scope_id and the resource tables); - why the gate still works at request time (no rows match the bogus scope so EffectivePermissions returns empty); - the cleaner end-state (HTTP 404 at grant time); - what's required to land it (migration confirming existing rows reference real resources); - the cross-reference to cowork/auth-bundle-1-prompt.md path #12. Cosmetic, single-file change. No test churn.
---
 internal/repository/postgres/auth.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/internal/repository/postgres/auth.go b/internal/repository/postgres/auth.go
index ff04e88..7ef5090 100644
--- a/internal/repository/postgres/auth.go
+++ b/internal/repository/postgres/auth.go
@@ -217,6 +217,17 @@ func (r *RoleRepository) ListPermissions(ctx context.Context, roleID string) ([]
 }

 func (r *RoleRepository) AddPermission(ctx context.Context, g *authdomain.RolePermission) error {
+ // TODO(bundle-2): Bundle 1 Phase 12 deferral — scope_id is NOT
+ // currently FK-constrained against the resource tables
+ // (certificate_profiles, issuers). This means an operator can
+ // grant a permission at scope_type=profile / scope_id=p-bogus
+ // without the bogus profile existing; the gate still works
+ // (no permission rows match the bogus scope at request time)
+ // but a strict 404 on grant would be cleaner. Adding the FK
+ // requires a migration that confirms every existing
+ // role_permissions row references a real resource and is
+ // tracked as Bundle 2 work. See
+ // cowork/auth-bundle-1-prompt.md negative-test path #12.
 var scopeID interface{}
 if g.ScopeID != nil {
 scopeID = *g.ScopeID
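Review bot: The TODO added at the top of AddPermission presents the missing foreign key as a cleanliness issue, but its claim that "the gate still works" holds only while no resource with that scope_id exists. Without the FK, a grant on a nonexistent profile or issuer stays in role_permissions and would start matching if a resource with the same ID is created later; whether IDs are operator-chosen or reusable, and whether deleting a resource removes its grants, is not visible in this hunk and should be confirmed. I would add that caveat to the comment, for example `// NOTE: an orphaned grant becomes effective if a resource with this scope_id is created later;` followed by `// until the FK lands, audit role_permissions for scope_ids with no matching resource.` AddPermission's body continues past the end of the hunk, so any existing validation of g.ScopeID further down cannot be seen from here.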