Merged
- Add config.toml with encrypted_keyfile backend (DevelopmentSigningBackend)
- Add verifier-config.toml with same setup, require_dpop=false for demo
- Add standalone redis service on port 6380 to docker-compose (separate from cluster)
- Update registry and verifier config.rs to load optional config file before env vars
- Improve dev.sh postgres wait logic using pg_isready instead of fixed sleep
- Add sqlx migrate run to dev.sh startup sequence

Create current month's audit partition if it doesn't exist, catching 42P07 (already exists) error. Handles date-shifted environments where base migration partitions (2025-01/02) would cause audit writes to fail.

Allow localhost:3000 and localhost:3001 origins with credentials enabled. Add x-csrf-token and agentdpop to allowed headers for UI <-> registry communication.

Update GrantResponse to include ui-expected fields:
- grant_id (alias for id)
- agent_name, service_provider_name (from joined tables)
- requested_capabilities, requested_envelope (aliases for consistency)
- created_at from issued_at

Extend GrantRow with agent_name and service_provider_name from joins. Add get_grant_row() helper and update queries with proper table joins.

Add GET /v1/agents list endpoint returning AgentSummary objects. Refactor get_agent() to fetch full agent details with nested grants. Add AgentResponse matching ui's AgentDetails type. Add GrantSummaryResponse for grants within agent details. Add AgentSummaryResponse for list endpoint. Add database queries: list_agents, count_active_grants, list_grants_for_agent.

Change Capability type from uppercase ('Read', 'Write') to lowercase
('read', 'write', 'transact', 'delete', 'custom') matching rust serde.
Update capabilities.ts switch statements to use lowercase types.
Widen GrantSummary.status from union type to string for backend compatibility.
Fix all tests to use lowercase capability types.

Update approval-ui api.ts:
- Change REGISTRY_URL from process.env to hardcoded http://localhost:8080
- Update approveGrant() signature to send approved_by, approval_nonce, approval_signature

Update ApprovalPage.tsx:
- Remove WebAuthn imports
- Implement demo-mode approval generating random nonce and 64-byte hex signature
- Use fixed demo user UUID for approved_by

Add register-demo-agent.py script:
- Generate Ed25519 keypairs using PyNaCl
- Build signed manifests with canonical JSON matching rust serde_json
- Seed human principal and service providers directly via psql
- Create pending grant request visible in approval ui

Add grantStatus mapping Record for all backend grant statuses:
- approved (green)
- pending (yellow)
- denied (red)
- revoked (gray)
- expired (gray)

Add fallback handling for unknown statuses with default styling. Update status display logic to use mapping instead of assuming active/revoked/expired.

- new crates/registry/src/demo.rs with deterministic UUIDs and seed data
- add DemoConfig to RegistryConfig with demo.enabled flag
- seed human principal and service provider on startup if enabled

- make IssueTokenRequest fields optional (agent_id, service_provider_id, etc)
- look up grant details from DB when simplified request (grant_id only) received
- add dpop_thumbprint field for SDK compatibility
- add GrantNotApproved error variant (409 CONFLICT)
- add access_token and token_type fields to TokenResponse for SDK

- new services/demo-agent with full agent registration and grant flow
- embedded mock service provider on port 9090
- demonstrates capability enforcement: 3 allowed, 1 denied
- uses deterministic Ed25519 keypair from demo seed
- add demo-agent to workspace members

- new DashboardPage.tsx with Grafana iframe in kiosk mode
- two tabs: token verification SLO and circuit breakers
- graceful error state when Grafana unreachable
- wire up /dashboard route in App.tsx and server.ts
- add Grafana embedding env vars to docker-compose (GF_SECURITY_ALLOW_EMBEDDING, GF_AUTH_ANONYMOUS_ENABLED)

- add demo-agent to cargo build and start in dev.sh
- 5s delay before starting demo agent to allow registry readiness
- update service status display with mock service and Grafana URLs
- delete scripts/register-demo-agent.py (replaced by built-in demo agent)

- accept base64url-encoded signatures (SignedManifest format) in addition to hex
- add serde aliases for grant request fields (requested_capabilities, requested_envelope)
- allows SDK and demo agent to successfully register and request grants

- move mock service provider from port 9090 to 9095 (Prometheus uses 9090)
- fix Grafana dashboard UIDs to match actual dashboard files (agentauth-verify-slo, agentauth-circuit-breakers)
- update dev.sh banner to show correct mock service port

- add human_principal_id field to GrantResponse so it can be sent to UI
- include it in both grant response builder functions
- use actual grant.human_principal_id in approval page instead of hardcoded UUID
- resolves FK violation when approving grants

- new db::get_pending_grant_id() function to find most recent pending grant
- expose pending_grant_id in AgentSummaryResponse (omitted from JSON when None)
- add pending_grant_id to AgentSummary and GrantRequest frontend types
- restructure AgentRow card: clickable info area + amber APPROVE button for pending
- show PENDING APPROVAL badge with pulse animation on agent names
- add APPROVE button to GrantRow for pending grants on agent detail page

- handlers/tokens.rs: use String::into_bytes method reference instead of closure
- middleware.rs: use HeaderValue::from_static instead of parse().expect()
- demo-agent/main.rs: move TokenResp struct before function, remove redundant match arm, use inline format variables, change &Option<T> to Option<&T>
- registry/src/main.rs: use DatabaseError::code method reference instead of closure

check for existing pending grant before creating a new one so that multiple consecutive requests for the same agent+service_provider return the same grant (idempotent across service restarts)
check decoded length (64 bytes for ed25519) to correctly distinguish between a 128-char hex string and base64url, since both are valid base64url lengths but produce different byte counts (64 vs 96 bytes)
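
The length check described in the commit message above, as an added example that is not code from this pull request: it tries both encodings and accepts only the one that decodes to exactly 64 bytes. The names `decode_signature` and `SigEncoding` and the hand-written std-only decoders are assumptions made for illustration; the inputs are constructed, not real signatures.

```rust
// Added example: std-only, constructed inputs; not the registry's implementation.
const ED25519_SIG_LEN: usize = 64;

#[derive(Debug, PartialEq)]
enum SigEncoding { Hex, Base64Url }

fn decode_hex(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 || !s.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
    (0..s.len()).step_by(2).map(|i| u8::from_str_radix(&s[i..i + 2], 16).ok()).collect()
}

// Unpadded base64url (RFC 4648 section 5); trailing '=' padding is tolerated.
fn decode_base64url(s: &str) -> Option<Vec<u8>> {
    let s = s.trim_end_matches('=');
    if s.len() % 4 == 1 { return None; }
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

// Try both encodings; accept only the one that yields exactly 64 bytes.
// A 128-char hex string also parses as base64url, but to 96 bytes, so it is
// rejected on that path instead of being handed on as a wrong-length signature.
fn decode_signature(s: &str) -> Option<(SigEncoding, Vec<u8>)> {
    if let Some(b) = decode_hex(s).filter(|b| b.len() == ED25519_SIG_LEN) {
        return Some((SigEncoding::Hex, b));
    }
    decode_base64url(s).filter(|b| b.len() == ED25519_SIG_LEN).map(|b| (SigEncoding::Base64Url, b))
}

fn main() {
    let hex_sig = "ab".repeat(64); // constructed 128-char hex, not a real signature
    println!("{:?}", decode_signature(&hex_sig).map(|(e, b)| (e, b.len())));
}
```

Anything that decodes to a length other than 64 bytes under both encodings returns `None`, so a caller can reject the request before signature verification is attempted.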
add `id` field as primary agent identifier (mirrors agent_id) and `is_active` boolean for test expectations, complementing the status string field

- correct postgres credentials from agentauth to agentauth_dev
- use standalone redis (port 6380) instead of cluster node (port 6399)
- add missing demo field to RegistryConfig struct initialization

Summary
- services/demo-agent/) — a Rust binary that registers with the registry, requests a capability grant, waits for human approval, issues a token, and makes authenticated requests against an embedded mock service provider on port 9095. Results show 3 requests allowed (Read/Write/Delete) and 1 denied (Transact — not in grant), directly demonstrating how permissions constrain agent behavior.
- `[demo] enabled = true` in `config.toml`, the registry seeds a human principal and service provider on startup using deterministic UUIDs, so no manual setup is needed.
- `{grant_id}` payload the SDK sends (looking up grant details from the DB), signature decoding accepts base64url (matching `SignedManifest`), and grant request field names are aliased to match the SDK's naming conventions.
- `/dashboard` route embedding Grafana in kiosk mode with two sub-tabs (Token Verification SLO, Circuit Breakers). Grafana is configured for anonymous viewer access and iframe embedding in `docker-compose.yml`.
- `dev.sh` integration — builds and starts the demo agent alongside the registry, verifier, and approval UI. Removes `scripts/register-demo-agent.py`.