mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 13:29:44 +02:00
* feat(agents): gate private-agent surfaces with allowed_principals predicate
Tighten chat/@-mention, history, edit, and delete entry points so private
agents are only reachable by their owner or workspace owner/admin. Agent-to-
agent traffic still bypasses the gate so A2A collaboration keeps working.
- New canAccessPrivateAgent predicate in handler/agent_access.go; used by
comment.enqueueMentionedAgentTasks (replacing the inline check), GetAgent,
ListAgents (filter), ListAgentTasks, GetWorkspaceAgentRunCounts /
Activity30d / TaskSnapshot (workspace-wide aggregations no longer leak
private-agent existence + counts), chat.CreateChatSession,
chat.SendChatMessage (re-checks on every send so role changes can't leave
a stale session as a back-door), and autopilot.shouldSkipDispatch
(caller = autopilot creator).
- allowed_principals is computed inline as {agent.owner_id} ∪ workspace
owner/admin members. No new table — manual config is intentionally not
exposed in v1; the predicate is the extension seam.
- Front-end agent detail page distinguishes 403 (private agent the caller
can't access) from 404 (deleted/missing) and renders a "no access"
placeholder with a back-to-agents button.
- Go tests cover the pure predicate matrix + the four protected surfaces;
vitest passes for the affected views.
Co-authored-by: multica-agent <github@multica.ai>
* feat(agents): gate issue assignment with the private-agent predicate
Refactor validateAssigneePair to call the shared canAccessPrivateAgent
helper. This closes the back door where a plain member could assign a
private agent to an issue and let normal task dispatch run it, side-
stepping the chat / @-mention gate. Agent callers (X-Agent-ID) bypass
so A2A delegation onto a private assignee still works.
Add an integration test covering all three callers (workspace owner,
agent owner, plain member).
Co-authored-by: multica-agent <github@multica.ai>
* fix(agents): close three private-agent gate bypasses found in PR review
1. X-Agent-ID forgery (resolveActor): require X-Task-ID alongside
X-Agent-ID before trusting the agent identity. Without this a plain
workspace member could set X-Agent-ID to any visible agent UUID and
short-circuit the gate to "actor=agent, allow". Daemons already
pair the two headers, so legitimate A2A traffic is unaffected.
2. Chat history read path (chat.go): GetChatSession / ListChatMessages /
GetPendingChatTask / MarkChatSessionRead now go through a new
gateChatSessionForUser helper that re-applies canAccessPrivateAgent
after the ownership check, so a session creator whose role was later
downgraded loses transcript access. ListChatSessions and
ListPendingChatTasks filter their result sets by the same predicate.
3. Cross-workspace @mention (comment.enqueueMentionedAgentTasks):
resolve the mentioned agent via GetAgentInWorkspace scoped to the
issue's workspace so a UUID belonging to a different workspace's
private agent can't slip past the gate (the gate was being applied
against the current workspace's role table, which is the wrong
one).
Regression tests cover each bypass, plus an update to the resolveActor
unit test to reflect the new "X-Agent-ID without X-Task-ID falls back
to member" contract.
Co-authored-by: multica-agent <github@multica.ai>
* test(handler): seed X-Task-ID alongside X-Agent-ID in existing agent-caller tests
After tightening resolveActor to require both headers (X-Agent-ID +
X-Task-ID) for the "agent" actor identity, three existing tests that
set only X-Agent-ID started failing because their requests now resolve
to "member" instead of "agent". Add createHandlerTestTaskForAgent
helper and seed a task per agent-caller assertion. Also patch
TestAgentExplicitMentionStillTriggers — it still passed only because
the @mention path doesn't care about author type for member callers,
but the test claims to exercise the agent path, so make it faithful.
Co-authored-by: multica-agent <github@multica.ai>
* test(handler): finish X-Task-ID seeding + fix cross-workspace mention test schema
The previous CI run still failed in two places:
1. server/cmd/server integration tests — postCommentAsAgent → authRequestWithAgent
only set X-Agent-ID, so resolveActor downgraded the request to "member"
and the on_comment chain produced the wrong task counts. Fix:
authRequestWithAgent now also sets X-Task-ID, fetched or seeded by a new
ensureAgentTask(agentID) helper.
2. TestMentionAgent_RejectsCrossWorkspaceAgentUUID's hand-crafted comment
INSERT was missing comment.workspace_id, which migration 025 made
NOT NULL. Pass testWorkspaceID into the seed row.
Build + vet clean locally; both packages compile.
Co-authored-by: multica-agent <github@multica.ai>
---------
Co-authored-by: multica-agent <github@multica.ai>
76 lines
2.5 KiB
Go
76 lines
2.5 KiB
Go
package handler
|
||
|
||
import (
|
||
"context"
|
||
|
||
"github.com/multica-ai/multica/server/internal/util"
|
||
db "github.com/multica-ai/multica/server/pkg/db/generated"
|
||
)
|
||
|
||
// canAccessPrivateAgent gates the four protected surfaces for private
|
||
// agents: chat / @-mention dispatch, viewing the agent's history, editing
|
||
// configuration, and deletion.
|
||
//
|
||
// Public agents are unrestricted — the predicate returns true unconditionally.
|
||
//
|
||
// Agent-to-agent traffic is always allowed (actorType == "agent"); this is
|
||
// what preserves A2A collaboration even with private agents. The trust
|
||
// boundary is at member↔agent, not agent↔agent.
|
||
//
|
||
// For members, the implicit allowed_principals set is computed inline as:
|
||
// {agent.owner_id} ∪ workspace owner/admin members. Manual configuration of
|
||
// allowed_principals is not exposed in v1; future work can extend this set
|
||
// without changing call sites.
|
||
func (h *Handler) canAccessPrivateAgent(ctx context.Context, agent db.Agent, actorType, actorID, workspaceID string) bool {
|
||
if agent.Visibility != "private" {
|
||
return true
|
||
}
|
||
if actorType == "agent" {
|
||
return true
|
||
}
|
||
if uuidToString(agent.OwnerID) == actorID {
|
||
return true
|
||
}
|
||
member, err := h.getWorkspaceMember(ctx, actorID, workspaceID)
|
||
if err != nil {
|
||
return false
|
||
}
|
||
return roleAllowed(member.Role, "owner", "admin")
|
||
}
|
||
|
||
// memberAllowedForPrivateAgent is the pure predicate used by both
|
||
// canAccessPrivateAgent and the ListAgents filter loop. Caller must have
|
||
// already confirmed agent.Visibility == "private".
|
||
func memberAllowedForPrivateAgent(agent db.Agent, userID, role string) bool {
|
||
if roleAllowed(role, "owner", "admin") {
|
||
return true
|
||
}
|
||
return uuidToString(agent.OwnerID) == userID
|
||
}
|
||
|
||
// accessibleAgentIDs returns the set of agent IDs in the workspace the actor
|
||
// is allowed to see, for use by workspace-wide aggregation endpoints
|
||
// (run counts, activity histograms, task snapshots) that need to filter out
|
||
// private agents the member can't access. Returns nil and false on error.
|
||
func (h *Handler) accessibleAgentIDs(ctx context.Context, workspaceID, actorType, actorID, role string) (map[string]struct{}, bool) {
|
||
wsUUID, err := util.ParseUUID(workspaceID)
|
||
if err != nil {
|
||
return nil, false
|
||
}
|
||
agents, err := h.Queries.ListAllAgents(ctx, wsUUID)
|
||
if err != nil {
|
||
return nil, false
|
||
}
|
||
allowed := make(map[string]struct{}, len(agents))
|
||
for _, a := range agents {
|
||
if a.Visibility == "private" && actorType == "member" {
|
||
if !memberAllowedForPrivateAgent(a, actorID, role) {
|
||
continue
|
||
}
|
||
}
|
||
allowed[uuidToString(a.ID)] = struct{}{}
|
||
}
|
||
return allowed, true
|
||
}
|
||
|