Skip to content

PR1: cloud auth + identity storage foundation#562

Merged
Alan-TheGentleman merged 20 commits into
feat/cloud-user-token-managementfrom
feat/cloud-user-token-management-storage-auth
Jul 5, 2026
Merged

PR1: cloud auth + identity storage foundation#562
Alan-TheGentleman merged 20 commits into
feat/cloud-user-token-managementfrom
feat/cloud-user-token-management-storage-auth

Conversation

@Alan-TheGentleman

Copy link
Copy Markdown
Collaborator

PR1 — Auth + storage foundation

Additive auth domain + DB-backed identity storage for principal-based cloud auth. No server/dashboard/CLI wiring yet.

  • Auth (internal/cloud/auth): principal domain types, roles, managed-token generation, dedicated-pepper HMAC hasher/verifier, storage-agnostic managed-token lookup, PrincipalResolver (managed + legacy).
  • Storage (internal/cloud/cloudstore): additive cloud_principals, cloud_human_users, cloud_principal_tokens, cloud_project_grants, cloud_auth_audit_log (all IF NOT EXISTS); CRUD for principals/users/tokens/grants; hash-only token persistence; last-active-admin guard (advisory lock); auth audit with sensitive-key redaction.

Chain Context

  • Starts: the chain (first code slice after the OpenSpec plan).
  • Ends: storage + auth contracts ready for server wiring.
  • Depends on: tracker branch only.
  • Follow-up: PR2 wires principal-aware sync auth.
  • Out of scope: cloudserver/dashboard/CLI, legacy behavior changes.
  • Review budget: ~1,980 changed lines (auth + storage + Postgres-gated tests). Storage-only, no request-path behavior change.
main
└─ feat/cloud-user-token-management (tracker, draft)
   └─ 📍 PR1  storage-auth
      └─ PR2 → PR3A → PR3B → PR3C → PR4 → PR5 → PR6

Tracker: #561

Copilot AI review requested due to automatic review settings July 3, 2026 20:50
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 32cc993f-27df-4ae7-b2eb-b5784c82e518

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/cloud-user-token-management-storage-auth

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds the initial building blocks for principal-based cloud authentication and DB-backed identity storage, without wiring into request paths yet. This establishes the auth domain model (principals + managed tokens) and the additive cloudstore schema/CRUD needed for follow-up server integration slices.

Changes:

  • Added internal/cloud/auth foundation types for principals/roles/sources plus managed-token generation and HMAC-based hashing/verification with a resolver that supports managed + legacy env tokens.
  • Extended internal/cloud/cloudstore with additive Postgres migrations and new identity CRUD for principals, human users, token metadata, project grants, and auth audit events (with sensitive-key rejection).
  • Added Postgres-gated integration tests for identity storage and migrations, plus updates to the OpenSpec task/progress artifacts.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
openspec/changes/cloud-user-token-management/tasks.md Marks PR1 tasks as complete in the OpenSpec task list.
openspec/changes/cloud-user-token-management/apply-progress.md Adds progress log describing PR1A/PR1B scope, tests, and remaining work.
internal/cloud/cloudstore/identity.go Introduces identity storage DTOs + CRUD helpers, last-admin guard, and auth audit metadata filtering.
internal/cloud/cloudstore/identity_storage_test.go Adds Postgres-gated integration tests + a few pure helper tests for normalization/metadata filtering.
internal/cloud/cloudstore/cloudstore.go Adds additive migrations for principals/users/tokens/grants/audit tables and indexes.
internal/cloud/auth/foundation.go Adds principal domain model, managed token generator, token hasher/verifier, and resolver (managed + legacy).
internal/cloud/auth/foundation_test.go Adds unit tests covering token format/entropy, hasher/verifier behavior, resolver behavior, and legacy compatibility.
internal/cloud/auth/auth.go Switches legacy token equality check to a constant-time hash-based comparison helper.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

}
res, err := cs.db.ExecContext(ctx, `
UPDATE cloud_principal_tokens
SET revoked_at = COALESCE(revoked_at, NOW()), revoked_by_principal_id = $2, revocation_reason = $3
Comment on lines +430 to +441
func (cs *CloudStore) RevokeProjectGrant(ctx context.Context, principalID, project string) error {
if cs == nil || cs.db == nil {
return fmt.Errorf("cloudstore: not initialized")
}
normalized := normalizeCloudProjectGrant(project)
res, err := cs.db.ExecContext(ctx, `DELETE FROM cloud_project_grants WHERE principal_id = $1 AND project = $2`, strings.TrimSpace(principalID), normalized)
if err != nil {
return fmt.Errorf("cloudstore: revoke project grant: %w", err)
}
_, _ = res.RowsAffected()
return nil
}
Comment on lines +567 to +576
func requireAffected(res sql.Result, label string) error {
rows, err := res.RowsAffected()
if err != nil {
return nil
}
if rows == 0 {
return fmt.Errorf("cloudstore: %s not found", label)
}
return nil
}
Comment on lines +691 to +712
switch reflected.Kind() {
case reflect.Map:
if reflected.Type().Key().Kind() != reflect.String {
return nil
}
for _, key := range reflected.MapKeys() {
keyText := key.String()
if sensitiveAuthAuditKey(keyText) {
return fmt.Errorf("%w: %s", ErrSensitiveAuditMetadata, keyText)
}
if err := rejectSensitiveAuthAuditValue(reflected.MapIndex(key).Interface()); err != nil {
return err
}
}
case reflect.Slice, reflect.Array:
for i := 0; i < reflected.Len(); i++ {
if err := rejectSensitiveAuthAuditValue(reflected.Index(i).Interface()); err != nil {
return err
}
}
}
return nil
Comment on lines +20 to +26
dsn := os.Getenv("CLOUDSTORE_TEST_DSN")
if dsn == "" {
t.Skip("CLOUDSTORE_TEST_DSN not set — skipping integration test (requires Postgres)")
}
if !strings.HasPrefix(dsn, "postgres://") && !strings.HasPrefix(dsn, "postgresql://") {
t.Skip("test requires URL-style CLOUDSTORE_TEST_DSN so a per-test search_path can be attached")
}
@Alan-TheGentleman Alan-TheGentleman added the type:feature New feature label Jul 5, 2026
Merge according to the feature-branch-chain order for cloud user token management.
Merge according to the feature-branch-chain order for cloud user token management.
Merge according to the feature-branch-chain order for cloud user token management.
Merge according to the feature-branch-chain order for cloud user token management.
Merge according to the feature-branch-chain order for cloud user token management.
Merge according to the feature-branch-chain order for cloud user token management.
Merge according to the feature-branch-chain order for cloud user token management.
@Alan-TheGentleman Alan-TheGentleman merged commit 1efa83c into feat/cloud-user-token-management Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type:feature New feature

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants