feat: add control plane principal scope #101

Merged: matdev83 merged 3 commits into main from feat/control-plane-principal-scope on Jul 2, 2026

matdev83 (Owner) commented Jul 1, 2026

Summary

  • add canonical principal scope values and SDK/context propagation helpers
  • bridge auth scope through local auth, HTTP auth, runtime secure sessions, aux requests, usage and traffic observation
  • update control-plane-principal-scope spec tasks and dogfood docs

Verification

  • go test ./internal/core/auth ./internal/core/auxreq ./internal/core/config ./internal/core/execctx ./internal/core/runtime ./internal/stdhttp/auth ./pkg/lipsdk/auth ./pkg/lipsdk/traffic ./pkg/lipsdk/transport/httpauth ./pkg/lipsdk/usage ./pkg/lipsdk/scope ./internal/archtest

coderabbitai Bot commented Jul 1, 2026

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d858c02d-b1e4-4bb1-834d-fd876bebf51a

📥 Commits

Reviewing files that changed from the base of the PR and between 76eefdd and 1bcb689.

📒 Files selected for processing (10)
  • internal/core/auth/scope.go
  • internal/core/auth/scope_test.go
  • internal/core/auxreq/scope_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/core/config/access_auth_validate.go
  • internal/core/config/access_auth_validate_internal_test.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/scope_bridge_test.go
  • pkg/lipsdk/scope/context.go
  • pkg/lipsdk/scope/view_test.go
📝 Walkthrough

This PR introduces a protocol-neutral PrincipalScopeView attribution model (pkg/lipsdk/scope) with safety sanitization, and threads it through auth decisions, execution context, runtime traffic/usage observability, HTTP auth middleware, local authenticators, and auxiliary request handling, backed by extensive tests and supporting config/documentation updates.

Changes

Principal Scope Attribution

| Layer | File(s) | Summary |
|---|---|---|
| Scope value/view core types | pkg/lipsdk/scope/value.go, pkg/lipsdk/scope/view.go, pkg/lipsdk/scope/doc.go, pkg/lipsdk/scope/*_test.go | Defines presence-aware Value type and PrincipalScopeView struct with SubjectKind/Origin enums, Clone(), and Principal() projection. |
| Scope context helpers | pkg/lipsdk/scope/context.go, pkg/lipsdk/transport/httpauth/context.go, related tests | Adds WithScope/ScopeFromContext for storing/retrieving cloned scopes on context.Context, plus transport aliases. |
| SDK contract extensions | pkg/lipsdk/auth/decision.go, pkg/lipsdk/auth/events.go, pkg/lipsdk/execview/views.go, pkg/lipsdk/transport/httpauth/result.go, pkg/lipsdk/traffic/*.go, pkg/lipsdk/usage/observe.go, tests | Adds optional Scope fields to Decision, AuthDecisionEvent, AuthenticationResult, Observation/CaptureMeta, and usage.Event. |
| BuildScope / SanitizeScope | internal/core/auth/scope.go, internal/core/auth/errors.go, tests | Implements BuildScope, ScopeFromLegacyPrincipal, and SanitizeScope with new error variables and credential-safety checks. |
| Local authenticator attribution wiring | internal/core/auth/local_apikey*.go, internal/core/auth/local_noop*.go, internal/core/config/access_auth_*.go, tests | Builds scope from configured attribution in local API key and no-op authenticators, validates attribution fields, and maps config-layer attribution. |
| execctx Views scope snapshot | internal/core/execctx/views.go, views_scope_test.go | Adds Scope field to Views, deep-copies it via FromContext. |
| Runtime scope resolution and propagation | internal/core/runtime/scope_resolver.go, executor_prepare_secure.go, executor_open_attempt.go, attempt_stream.go, secure_session.go, internal/core/auxreq/client.go, tests | Resolves request scope with precedence rules, wires it into secure session, executor attempts, traffic/usage emission, and auxiliary request contexts. |
| HTTP auth adapter/middleware bridging | internal/stdhttp/auth/adapter.go, internal/stdhttp/auth/middleware.go, tests | Bridges auth decisions into evidence-safe scope, renames EnsureContextPrincipal to EnsureContextIdentity, and propagates scope through middleware. |
| Architecture tests and docs | internal/archtest/scope_boundary_test.go, docs/dogfood-local.md, .kiro/specs/.../tasks.md | Enforces scope package/backends dependency boundaries and updates documentation/spec verification notes. |

Estimated code review effort: 4 (Complex) | ~75 minutes

Possibly related PRs

  • matdev83/go-llm-interactive-proxy#6: Extends the local API key and no-op authenticator implementations introduced there to attach and sanitize authoritative scope attribution.
🚥 Pre-merge checks | ✅ 8
✅ Passed checks (8 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title is concise, uses a conventional prefix, and accurately summarizes the main scope-related feature work. |
| Description check | ✅ Passed | The description clearly matches the changeset and summarizes the scope propagation, docs, and verification updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No Secrets | ✅ Passed | Scanned the modified auth/scope/transport files; they add protocol labels and safe metadata only, with no hardcoded secrets, keys, passwords, or sensitive URLs. |
| Context Propagation | ✅ Passed | Context/scope is cloned and propagated through middleware, auxreq, executor, and observers; no new goroutines were added, and cancellation detachment is limited to cleanup/recording paths. |
| No Accidental Public Api Break | ✅ Passed | Public changes are additive, and the touched APIs explicitly document legacy/optional compatibility; no exported removals or signature breaks were found. |

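The clone-on-store and clone-on-read behaviour that the walkthrough attributes to WithScope/ScopeFromContext, shown as an added example that is not the project's code. PrincipalScopeView here is a simplified stand-in with an assumed field set, and withScopeAliased, RolesAfterCallerMutation and ClaimAfterReaderMutation are hypothetical helpers used only to contrast the two behaviours.

```go
package main

import (
	"context"
	"fmt"
	"maps"
	"slices"
)

// PrincipalScopeView is a simplified stand-in for the SDK type named in the
// walkthrough. The field set is assumed for this example.
type PrincipalScopeView struct {
	PrincipalID string
	Roles       []string
	SafeClaims  map[string]string
}

// Clone returns a deep copy that shares no slice or map storage with s.
func (s PrincipalScopeView) Clone() PrincipalScopeView {
	out := s
	out.Roles = slices.Clone(s.Roles)
	out.SafeClaims = maps.Clone(s.SafeClaims)
	return out
}

type ctxKey int

const keyScope ctxKey = iota

// WithScope stores a clone, so later writes by the caller cannot change the
// attribution that downstream observers read.
func WithScope(ctx context.Context, s PrincipalScopeView) context.Context {
	return context.WithValue(ctx, keyScope, s.Clone())
}

// ScopeFromContext returns a clone, so one reader cannot rewrite the scope
// seen by every other reader of the same context.
func ScopeFromContext(ctx context.Context) (PrincipalScopeView, bool) {
	s, ok := ctx.Value(keyScope).(PrincipalScopeView)
	if !ok {
		return PrincipalScopeView{}, false
	}
	return s.Clone(), true
}

// withScopeAliased is the unsafe contrast (hypothetical): the struct is copied
// by value, but its slice and map still point at the caller's storage.
func withScopeAliased(ctx context.Context, s PrincipalScopeView) context.Context {
	return context.WithValue(ctx, keyScope, s)
}

// RolesAfterCallerMutation stores a constructed scope with the given store
// function, mutates the caller's copy, and reports what the context now holds.
func RolesAfterCallerMutation(store func(context.Context, PrincipalScopeView) context.Context) []string {
	s := PrincipalScopeView{PrincipalID: "user-1", Roles: []string{"reader"}}
	ctx := store(context.Background(), s)
	s.Roles[0] = "admin" // write through the caller's slice after storing
	got, _ := ScopeFromContext(ctx)
	return got.Roles
}

// ClaimAfterReaderMutation has one reader modify its returned view and reports
// what a second reader of the same context sees.
func ClaimAfterReaderMutation() string {
	s := PrincipalScopeView{
		PrincipalID: "user-1",
		SafeClaims:  map[string]string{"tenant": "acme"},
	}
	ctx := WithScope(context.Background(), s)
	first, _ := ScopeFromContext(ctx)
	first.SafeClaims["tenant"] = "other"
	second, _ := ScopeFromContext(ctx)
	return second.SafeClaims["tenant"]
}

func main() {
	fmt.Println("cloned store: ", RolesAfterCallerMutation(WithScope))
	fmt.Println("aliased store:", RolesAfterCallerMutation(withScopeAliased))
	fmt.Println("second reader:", ClaimAfterReaderMutation())
}
```

The aliased store lets a post-authentication write change the recorded role, which is the integrity failure that cloning at both ends of the context boundary prevents.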

Fix the 5 golangci-lint issues that failed the QA workflow: forcetypeassert on the auxreq.Client type assertions, modernize (slices.ContainsFunc for roles sanitization and reflect.Type.Fields iterator in the view test), and staticcheck QF1011 replaced with a compile-time guard. No behavior change.

Co-authored-by: Cursor <cursoragent@cursor.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
internal/stdhttp/auth/adapter.go (1)

96-133: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Clear d.Scope before renderer hooks.

internal/stdhttp/auth/adapter.go:106-133

The built-in renderer ignores Decision.Scope, but callRenderer still passes the full decision to the public AuthErrorRenderer hook. If a custom renderer inspects Decision.Scope, the unsafe scope from bridgeScope can reach the response path. d.Scope = nil here keeps the extension point safe.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/stdhttp/auth/adapter.go` around lines 96 - 133, Clear the decision
scope before any renderer hook is invoked in the auth adapter flow. In the
bridgeScope/authDecisionEvent path, if bridgeScope returns an error and d is
downgraded to deny, explicitly set d.Scope to nil before calling p.callRenderer
so custom AuthErrorRenderer implementations cannot see unsafe scope material.
Keep the existing allow/challenge/deny handling in adapter.go, but ensure the
sanitized decision is what reaches the renderer.
pkg/lipsdk/traffic/observe.go (1)

63-73: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

CaptureMeta is no longer comparable.

Adding Scope scope.PrincipalScopeView makes this exported SDK type non-comparable because PrincipalScopeView contains slices and maps. Any downstream code that uses CaptureMeta with == or as a map key will stop compiling. If comparability is meant to remain part of the contract, keep Scope out of the value type (for example, store a pointer or a separate wrapper).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/lipsdk/traffic/observe.go` around lines 63 - 73, CaptureMeta became
non-comparable after adding the Scope field, so downstream uses with == or as
map keys will break. Update the CaptureMeta type in observe.go to preserve
comparability by removing the direct scope.PrincipalScopeView value field and
replacing it with a comparable alternative such as a pointer or moving Scope
into a separate wrapper type. Keep the exported API compatible by ensuring
CaptureMeta itself remains comparable.

Source: Path instructions

pkg/lipsdk/usage/observe.go (1)

11-26: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

usage.Event no longer stays comparable.

Adding Scope scope.PrincipalScopeView makes the exported type non-comparable, so downstream code that uses == or map keys with usage.Event will stop compiling. If this is intentional, call out the API break; otherwise keep Scope behind a pointer or another comparable wrapper.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/lipsdk/usage/observe.go` around lines 11 - 26, usage.Event has become
non-comparable because Event now embeds Scope scope.PrincipalScopeView, which
can break downstream equality checks and map keys; update the Event struct to
preserve comparability by storing Scope behind a comparable indirection (for
example, a pointer or other comparable wrapper) or, if the API break is
intended, adjust the exported contract accordingly. Make the fix in usage.Event
in observe.go and ensure any code constructing or reading Event still handles
Scope correctly.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/core/auth/scope.go`:
- Around line 97-166: The credential filter in SanitizeScope is too narrow,
since looksCredentialLike only matches a small set of exact substrings and
misses common raw secret formats. Broaden the heuristic in looksCredentialLike
to catch additional secret-like values such as JWT-shaped strings, API key
prefixes, and separator variants like password: or secret=, or explicitly
tighten the SanitizeScope doc comment to state it is best-effort only. Keep the
changes centered on SanitizeScope, looksCredentialLike, and
credentialLikePatterns so callers don’t over-rely on this gate.
- Around line 39-50: BuildScope currently lets the trusted-scope path succeed
even when the resulting Scope has no real Principal.ID, which violates the same
identity requirement enforced by the legacy-principal branch. Update BuildScope
in scope.go to validate the cloned trusted scope after SanitizeScope and return
ErrNoIdentity when s.Principal() is empty, matching the behavior already used
for the legacy path. Add or update a scope_test.go case around BuildScope to
cover the trusted-scope-without-identity scenario and assert it fails with
ErrNoIdentity.

In `@internal/core/config/access_auth_local_attribution_test.go`:
- Around line 147-167: The test named
TestValidateAuthLocalAPIKeyRecords_attributionConverted is bypassing the config
conversion path and validating core records directly, so it does not exercise
toCore() or config.ValidateAuthLocalAPIKeyRecords. Update the test to call
config.ValidateAuthLocalAPIKeyRecords with the local API key attribution fixture
and assert the resulting core auth record behavior indirectly, rather than
manually constructing coreauth.LocalAPIKeyRecord. Make sure the test verifies
the full conversion path, including fields like AuthMethod, OrganizationID,
WorkspaceID, ProjectID, DepartmentID, CostCenterID, PolicyLabels, and
Attribution.

In `@internal/core/config/access_auth_validate.go`:
- Around line 93-107: The issue is that AuthLocalAttribution.toCore() passes
Roles, SafeClaims, and PolicyLabels by reference, letting
coreauth.LocalAttribution alias mutable config state. Update toCore() to
deep-copy those slice/map fields before returning, and verify
NewLocalAPIKeyAuthenticator in local_apikey.go does not keep the shared
references. Keep the fix centered on AuthLocalAttribution.toCore and the
LocalAPIKeyAuthenticator constructor so later mutations cannot bypass
validateLocalAttribution.

In `@internal/stdhttp/auth/adapter.go`:
- Around line 102-108: The forced deny path in the auth adapter is reusing any
preexisting ReasonCode, which can leave a stale Allow-era code attached to an
unsafe-scope rejection. Update the bridged.err branch in auth/adapter.go so that
when d.Outcome is set to auth.OutcomeDeny, d.ReasonCode is also reset to the
unsafe-scope value unconditionally (or otherwise cleared before assigning it),
ensuring defaultTerminalHTTPStatus and the rendered error always reflect the
actual unsafe-scope denial.

In `@pkg/lipsdk/scope/context.go`:
- Around line 5-7: The context key definition in ctxKey/keyScope uses a magic
iota offset without any local functional need. Update keyScope in context.go to
use a plain iota unless there is a real cross-package key registry convention;
if the offset must remain, add a short comment near keyScope explaining the
shared-ID convention. Keep the change focused on the ctxKey and keyScope symbols
so the intent is clear.

---

Outside diff comments:
In `@internal/stdhttp/auth/adapter.go`:
- Around line 96-133: Clear the decision scope before any renderer hook is
invoked in the auth adapter flow. In the bridgeScope/authDecisionEvent path, if
bridgeScope returns an error and d is downgraded to deny, explicitly set d.Scope
to nil before calling p.callRenderer so custom AuthErrorRenderer implementations
cannot see unsafe scope material. Keep the existing allow/challenge/deny
handling in adapter.go, but ensure the sanitized decision is what reaches the
renderer.

In `@pkg/lipsdk/traffic/observe.go`:
- Around line 63-73: CaptureMeta became non-comparable after adding the Scope
field, so downstream uses with == or as map keys will break. Update the
CaptureMeta type in observe.go to preserve comparability by removing the direct
scope.PrincipalScopeView value field and replacing it with a comparable
alternative such as a pointer or moving Scope into a separate wrapper type. Keep
the exported API compatible by ensuring CaptureMeta itself remains comparable.

In `@pkg/lipsdk/usage/observe.go`:
- Around line 11-26: usage.Event has become non-comparable because Event now
embeds Scope scope.PrincipalScopeView, which can break downstream equality
checks and map keys; update the Event struct to preserve comparability by
storing Scope behind a comparable indirection (for example, a pointer or other
comparable wrapper) or, if the API break is intended, adjust the exported
contract accordingly. Make the fix in usage.Event in observe.go and ensure any
code constructing or reading Event still handles Scope correctly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c6ee3c5d-2b6c-4d68-a7cf-50afc5942a74

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4c88b and 76eefdd.

📒 Files selected for processing (56)
  • .kiro/specs/control-plane-principal-scope/tasks.md
  • docs/dogfood-local.md
  • internal/archtest/scope_boundary_test.go
  • internal/core/auth/errors.go
  • internal/core/auth/local_apikey.go
  • internal/core/auth/local_apikey_record.go
  • internal/core/auth/local_apikey_scope_test.go
  • internal/core/auth/local_noop.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/auth/scope.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/auth/scope_test.go
  • internal/core/auxreq/client.go
  • internal/core/auxreq/scope_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/core/config/access_auth_model.go
  • internal/core/config/access_auth_validate.go
  • internal/core/execctx/views.go
  • internal/core/execctx/views_scope_test.go
  • internal/core/runtime/attempt_stream.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/core/runtime/executor_open_attempt.go
  • internal/core/runtime/executor_prepare_secure.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/scope_resolver.go
  • internal/core/runtime/scope_resolver_test.go
  • internal/core/runtime/secure_session.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/adapter_test.go
  • internal/stdhttp/auth/middleware.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
  • pkg/lipsdk/auth/decision.go
  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/auth/events.go
  • pkg/lipsdk/auth/events_scope_test.go
  • pkg/lipsdk/execview/views.go
  • pkg/lipsdk/scope/context.go
  • pkg/lipsdk/scope/context_test.go
  • pkg/lipsdk/scope/doc.go
  • pkg/lipsdk/scope/value.go
  • pkg/lipsdk/scope/value_test.go
  • pkg/lipsdk/scope/view.go
  • pkg/lipsdk/scope/view_test.go
  • pkg/lipsdk/traffic/emit.go
  • pkg/lipsdk/traffic/observe.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/transport/httpauth/context.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • pkg/lipsdk/transport/httpauth/result.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • pkg/lipsdk/usage/observe.go
  • pkg/lipsdk/usage/observe_scope_test.go
📜 Review details
🧰 Additional context used
📓 Path-based instructions (9)
pkg/lipsdk/**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

pkg/lipsdk/**/*.go: In pkg/lipsdk/, keep plugin SDK, facades, and registration contracts.
Keep public pkg/lipsdk contracts minimal, documented, and versionable.

Files:

  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • pkg/lipsdk/scope/doc.go
  • pkg/lipsdk/auth/events.go
  • pkg/lipsdk/transport/httpauth/context.go
  • pkg/lipsdk/scope/value.go
  • pkg/lipsdk/execview/views.go
  • pkg/lipsdk/traffic/emit.go
  • pkg/lipsdk/scope/context.go
  • pkg/lipsdk/usage/observe.go
  • pkg/lipsdk/transport/httpauth/result.go
  • pkg/lipsdk/scope/context_test.go
  • pkg/lipsdk/traffic/observe.go
  • pkg/lipsdk/auth/decision.go
  • pkg/lipsdk/scope/value_test.go
  • pkg/lipsdk/usage/observe_scope_test.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/auth/events_scope_test.go
  • pkg/lipsdk/scope/view_test.go
  • pkg/lipsdk/scope/view.go
**/*.go

📄 CodeRabbit inference engine (Custom checks)

**/*.go: For server, CLI, worker, or network Go code, ensure context.Context is propagated correctly, cancellation is respected, and new goroutines cannot leak indefinitely.
Do not make accidental public API breaks in Go code: under pkg/** or anywhere exported Go identifiers are changed, warn if the PR changes exported types, function signatures, error behavior, JSON fields, CLI flags, config keys, or documented behavior without clearly explaining the compatibility impact.

Files:

  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • internal/core/auxreq/scope_test.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • pkg/lipsdk/scope/doc.go
  • internal/core/execctx/views_scope_test.go
  • pkg/lipsdk/auth/events.go
  • pkg/lipsdk/transport/httpauth/context.go
  • pkg/lipsdk/scope/value.go
  • internal/stdhttp/auth/adapter_test.go
  • pkg/lipsdk/execview/views.go
  • pkg/lipsdk/traffic/emit.go
  • pkg/lipsdk/scope/context.go
  • internal/archtest/scope_boundary_test.go
  • internal/core/runtime/secure_session.go
  • pkg/lipsdk/usage/observe.go
  • pkg/lipsdk/transport/httpauth/result.go
  • internal/core/auth/local_apikey_scope_test.go
  • internal/core/auth/errors.go
  • internal/core/auxreq/client.go
  • pkg/lipsdk/scope/context_test.go
  • internal/core/runtime/executor_open_attempt.go
  • pkg/lipsdk/traffic/observe.go
  • internal/core/execctx/views.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • pkg/lipsdk/auth/decision.go
  • internal/core/runtime/scope_resolver_test.go
  • internal/core/runtime/scope_resolver.go
  • pkg/lipsdk/scope/value_test.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/stdhttp/auth/middleware.go
  • pkg/lipsdk/usage/observe_scope_test.go
  • internal/core/auth/scope.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/auth/events_scope_test.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • pkg/lipsdk/scope/view_test.go
  • internal/core/auth/local_noop.go
  • internal/core/auth/local_apikey.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/config/access_auth_validate.go
  • internal/core/config/access_auth_model.go
  • internal/core/runtime/executor_prepare_secure.go
  • internal/core/auth/local_apikey_record.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/core/runtime/attempt_stream.go
  • internal/core/auth/scope_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
  • pkg/lipsdk/scope/view.go

⚙️ CodeRabbit configuration file

**/*.go: Review as production Go code. Prioritize correctness, race conditions, goroutine leaks, context cancellation, timeout handling, error wrapping, nil-pointer risks, resource cleanup, defer placement, API compatibility, interface design, dependency boundaries, and testability. Avoid generic style comments when gofmt/golangci-lint already covers the issue.

Files:

  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • internal/core/auxreq/scope_test.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • pkg/lipsdk/scope/doc.go
  • internal/core/execctx/views_scope_test.go
  • pkg/lipsdk/auth/events.go
  • pkg/lipsdk/transport/httpauth/context.go
  • pkg/lipsdk/scope/value.go
  • internal/stdhttp/auth/adapter_test.go
  • pkg/lipsdk/execview/views.go
  • pkg/lipsdk/traffic/emit.go
  • pkg/lipsdk/scope/context.go
  • internal/archtest/scope_boundary_test.go
  • internal/core/runtime/secure_session.go
  • pkg/lipsdk/usage/observe.go
  • pkg/lipsdk/transport/httpauth/result.go
  • internal/core/auth/local_apikey_scope_test.go
  • internal/core/auth/errors.go
  • internal/core/auxreq/client.go
  • pkg/lipsdk/scope/context_test.go
  • internal/core/runtime/executor_open_attempt.go
  • pkg/lipsdk/traffic/observe.go
  • internal/core/execctx/views.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • pkg/lipsdk/auth/decision.go
  • internal/core/runtime/scope_resolver_test.go
  • internal/core/runtime/scope_resolver.go
  • pkg/lipsdk/scope/value_test.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/stdhttp/auth/middleware.go
  • pkg/lipsdk/usage/observe_scope_test.go
  • internal/core/auth/scope.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/auth/events_scope_test.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • pkg/lipsdk/scope/view_test.go
  • internal/core/auth/local_noop.go
  • internal/core/auth/local_apikey.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/config/access_auth_validate.go
  • internal/core/config/access_auth_model.go
  • internal/core/runtime/executor_prepare_secure.go
  • internal/core/auth/local_apikey_record.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/core/runtime/attempt_stream.go
  • internal/core/auth/scope_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
  • pkg/lipsdk/scope/view.go
**/*

📄 CodeRabbit inference engine (Custom checks)

Do not introduce hardcoded credentials, API keys, tokens, private keys, passwords, production secrets, or sensitive internal URLs.

Files:

  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • internal/core/auxreq/scope_test.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • pkg/lipsdk/scope/doc.go
  • internal/core/execctx/views_scope_test.go
  • pkg/lipsdk/auth/events.go
  • pkg/lipsdk/transport/httpauth/context.go
  • pkg/lipsdk/scope/value.go
  • internal/stdhttp/auth/adapter_test.go
  • pkg/lipsdk/execview/views.go
  • pkg/lipsdk/traffic/emit.go
  • pkg/lipsdk/scope/context.go
  • internal/archtest/scope_boundary_test.go
  • internal/core/runtime/secure_session.go
  • pkg/lipsdk/usage/observe.go
  • pkg/lipsdk/transport/httpauth/result.go
  • internal/core/auth/local_apikey_scope_test.go
  • internal/core/auth/errors.go
  • internal/core/auxreq/client.go
  • pkg/lipsdk/scope/context_test.go
  • internal/core/runtime/executor_open_attempt.go
  • pkg/lipsdk/traffic/observe.go
  • internal/core/execctx/views.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • pkg/lipsdk/auth/decision.go
  • docs/dogfood-local.md
  • internal/core/runtime/scope_resolver_test.go
  • internal/core/runtime/scope_resolver.go
  • pkg/lipsdk/scope/value_test.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/stdhttp/auth/middleware.go
  • pkg/lipsdk/usage/observe_scope_test.go
  • internal/core/auth/scope.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/auth/events_scope_test.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • pkg/lipsdk/scope/view_test.go
  • internal/core/auth/local_noop.go
  • internal/core/auth/local_apikey.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/config/access_auth_validate.go
  • internal/core/config/access_auth_model.go
  • internal/core/runtime/executor_prepare_secure.go
  • internal/core/auth/local_apikey_record.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/core/runtime/attempt_stream.go
  • internal/core/auth/scope_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
  • pkg/lipsdk/scope/view.go
pkg/**

⚙️ CodeRabbit configuration file

pkg/**: Treat exported identifiers as public API. Flag breaking changes, ambiguous contracts, missing error semantics, poor interface boundaries, and changes that make downstream usage harder.

Files:

  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • pkg/lipsdk/scope/doc.go
  • pkg/lipsdk/auth/events.go
  • pkg/lipsdk/transport/httpauth/context.go
  • pkg/lipsdk/scope/value.go
  • pkg/lipsdk/execview/views.go
  • pkg/lipsdk/traffic/emit.go
  • pkg/lipsdk/scope/context.go
  • pkg/lipsdk/usage/observe.go
  • pkg/lipsdk/transport/httpauth/result.go
  • pkg/lipsdk/scope/context_test.go
  • pkg/lipsdk/traffic/observe.go
  • pkg/lipsdk/auth/decision.go
  • pkg/lipsdk/scope/value_test.go
  • pkg/lipsdk/usage/observe_scope_test.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/auth/events_scope_test.go
  • pkg/lipsdk/scope/view_test.go
  • pkg/lipsdk/scope/view.go
**/*_test.go

⚙️ CodeRabbit configuration file

**/*_test.go: Review tests for meaningful assertions, table-driven coverage, race-prone tests, t.Parallel misuse, nondeterminism, leaked goroutines, real network or filesystem dependencies, fragile sleeps, and missing edge cases. Prefer testing observable behavior over implementation details.

Files:

  • pkg/lipsdk/auth/decision_scope_test.go
  • pkg/lipsdk/transport/httpauth/context_scope_test.go
  • internal/core/auxreq/scope_test.go
  • pkg/lipsdk/transport/httpauth/result_scope_test.go
  • internal/core/execctx/views_scope_test.go
  • internal/stdhttp/auth/adapter_test.go
  • internal/archtest/scope_boundary_test.go
  • internal/core/auth/local_apikey_scope_test.go
  • pkg/lipsdk/scope/context_test.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • internal/core/runtime/scope_resolver_test.go
  • pkg/lipsdk/scope/value_test.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • pkg/lipsdk/usage/observe_scope_test.go
  • pkg/lipsdk/traffic/observe_scope_test.go
  • pkg/lipsdk/auth/events_scope_test.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • pkg/lipsdk/scope/view_test.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/core/auth/scope_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
internal/core/**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

In internal/core/, keep runtime orchestration, routing, continuity, streams, hooks/extensions, config, and diagnostics.

Files:

  • internal/core/auxreq/scope_test.go
  • internal/core/execctx/views_scope_test.go
  • internal/core/runtime/secure_session.go
  • internal/core/auth/local_apikey_scope_test.go
  • internal/core/auth/errors.go
  • internal/core/auxreq/client.go
  • internal/core/runtime/executor_open_attempt.go
  • internal/core/execctx/views.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • internal/core/runtime/scope_resolver_test.go
  • internal/core/runtime/scope_resolver.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/core/auth/scope.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • internal/core/auth/local_noop.go
  • internal/core/auth/local_apikey.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/config/access_auth_validate.go
  • internal/core/config/access_auth_model.go
  • internal/core/runtime/executor_prepare_secure.go
  • internal/core/auth/local_apikey_record.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/core/runtime/attempt_stream.go
  • internal/core/auth/scope_test.go
internal/**

⚙️ CodeRabbit configuration file

internal/**: Focus on package boundaries, hidden coupling, unexported API design, concurrency safety, deterministic behavior, and whether logic belongs in this internal package.

Files:

  • internal/core/auxreq/scope_test.go
  • internal/core/execctx/views_scope_test.go
  • internal/stdhttp/auth/adapter_test.go
  • internal/archtest/scope_boundary_test.go
  • internal/core/runtime/secure_session.go
  • internal/core/auth/local_apikey_scope_test.go
  • internal/core/auth/errors.go
  • internal/core/auxreq/client.go
  • internal/core/runtime/executor_open_attempt.go
  • internal/core/execctx/views.go
  • internal/core/auth/local_noop_scope_test.go
  • internal/core/runtime/executor_secure_session_test.go
  • internal/core/runtime/scope_resolver_test.go
  • internal/core/runtime/scope_resolver.go
  • internal/core/auth/scope_phase6_attribution_only_test.go
  • internal/core/config/access_auth_local_attribution_test.go
  • internal/stdhttp/auth/middleware.go
  • internal/core/auth/scope.go
  • internal/core/runtime/scope_phase6_compatibility_test.go
  • internal/core/auth/local_noop.go
  • internal/core/auth/local_apikey.go
  • internal/core/runtime/executor_scope_test.go
  • internal/core/config/access_auth_validate.go
  • internal/core/config/access_auth_model.go
  • internal/core/runtime/executor_prepare_secure.go
  • internal/core/auth/local_apikey_record.go
  • internal/core/runtime/scope_phase6_secret_safety_test.go
  • internal/core/runtime/attempt_stream_scope_test.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/core/runtime/attempt_stream.go
  • internal/core/auth/scope_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
internal/stdhttp/**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

In internal/stdhttp/, compose the standard distribution.

Files:

  • internal/stdhttp/auth/adapter_test.go
  • internal/stdhttp/auth/middleware.go
  • internal/stdhttp/auth/adapter.go
  • internal/stdhttp/auth/middleware_test.go
  • internal/stdhttp/auth/scope_bridge_test.go
internal/archtest/**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

In internal/archtest/, keep architecture and hygiene gates.

Files:

  • internal/archtest/scope_boundary_test.go
🪛 ast-grep (0.44.0)
internal/core/auth/local_apikey_scope_test.go

[warning] 15-15: A credential is hard-coded as a string literal. Secrets stored in source code, such as passwords, API keys, and tokens, can be leaked through version control or binaries and used by internal or external malicious actors. Rotate the exposed secret and load it at runtime from a secure secret vault, a Hardware Security Module (HSM), or an environment variable if permitted by your company policy (e.g. password := os.Getenv("APP_PASSWORD")).
Context: secret := "my-api-key-value-16"
Note: [CWE-798] Use of Hard-coded Credentials.

(hardcoded-credentials-string-literal-go)


[warning] 82-82: A credential is hard-coded as a string literal. Secrets stored in source code, such as passwords, API keys, and tokens, can be leaked through version control or binaries and used by internal or external malicious actors. Rotate the exposed secret and load it at runtime from a secure secret vault, a Hardware Security Module (HSM), or an environment variable if permitted by your company policy (e.g. password := os.Getenv("APP_PASSWORD")).
Context: secret := "my-api-key-value-16"
Note: [CWE-798] Use of Hard-coded Credentials.

(hardcoded-credentials-string-literal-go)

🪛 LanguageTool
.kiro/specs/control-plane-principal-scope/tasks.md

[style] ~179-~179: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...values reach safe scope or evidence.

  • Task 6.3 (boundary / attribution-only fo...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)


[style] ~180-~180: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...dmin-GUI code on the affected paths.

  • Task 7.1 (focused verification command s...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🔇 Additional comments (62)
pkg/lipsdk/scope/value.go (1)

1-35: LGTM!

pkg/lipsdk/scope/value_test.go (1)

1-88: LGTM!

pkg/lipsdk/scope/view.go (2)

33-61: LGTM! Clone correctly preserves nil-vs-empty semantics for slices/maps via slices.Clone/maps.Clone, matching the isolation tests in view_test.go.


63-75: LGTM! Projection correctly copies Roles/SafeClaims so the legacy execview.PrincipalView can't alias the authoritative scope, verified by TestPrincipalScopeView_PrincipalProjectionIsCopy.

pkg/lipsdk/scope/view_test.go (1)

1-228: LGTM! Good coverage, including the forbidden-field-name reflection guard and nil-preservation checks.

pkg/lipsdk/scope/doc.go (1)

1-14: LGTM!

pkg/lipsdk/scope/context.go (1)

9-32: LGTM!

pkg/lipsdk/scope/context_test.go (1)

1-72: LGTM!

pkg/lipsdk/transport/httpauth/context.go (1)

7-7: LGTM!

Also applies to: 20-30

pkg/lipsdk/transport/httpauth/context_scope_test.go (1)

1-35: LGTM!

internal/stdhttp/auth/adapter.go (4)

141-186: bridgeScope logic reviewed — matches precedence rules and tests.

Allow path defers to coreauth.BuildScope, treats ErrNoIdentity as legacy pass-through, and rejects any other error before execution; deny/challenge path clones+sanitizes any supplied scope and drops it silently on sanitize failure. This lines up with scope_bridge_test.go coverage (allow/legacy/deny/challenge/unsafe cases). No further issues beyond the d.Scope clearing note above.


318-374: Scope-to-legacy-principal projection in authDecisionEvent looks correct.

src correctly prefers evidenceScope.Principal() over d.Principal, claims are key-only (values cleared) to avoid leaking claim values onto the audit path, and ev.Scope is only populated (and cloned) when evidenceScope is non-nil. Matches TestPolicyProvider_allow_evidenceCarriesSafeScopeAndCompatFields and the unsafe-scope omission tests.


6-6: LGTM!

Also applies to: 16-16


135-144: LGTM!

internal/stdhttp/auth/adapter_test.go (1)

358-375: LGTM!

internal/stdhttp/auth/middleware.go (2)

99-104: LGTM!


196-224: 📐 Maintainability & Code Quality

No lingering EnsureContextPrincipal references remain.

internal/stdhttp/auth/middleware_test.go (1)

15-15: LGTM!

Also applies to: 336-397

internal/stdhttp/auth/scope_bridge_test.go (1)

1-391: LGTM!

internal/archtest/scope_boundary_test.go (2)

11-44: LGTM!

Substring matching against generic terms like "oauth"/"saml" is coarse but appropriately conservative for an architecture guardrail. As per coding guidelines, internal/archtest/**/*.go should keep architecture and hygiene gates, which this satisfies.

Source: Coding guidelines


46-89: LGTM!

docs/dogfood-local.md (2)

90-121: LGTM!


136-136: 📐 Maintainability & Code Quality

Archived spec path is present.

.kiro/specs/control-plane-principal-scope/tasks.md (1)

173-181: LGTM!

internal/core/auth/local_apikey.go (1)

9-15: LGTM!

Also applies to: 29-29, 47-47, 81-129

internal/core/auth/local_apikey_record.go (1)

13-40: LGTM!

Also applies to: 74-127

internal/core/auth/local_apikey_scope_test.go (1)

1-131: LGTM!

internal/core/auth/local_noop.go (1)

9-9: LGTM!

Also applies to: 46-66

internal/core/auth/local_noop_scope_test.go (1)

1-67: LGTM!

internal/core/config/access_auth_model.go (1)

16-35: LGTM!

internal/core/config/access_auth_validate.go (1)

80-91: LGTM!

internal/core/config/access_auth_local_attribution_test.go (1)

33-145: LGTM!

internal/core/execctx/views.go (1)

44-57: LGTM!

Also applies to: 59-80

internal/core/execctx/views_scope_test.go (1)

1-109: LGTM!

internal/core/runtime/scope_resolver.go (2)

45-57: LGTM!


28-43: 🎯 Functional Correctness

Request scope is written back into context before traffic capture reads it.

internal/core/runtime/scope_resolver_test.go (1)

1-138: LGTM!

internal/core/runtime/secure_session.go (1)

29-35: LGTM!

internal/core/runtime/executor_secure_session_test.go (1)

81-100: LGTM!

internal/core/runtime/executor_open_attempt.go (1)

369-378: LGTM!

internal/core/runtime/executor_prepare_secure.go (1)

27-27: LGTM!

Also applies to: 66-72, 157-157, 241-241, 360-360

internal/core/runtime/attempt_stream.go (1)

303-303: LGTM!

Moving recvExecContext(ctx) before the recover-drain branch correctly ensures synthesized usage events during stream recovery carry the scoped context (matches TestRuntime_usageEvidence_recoveryDrainCarriesScope), and sourcing PrincipalID/Scope from scopeFromCtx(ctx) keeps traffic/usage emission consistent with the authoritative scope resolved upstream.

Also applies to: 561-569, 769-771, 786-786

internal/core/runtime/attempt_stream_scope_test.go (1)

1-338: LGTM!

Solid coverage of scope propagation into usage/traffic evidence, secret-free leg checks, synthetic local fallback, and recovery-drain scope carryover.

internal/core/runtime/executor_scope_test.go (1)

1-244: LGTM!

Good coverage of trusted-scope precedence over legacy principal, legacy-principal-derived scope fallback, and multi-attempt scope sharing without disturbing recovery semantics.

internal/core/runtime/scope_phase6_compatibility_test.go (1)

1-228: LGTM!

Good verification that streaming/non-streaming paths carry identical scope, optional attribution doesn't affect routing/attempt counts, and canonical CTP payload shape/fields remain unaffected by scope attachment.

internal/core/runtime/scope_phase6_secret_safety_test.go (1)

1-178: LGTM!

Good coverage of secret-free session-start evidence derivation and isolation of scope copies between usage/traffic observer events.

internal/core/auxreq/client.go (1)

13-13: LGTM!

Correctly preserves parent scope while marking derived origin as internal and updating ParentTraceID; matches TestClient_Stream_preservesParentScopeAndMarksInternalOrigin and the no-scope fallback test.

Also applies to: 53-63

internal/core/auxreq/scope_test.go (1)

1-85: LGTM!

pkg/lipsdk/auth/decision.go (1)

3-6: LGTM!

Also applies to: 35-38

pkg/lipsdk/auth/decision_scope_test.go (1)

1-49: LGTM!

pkg/lipsdk/auth/events_scope_test.go (1)

1-67: LGTM!

pkg/lipsdk/execview/views.go (1)

4-6: LGTM!

internal/core/auth/errors.go (1)

10-20: LGTM!

internal/core/auth/scope_test.go (1)

1-253: LGTM!

internal/core/auth/scope_phase6_attribution_only_test.go (1)

1-78: LGTM!

pkg/lipsdk/auth/events.go (1)

3-7: LGTM!

Also applies to: 60-63

pkg/lipsdk/transport/httpauth/result.go (1)

7-7: LGTM!

Also applies to: 33-37

pkg/lipsdk/transport/httpauth/result_scope_test.go (1)

1-45: LGTM!

pkg/lipsdk/traffic/emit.go (1)

8-8: LGTM!

Also applies to: 72-72

pkg/lipsdk/traffic/observe.go (1)

30-46: LGTM!

Also applies to: 26-29

pkg/lipsdk/traffic/observe_scope_test.go (1)

1-135: LGTM!

pkg/lipsdk/usage/observe_scope_test.go (1)

1-61: LGTM!

Comment thread internal/core/auth/scope.go
Comment thread internal/core/auth/scope.go
Comment thread internal/core/config/access_auth_local_attribution_test.go
Comment thread internal/core/config/access_auth_validate.go
Comment thread internal/stdhttp/auth/adapter.go
Comment thread pkg/lipsdk/scope/context.go Outdated
- BuildScope: reject trusted scopes with no principal id (ErrNoIdentity), mirroring the legacy path
- adapter: forced unsafe-scope deny always reports unsafe_scope, superseding stale allow-era reason codes
- config: toCore deep-copies Roles/SafeClaims/PolicyLabels so core auth records don't alias config state
- SanitizeScope doc: note the credential heuristic is best-effort/non-exhaustive
- context key: document the iota offset convention
- tests: cover the new branches; fix attributionConverted test to call config.ValidateAuthLocalAPIKeyRecords

Co-authored-by: Cursor <cursoragent@cursor.com>
@matdev83 matdev83 merged commit 1aeefbe into main Jul 2, 2026
2 checks passed
@matdev83 matdev83 deleted the feat/control-plane-principal-scope branch July 2, 2026 08:55