Skip to content

feat(auth): add scoped PAT authentication#112

Merged
codemountains merged 2 commits into
mainfrom
feature/scoped-pat-authentication
Jul 13, 2026
Merged

feat(auth): add scoped PAT authentication#112
codemountains merged 2 commits into
mainfrom
feature/scoped-pat-authentication

Conversation

@codemountains

Copy link
Copy Markdown
Owner

Summary

  • add a common bearer principal authenticator for CLI access tokens and scoped Personal Access Tokens
  • add GET /v1/account and scoped PAT create/list/revoke APIs with atomic idempotency handling
  • update CLI login, status, logout, and token workflows for PAT metadata, presets, scopes, and expiration choices
  • introduce the scoped-PAT schema migration and a post-deployment legacy-token cutover
  • keep legacy resource routes fail-closed behind full compatibility scopes until the operation-specific authorization work in [Auth P3] REST, SSE, and MCP scope and ownership authorization #105
  • synchronize authentication, backend, CLI, deployment, and agent documentation

Context

Closes #104.

This is the first implementation issue tracked by #110. It establishes the shared authentication and PAT foundation used by #105 through #109 without implementing their later operation-specific authorization behavior early.

Migration and rollout

Migration 0004_scoped_pat_cutover.sql prepares account, session, and scoped-PAT data before Worker deployment. The separate idempotent cutover runs only after the new Worker reaches 100% deployment and revokes legacy bootstrap tokens. As documented, the current pre-production rollout assumes no production deployment contains legacy credentials and intentionally provides no bootstrap recovery path after cutover.

Verification

  • just check — 60 test files / 415 tests passed
  • just test-e2e — 1 test file / 5 tests passed
  • just cloudflare-check — Worker dry-run, OpenTofu formatting/validation, and 3 infrastructure tests passed
  • focused API/CLI tests — 76 tests passed
  • API and CLI typechecks passed
  • git diff --check passed

Review

The repository code-reviewer subagent reviewed the final diff. Its initial findings around fail-closed compatibility scopes, distinct auth errors, cutover ordering, logout credential selection, access-token handling, and idempotency cleanup were addressed; the follow-up review reported no remaining correctness findings.

@codemountains
codemountains marked this pull request as ready for review July 12, 2026 14:54

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 193ede56a1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/src/presentation/routes/mcp.ts Outdated
@codemountains

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2dab3b538d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/src/application/auth.ts
@codemountains
codemountains merged commit aa4bc9e into main Jul 13, 2026
3 checks passed
@codemountains
codemountains deleted the feature/scoped-pat-authentication branch July 13, 2026 09:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Auth P2] Scoped PATs, current-account API, and common principal authentication

1 participant