feat: add mintcore shared library and dev mint for local evaluation#1751
feat: add mintcore shared library and dev mint for local evaluation#1751ggallen wants to merge 1 commit into
Conversation
Site previewPreview: https://1ee6ea7b-site.fullsend-ai.workers.dev Commit: |
ReviewPrior findings resolved✅ [data-exposure] ✅ [silent-error] FindingsMedium
Low
Info
Previous runReviewFindingsMedium
Low
Info
Previous runReviewFindingsMedium
Low
Info
Previous run (2)ReviewPrior findings resolved✅ [logic-error] ✅ [auth-bypass] ✅ [missing-validation] ✅ [stale-doc] ✅ [stale-doc] ✅ [incomplete-doc] FindingsMedium
Low
Previous run (3)ReviewFindingsHigh
Medium
Low
Previous run (4)ReviewFindingsMedium
Info
Previous run (5)ReviewFindingsMedium
Low
Info
Previous run (6)ReviewFindingsHigh
Medium
Low
Previous run (7)ReviewFindingsMedium
Info
Previous run (8)ReviewFindingsMedium
Low
Info
|
ifireball
left a comment
There was a problem hiding this comment.
The PR is a missed opportunity. It goes part of the way towards implementing a GCP-independent mint that could e.g. run in a container on k8s but stops short because of "dev" focus and then adds some "dev" APIs that seem redundant.
The following approach would be welcome instead, and would actually also be a step towards the public mint deployment:
- Implement GCP-idependent OIDC token verification via the keys in token.actions.githubusercontent.com
- Drop the POST /v2/pem API (it doesn't seem beneficial to have writable mints)
- Add the other APIs to the GCP mint implementation
- Try to share as much code as possible between the mint implementations, place pieces that must be different behind interfactes that can abstract away multiple implementations.
|
@ifireball, let me see what I can do. |
6d4f2cf to
1bc975d
Compare
|
@ifireball, is this more to your liking? Have at it! |
yes, thanks! a few small nits:
Also about the code structure - I was expecting to see:
Not quite seeing that structure in the code ATM. Having said all that, the size of this change scares me a bit, how do we know we did not break the original mint? |
|
Either that, or everything will become silently insecure because we've dropped some token validations without noticing... |
Introduce a standalone token mint (fullsend mint run) that replaces the full GCP infrastructure for local development and evaluation. The mint stores GitHub App PEMs on disk, verifies OIDC tokens via JWKS, and mints real installation tokens. Refactor both mints to share code via internal/mintcore/: - OIDCVerifier interface with JWKSVerifier (standalone) and STSVerifier (GCP) - PEMAccessor interface for PEM storage abstraction - Shared claims validation, GitHub API helpers, and role permissions - BuildRepoProviderID for WIF provider resolution GCP mint keeps STS-based OIDC verification as default. The /v1/status endpoint now requires authentication in the GCP mint. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@ifireball Thanks for the thorough review — all five points addressed:
Also fixed the review bot finding about unauthenticated All tests pass ( |
…dpoint Resolves fullsend-ai#1751 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
Extract shared OIDC verification, STS token exchange, claims validation, and GitHub API helpers from internal/mint into a new internal/mintcore Go module. Introduces OIDCVerifier interface with STSVerifier (GCP WIF) and JWKSVerifier (direct JWKS) implementations, authenticated /v1/status endpoint, and immutable RolePermissions accessor. Intentional behavioral change: /v1/token OIDC auth failures now return HTTP 401 (was 403) for correct HTTP semantics and consistency with /v1/status. Authorization failures (role not allowed) remain 403. Resolves the first half of fullsend-ai#1751. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
|
@ggallen I'm a little confused, is this PR still relevant? I thought we already merged the mintcore refactor |
|
Superseded by #1783. |
|
🤖 Retro · Started 5:38 PM UTC |
Retro: PR #1751 — mintcore shared library and dev mintWorkflow: Human-authored PR by What went well:
What could improve:
1 proposal filed (large PR detection). Several potential proposals were skipped because existing issues already cover them:
Proposals filed
|
|
🤖 Finished Retro · ✅ Success · Started 5:38 PM UTC · Completed 5:47 PM UTC |
Summary
Introduces a shared mint core library (
internal/mintcore/) and a local development mint (internal/devmint/), enabling fullsend to run without GCP infrastructure for token minting. This is a refactoring of the mint architecture to support multiple implementations behind shared interfaces.mintcore shared library (
internal/mintcore/)New Go module extracted from both the GCP Cloud Function mint and the dev mint:
token.actions.githubusercontent.com, replacing GCP STS/WIF token exchangeGenerateAppJWT,FindInstallation,CreateInstallationTokenClaims,Audience(string-or-array),ValidateOrgAllowed,ValidateWorkflowRefGitHubOrgPattern,RepoNamePattern,RolePatternGCP mint refactoring (
internal/mint/)mintcore.OIDCVerifierfor OIDC verification instead of GCP STS/WIFmintcore.*for all shared types and functions/v1/statusdiagnostic endpoint (returns configured orgs and roles)stsTokenValidator,TokenValidatorinterface, local GitHub API functions, and WIF-related env varsDev mint (
internal/devmint/)Local HTTP server for development and evaluation:
--insecure-no-authflag for local development)POST /v1/pemendpoint — the mint is now read-only, PEMs are managed via filesystemCLI changes
fullsend mint devcommand with--insecure-no-authand--oidc-audienceflags--mint-data-dirflag for disk-based PEM storage during installstorePEMToDisk()replacespostPEMToMint()— PEMs written directly to disk instead of HTTP POSTCloud Function deployment
mintcore/source alongside the mint function.embedfiles for mintcore inmintsrc/mintcore/go.modreplace directive rewritten from../mintcoreto./mintcoreduring zip creationChanges from review feedback
These changes address review feedback:
POST /v1/pem— the mint is now read-only; PEMs are written to disk and hot-reloaded via fsnotify/v1/statusendpoint — diagnostic endpoint on the GCP mint returning configured orgs and rolesmintcore/— extracted common code into a shared Go module used by both mint implementationsTest plan
go test ./internal/mintcore/...— 28 tests (JWKS verifier, claims, GitHub API, patterns)go test ./internal/mint/...— 26 tests (GCP mint with JWKS verifier)go test ./internal/devmint/...— 22 tests (dev mint, hot reload, no /v1/pem)go test ./internal/dispatch/gcf/...— provisioner tests with mintcore bundlinggo test ./internal/cli/...— CLI tests with disk-based PEM storagefullsend mint dev→ tunnel →fullsend admin install→ triage agent runs successfully🤖 Generated with Claude Code