
feat(control): scope usage/logs/catalogview reads to caller-owned rows #361

Merged
aaliboyev merged 1 commit into main from feat/scoped-observability-reads on Jul 2, 2026

Conversation

@aaliboyev (Member)
Follow-up to #360, completing read-side scoping for the opt-in owner-scoped authorizer.

  • Usage and log events carry the sha256 hash of the inbound bearer, so scoped reads narrow to events attributed to relay-keys the caller owns: caller filters are forced/intersected against the owned hash set, an empty owned set short-circuits to an empty result (never an unfiltered query), and /logs/{request_id} returns 404 for foreign or unattributed records (gating the payload-body join too).
  • catalogview.Service gains an optional Visible predicate, wired per-request from the Authorizer: policy-rooted projections resolve invisible policies as not-found; /hosts/{ref}/keys and /models/{ref}/policies drop rows the caller may not see.
  • usage/logs join the authorizer's scoped-read kinds now that their handlers enforce row scoping (previously admin-only under the scoped authorizer).

No behavior change with the default authorizer — covered by regression tests (unfiltered queries, Visible=nil path).

Tested: unit coverage for the scope helpers and catalogview visibility, httptest coverage for the handlers (scoped-out short-circuit never touches the store; admin/single-user read unfiltered), full suite + lint-rules.

Usage and log events carry the sha256 hash of the inbound bearer, so a
scoping Authorizer narrows every usage/logs read to events attributed
to relay-keys the caller owns: filters are forced (or intersected) to
the owned hash set, an empty owned set short-circuits to an empty
result, and /logs/{request_id} returns 404 for foreign or unattributed
records. Admins and the single-user default authorizer read the whole
stream unchanged.

catalogview.Service gains an optional Visible predicate, wired from
the request's Authorizer: policy-rooted projections resolve invisible
policies as not-found, and /hosts/{ref}/keys and /models/{ref}/policies
drop rows the caller may not see.

usage/logs move into the authorizer's scoped-read set now that their
handlers enforce row scoping (previously admin-only under the scoped
authorizer). No behavior change for the single-user default.
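A worked example of the read-side scoping the description and commit message above lay out, added here as an editor's illustration; it is not code from this PR or from the repository. The `Scope`, `Store`, `ListLogs` and `GetLog` names, the map-based hash filter and the in-memory store are assumptions standing in for the project's real Authorizer, scope helpers and event store, which are not on this page. The block shows the three rules the PR enforces: a caller filter is forced or intersected against the owned hash set, an empty owned set (or a filter naming only foreign keys) short-circuits to an empty result without a store query, and a single-record read answers not-found for foreign or unattributed rows before any payload join.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Scope is a hypothetical stand-in for what the request's Authorizer yields: an
// unrestricted read (admin, or the single-user default) or the owned hash set.
type Scope struct {
	Unrestricted bool
	Owned        map[string]bool // hex sha256 of each relay-key the caller owns
}

// BearerHash is the attribution stored on usage/log rows: sha256 of the
// inbound bearer, hex-encoded. The raw bearer itself is never persisted.
func BearerHash(bearer string) string {
	sum := sha256.Sum256([]byte(bearer))
	return hex.EncodeToString(sum[:])
}

// ScopeHashes forces (no caller filter) or intersects (caller filter) the hash
// filter against the owned set. ok == false means scoped out: the handler must
// answer with an empty result and never query the store. nil + ok == unfiltered.
func ScopeHashes(s Scope, requested map[string]bool) (scoped map[string]bool, ok bool) {
	if s.Unrestricted {
		return requested, true // caller filter passes through; nil == whole stream
	}
	if len(s.Owned) == 0 {
		return nil, false // never widen an empty owned set into an unfiltered query
	}
	if len(requested) == 0 {
		return s.Owned, true // no caller filter: force it to the owned set
	}
	scoped = map[string]bool{}
	for h := range requested { // caller filter: keep only owned hashes
		if s.Owned[h] {
			scoped[h] = true
		}
	}
	if len(scoped) == 0 {
		return nil, false // caller asked only for keys it does not own
	}
	return scoped, true
}

// LogEvent is a constructed row; KeyHash == "" models an unattributed record.
type LogEvent struct{ RequestID, KeyHash string }

// Store is an in-memory stand-in; Queries counts store hits (scoped-out reads add none).
type Store struct {
	Events  []LogEvent
	Queries int
}

// ListLogs is the collection read (/logs; /usage has the same shape).
func ListLogs(st *Store, s Scope, requested map[string]bool) []LogEvent {
	scoped, ok := ScopeHashes(s, requested)
	if !ok {
		return []LogEvent{} // scoped out: empty result, store not consulted
	}
	st.Queries++
	out := []LogEvent{}
	for _, ev := range st.Events {
		if scoped == nil || scoped[ev.KeyHash] {
			out = append(out, ev)
		}
	}
	return out
}

// ErrNotFound models the 404 for foreign or unattributed records.
var ErrNotFound = errors.New("not found")

// GetLog is the single-record read (/logs/{request_id}): the ownership check runs
// before any payload-body join, so foreign and unattributed rows look missing.
func GetLog(st *Store, s Scope, requestID string) (LogEvent, error) {
	st.Queries++
	for _, ev := range st.Events {
		if ev.RequestID != requestID {
			continue
		}
		if !s.Unrestricted && (ev.KeyHash == "" || !s.Owned[ev.KeyHash]) {
			return LogEvent{}, ErrNotFound
		}
		return ev, nil
	}
	return LogEvent{}, ErrNotFound
}

func main() {
	a, c := BearerHash("relay-key-A"), BearerHash("relay-key-C") // constructed keys
	st := &Store{Events: []LogEvent{{"r1", a}, {"r2", c}, {"r3", ""}}}
	caller := Scope{Owned: map[string]bool{a: true}}
	fmt.Println(len(ListLogs(st, caller, nil))) // 1: only r1 is attributed to an owned key
}
```

The design point worth keeping from this shape is that "no owned keys" and "no caller filter" are handled as distinct cases: the former yields an empty result, the latter yields the owned set, and only an explicitly unrestricted scope can produce the nil filter that means an unfiltered query.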
@aaliboyev aaliboyev merged commit 98ea13d into main Jul 2, 2026
2 checks passed
@aaliboyev aaliboyev deleted the feat/scoped-observability-reads branch July 2, 2026 03:37
