feat(m7.1): wire compliance-agent to compliance-core auth + status gate #85

Merged

sharang merged 1 commits from feat/m7.1-agent-wire into main

2026-06-17 09:36:52 +00:00

Author	SHA1	Message	Date
Sharang Parnerkar	324b137862	feat(m7.1): wire compliance-agent to compliance-core auth + status gate CI / Check (pull_request) Successful in 8m14s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Supersedes #82. Deletes the inline JWT middleware in compliance-agent (now stale — missing JWKS refresh from #84 and tenant extraction from #83) and imports require_jwt_auth, require_tenant_status, JwksState from compliance_core::auth. Wires the status gate into the server's layer stack: Extension(jwks_state) → require_jwt_auth → require_tenant_status → handler. Adds the integration test from #82, retargeted to compliance_core::auth::require_tenant_status. Test plan - cargo fmt --all clean - cargo clippy --workspace --exclude compliance-dashboard -- -D warnings clean (matches baseline) - cargo test -p compliance-core --lib — 7 tests pass - cargo test -p compliance-agent --lib — 228 tests pass - cargo test -p compliance-agent --test tenant_status_middleware — 6 tests pass - scripts/smoke.sh against live certifai KC — 15/15 cells pass (anon, bogus, active×2, trial, frozen, archived × {GET/health, GET/echo, POST/echo}) Caveats - M7.1 only — status gate + claim extraction. Per-collection tenant_id scoping (M7.2) still pending; agent will still serve any Active/Trial tenant's data to any caller until the ~38 query call-sites use compliance_core::db::tenant_filter. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 11:07:56 +02:00

Author

SHA1

Message

Date

Sharang Parnerkar

324b137862

feat(m7.1): wire compliance-agent to compliance-core auth + status gate

CI / Check (pull_request) Successful in 8m14s

Details

CI / Detect Changes (pull_request) Has been skipped

Details

CI / Deploy Agent (pull_request) Has been skipped

Details

CI / Deploy Dashboard (pull_request) Has been skipped

Details

CI / Deploy Docs (pull_request) Has been skipped

Details

CI / Deploy MCP (pull_request) Has been skipped

Details

Supersedes #82.

Deletes the inline JWT middleware in compliance-agent (now stale —
missing JWKS refresh from #84 and tenant extraction from #83) and
imports require_jwt_auth, require_tenant_status, JwksState from
compliance_core::auth. Wires the status gate into the server's layer
stack: Extension(jwks_state) → require_jwt_auth → require_tenant_status
→ handler.

Adds the integration test from #82, retargeted to
compliance_core::auth::require_tenant_status.

Test plan
- cargo fmt --all clean
- cargo clippy --workspace --exclude compliance-dashboard -- -D warnings
  clean (matches baseline)
- cargo test -p compliance-core --lib — 7 tests pass
- cargo test -p compliance-agent --lib — 228 tests pass
- cargo test -p compliance-agent --test tenant_status_middleware —
  6 tests pass
- scripts/smoke.sh against live certifai KC — 15/15 cells pass
  (anon, bogus, active×2, trial, frozen, archived × {GET/health,
  GET/echo, POST/echo})

Caveats
- M7.1 only — status gate + claim extraction. Per-collection
  tenant_id scoping (M7.2) still pending; agent will still serve any
  Active/Trial tenant's data to any caller until the ~38 query
  call-sites use compliance_core::db::tenant_filter.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-17 11:07:56 +02:00

feat(m7.1): wire compliance-agent to compliance-core auth + status gate #85

1 Commits