feat(m7.3): scheduler pulls tenants from registry, env as fallback #96

Open

sharang wants to merge 1 commits from feat/m7.3-scheduler-tenant-registry-v2 into feat/m7.3-admin-endpoints

pull from: feat/m7.3-scheduler-tenant-registry-v2

merge into: sharang:feat/m7.3-admin-endpoints

sharang:main

sharang:feat/m7.3-admin-endpoints

sharang:feat/m7.3-mcp-tokens-ui

sharang:fix/remove-stale-api-webhook-routes

sharang:feat/m7.3-mcp-tenant-tokens

sharang:feat/dashboard-token-refresh

sharang:fix/dashboard-bearer-token

sharang:feat/m7.1-agent-wire

sharang:fix/m7.1-jwks-refresh

sharang:feat/m7.1-smoke-harness

sharang:feat/m7.1-tenant-claims

sharang:feat/light-mode-theme-toggle

sharang:fix/embedding-build-progress

sharang:fix/cve-scan-http-timeout

sharang:fix/scan-resource-limits-and-script-error

sharang:fix/multiple-issues

sharang:feat/cve-alerts

sharang:feat/e2e-tests

sharang:feat/help-chat-widget

sharang:fix/cascade-delete-repo

sharang:feat/refine-llm-prompts

sharang:fix/gitea-pr-review-error-handling

sharang:test/dummy-bad-code

sharang:fix/remove-code-review-from-findings

sharang:feat/pentest-onboarding

Conversation 0 Commits 1 Files Changed 1

+191 -11

sharang commented 2026-06-18 11:07:35 +00:00

Owner

Copy Link

Copy Source

Summary

Replaces the M7.2-C static SCHEDULER_TENANT_IDS env enumeration with a live query to the tenant-registry at every tick. New tenants get picked up without an agent restart; the env stays as a fallback so the scheduler is never silenced by a registry outage.

Stacked on #95 (admin endpoints) since that PR added tenant_registry_url to AgentConfig. Once #95 lands this auto-retargets to main.

Resolution order

1. agent.config.tenant_registry_url → GET <url>/v1/tenants
   • 5s timeout (kept short — we'd rather fall back than block the tick)
   • Frozen and Archived tenants filtered out (the M7.1 status gate would 402/410 them anyway)
   • Accepts either {"id":"..."} or {"tenant_id":"..."} for forward compatibility with whatever shape the registry settles on
2. SCHEDULER_TENANT_IDS env (comma-separated) — fallback when the registry URL is unset OR the fetch fails OR the parsed response is empty. Each failure mode logs a warn with the url so operators see the problem.
3. DEFAULT_SCHEDULER_TENANT_ID ("dev") — last-ditch fallback so a bare cargo run against a clean Mongo still scans the dev tenant.

Why fresh on every tick

Tick frequency is every few hours (default scan_schedule = "0 0 */6 * * *"). The registry call happens at most 4 times a day per agent — cheap. Caching introduces a staleness window for newly provisioned tenants, and the whole point of registry integration is to pick them up fast.

Startup log

Includes tenant source=tenant-registry or env so operators can tell at a glance which mode the scheduler is in.

Test plan

• cargo fmt --all -- --check clean
• cargo clippy -p compliance-agent -- -D warnings clean
• cargo test -p compliance-agent --lib — 232 pass (+3 new):
  • filter_active_keeps_running_skips_frozen_archived
  • deserialize_registry_response_accepts_id_or_tenant_id
  • tenants_from_env_resolution (single test covering unset → default, csv → splits, "" → default — collapsed to one to avoid env-var test races)

Production

• Set TENANT_REGISTRY_URL in orca-infra alongside KEYCLOAK_URL when the registry is ready. Until then, the scheduler keeps using SCHEDULER_TENANT_IDS — no operator action needed.
• Future M7.4 cleanup: once tenant-registry adoption is universal, delete SCHEDULER_TENANT_IDS env support entirely.

🤖 Generated with Claude Code

## Summary Replaces the M7.2-C static `SCHEDULER_TENANT_IDS` env enumeration with a live query to the tenant-registry at every tick. New tenants get picked up without an agent restart; the env stays as a fallback so the scheduler is never silenced by a registry outage. **Stacked on #95 (admin endpoints)** since that PR added `tenant_registry_url` to `AgentConfig`. Once #95 lands this auto-retargets to main. ## Resolution order 1. **`agent.config.tenant_registry_url`** → `GET <url>/v1/tenants` - 5s timeout (kept short — we'd rather fall back than block the tick) - Frozen and Archived tenants filtered out (the M7.1 status gate would 402/410 them anyway) - Accepts either `{"id":"..."}` or `{"tenant_id":"..."}` for forward compatibility with whatever shape the registry settles on 2. **`SCHEDULER_TENANT_IDS`** env (comma-separated) — fallback when the registry URL is unset OR the fetch fails OR the parsed response is empty. Each failure mode logs a `warn` with the url so operators see the problem. 3. **`DEFAULT_SCHEDULER_TENANT_ID`** (`"dev"`) — last-ditch fallback so a bare `cargo run` against a clean Mongo still scans the dev tenant. ## Why fresh on every tick Tick frequency is every few hours (default `scan_schedule = "0 0 */6 * * *"`). The registry call happens at most 4 times a day per agent — cheap. Caching introduces a staleness window for newly provisioned tenants, and the whole point of registry integration is to pick them up fast. ## Startup log Includes `tenant source=tenant-registry` or `env` so operators can tell at a glance which mode the scheduler is in. ## Test plan - [x] `cargo fmt --all -- --check` clean - [x] `cargo clippy -p compliance-agent -- -D warnings` clean - [x] `cargo test -p compliance-agent --lib` — **232 pass** (+3 new): - `filter_active_keeps_running_skips_frozen_archived` - `deserialize_registry_response_accepts_id_or_tenant_id` - `tenants_from_env_resolution` (single test covering unset → default, csv → splits, `""` → default — collapsed to one to avoid env-var test races) ## Production - Set `TENANT_REGISTRY_URL` in orca-infra alongside `KEYCLOAK_URL` when the registry is ready. Until then, the scheduler keeps using `SCHEDULER_TENANT_IDS` — no operator action needed. - **Future M7.4 cleanup**: once tenant-registry adoption is universal, delete `SCHEDULER_TENANT_IDS` env support entirely. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

sharang added 1 commit 2026-06-18 11:07:39 +00:00

feat(m7.3): scheduler pulls tenants from registry, env as fallback ... 608611423b

Replaces the M7.2-C static `SCHEDULER_TENANT_IDS` env enumeration with
a live query to the tenant-registry at every tick. New tenants get
picked up without an agent restart; the env stays as the fallback
when the registry is unreachable so the scheduler is never silenced
by a registry outage.

Resolution order
1. agent.config.tenant_registry_url → GET <url>/v1/tenants
   - 5s timeout (kept short — we'd rather fall back than block the
     tick)
   - Frozen and Archived tenants filtered out (the M7.1 status gate
     would 402/410 them anyway, no point scanning their repos)
   - Accepts either {"id"} or {"tenant_id"} for forward compatibility
     with whatever shape the registry settles on
2. SCHEDULER_TENANT_IDS env (comma-separated) — fallback when the
   registry URL is unset OR the fetch fails OR the parsed response is
   empty. Each failure mode logs a warn with the url so operators see
   the problem.
3. DEFAULT_SCHEDULER_TENANT_ID ("dev") — last-ditch fallback so a
   bare `cargo run` against a clean Mongo still scans the dev tenant.

Why each tick instead of caching
- Tick frequency is every few hours (scan_schedule default
  "0 0 */6 * * *"). The registry call is at most 4 times a day per
  agent — cheap.
- Caching introduces a staleness window for newly provisioned
  tenants. The whole point of registry integration is to pick them
  up fast.

Startup log
- Includes "tenant source=tenant-registry" or "env" so operators can
  tell at a glance which mode the scheduler is in.

Test plan
- cargo fmt --all clean
- cargo clippy -p compliance-agent -- -D warnings clean
- cargo test -p compliance-agent --lib — 232 pass (+3 new):
    * filter_active_keeps_running_skips_frozen_archived
    * deserialize_registry_response_accepts_id_or_tenant_id (covers
      the {"id"|"tenant_id"} alias)
    * tenants_from_env_resolution (single test covering unset →
      default, csv → splits, "" → default — collapsed to one to
      avoid env-var test races)

Production
- Set TENANT_REGISTRY_URL in orca-infra alongside KEYCLOAK_URL when
  the registry is ready to serve. Until then, scheduler keeps using
  SCHEDULER_TENANT_IDS — no operator action needed.
- Future M7.4 cleanup: once tenant-registry adoption is universal,
  delete SCHEDULER_TENANT_IDS env support entirely.

Stacked on #95 (admin endpoints) since that PR added
tenant_registry_url to AgentConfig. Once #95 lands this auto-
retargets to main.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Some checks are pending

Hide all checks

CI / Check (pull_request) Successful in 8m8s

Details

CI / Detect Changes (pull_request) Has been skipped

Details

CI / Deploy Agent (pull_request) Has been skipped

Details

CI / Deploy Dashboard (pull_request) Has been skipped

Details

CI / Deploy Docs (pull_request) Has been skipped

Details

CI / Deploy MCP (pull_request) Has been skipped

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin feat/m7.3-scheduler-tenant-registry-v2:feat/m7.3-scheduler-tenant-registry-v2

git checkout feat/m7.3-scheduler-tenant-registry-v2

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

critical

enhancement

high

infrastructure

performance

security

v0.3.0

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Benjamin_Boenisch sharang (Sharang Parnerkar)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sharang/compliance-scanner-agent#96