feat: advanced enterprise features (fn-26-30) #34
Merged
Conversation
…egation
- Add ActorClaim struct and act/spiffe_id fields to OidcClaims
- Add exchange_token() method for RFC 8693 token exchange flow
- Add POST /token/exchange endpoint (form-encoded)
- Add max_delegation_depth config with default of 5
- Add decoding_key() to KeyManager for self-verification
- Add UnsupportedGrantType, InvalidGrant, DelegationDepthExceeded errors
- Wire act claim population in standard exchange() path
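The nested act claim and depth limit described in the commit above, as an added example that is not code from this PR or from the auths project. It assumes the RFC 8693 section 4.1 nesting rule (the actor token's subject becomes the outermost act, the subject token's existing act chain is nested inside it) and that depth is checked before the new token is signed; the names ActorClaim, exchange_act, delegation_depth and simulate_chain are this example's own.

```rust
use std::fmt;

/// RFC 8693 "act" claim. The outermost entry is the party currently acting;
/// each nested `act` is the party it is, in turn, acting on behalf of.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ActorClaim {
    pub sub: String,
    pub act: Option<Box<ActorClaim>>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExchangeError {
    DelegationDepthExceeded { depth: usize, max: usize },
}

impl fmt::Display for ExchangeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ExchangeError::DelegationDepthExceeded { depth, max } => {
                write!(f, "delegation depth {} exceeds configured maximum {}", depth, max)
            }
        }
    }
}

/// Number of delegation hops recorded in an act chain (0 when the token has no act claim).
pub fn delegation_depth(act: Option<&ActorClaim>) -> usize {
    let mut depth = 0;
    let mut cur = act;
    while let Some(a) = cur {
        depth += 1;
        cur = a.act.as_deref();
    }
    depth
}

/// Build the act claim for the token minted by one exchange: `actor_sub` (from the
/// actor_token) wraps the subject_token's existing chain. The depth check runs on the
/// would-be chain, so an over-long chain is rejected before anything is signed.
pub fn exchange_act(
    actor_sub: &str,
    subject_act: Option<&ActorClaim>,
    max_depth: usize,
) -> Result<ActorClaim, ExchangeError> {
    let new = ActorClaim {
        sub: actor_sub.to_owned(),
        act: subject_act.cloned().map(Box::new),
    };
    let depth = delegation_depth(Some(&new));
    if depth > max_depth {
        return Err(ExchangeError::DelegationDepthExceeded { depth, max: max_depth });
    }
    Ok(new)
}

/// Minimal JSON escaping for the claim values; assumption: only `"` and `\` need escaping
/// in the subjects used here (a real implementation would use serde_json).
fn json_str(s: &str) -> String {
    s.replace('\\', "\\\\").replace('"', "\\\"")
}

/// Render the claim as the JSON object that would be embedded in the exchanged token.
pub fn act_json(a: &ActorClaim) -> String {
    match &a.act {
        Some(inner) => format!(r#"{{"sub":"{}","act":{}}}"#, json_str(&a.sub), act_json(inner)),
        None => format!(r#"{{"sub":"{}"}}"#, json_str(&a.sub)),
    }
}

/// Walk a call path service by service, each hop performing one exchange on the
/// token it received. Returns the final act chain, or the first depth violation.
pub fn simulate_chain(
    services: &[&str],
    max_depth: usize,
) -> Result<Option<ActorClaim>, ExchangeError> {
    let mut act: Option<ActorClaim> = None;
    for svc in services {
        act = Some(exchange_act(svc, act.as_ref(), max_depth)?);
    }
    Ok(act)
}

fn main() {
    // Constructed call path: gateway -> a -> b -> c -> d -> e, with the default max of 5.
    match simulate_chain(&["gw", "a", "b", "c", "d", "e"], 5) {
        Ok(Some(chain)) => println!("act = {}", act_json(&chain)),
        Ok(None) => println!("no delegation"),
        Err(e) => println!("rejected: {}", e),
    }
}
```

The check is on the chain the new token would carry, not on the incoming token, so a caller at exactly max_depth cannot mint one more hop; counting only the incoming chain would let every holder extend the path by one.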
- Wire init_telemetry_with_sink + graceful shutdown in MCP server main.rs
- Emit audit events in handle_tool_call for success, denied, and unknown tools
- Emit audit events in jwt_auth_middleware on auth failures
- Update telemetry schema with mcp:* action values
- Replace SDK local EventSink trait with re-export from auths-telemetry
- Add emit_audit() convenience helper in auths-sdk audit module
- Add spiffe feature flag with x509-parser dependency
- Implement spiffe.rs: TrustBundle parsing, SVID verification, SPIFFE ID extraction
- Extend ExchangeRequest with svid_pem field (feature-gated)
- Extend BridgeConfig with trust bundle path and allowed trust domains
- Cache parsed trust bundle in BridgeState
- Integrate SPIFFE verification into issuer.exchange() flow
- Add SpiffeError and SpiffeTrustDomainNotAllowed error variants
- Wire SPIFFE result through routes.rs token exchange handler
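The SPIFFE ID extraction and allowed-trust-domain check from the commit above, as an added example that is not code from this PR or from the auths project. It covers only the step after chain verification: the URI SAN has already been pulled from an SVID whose signature chains to the trust bundle. The validation rules follow the SPIFFE ID specification (scheme spiffe, trust domain of lowercase letters, digits, '.', '-', '_' with no port or userinfo, path segments of alphanumerics, '.', '-', '_' with no empty or dot segments, 2048-byte limit); the names parse_spiffe_id, check_trust_domain and authorize_svid_uri are this example's own.

```rust
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SpiffeId {
    pub trust_domain: String,
    /// Path including its leading '/', or empty for a bare trust-domain ID.
    pub path: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SpiffeError {
    TooLong,
    BadScheme,
    EmptyTrustDomain,
    BadTrustDomainChar(char),
    BadPath(&'static str),
    TrustDomainNotAllowed(String),
}

const MAX_SPIFFE_ID_LEN: usize = 2048;

fn trust_domain_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

fn path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Strict parse of a SPIFFE ID. Anything the spec forbids (uppercase, ':' port,
/// '@' userinfo, '?' or '#', percent-encoding, '.'/'..' or empty path segments)
/// is rejected rather than normalised, so a trust-domain comparison downstream
/// can be an exact byte match.
pub fn parse_spiffe_id(uri: &str) -> Result<SpiffeId, SpiffeError> {
    if uri.len() > MAX_SPIFFE_ID_LEN {
        return Err(SpiffeError::TooLong);
    }
    // Scheme is matched case-sensitively; "SPIFFE://" is not accepted.
    let rest = uri.strip_prefix("spiffe://").ok_or(SpiffeError::BadScheme)?;
    let (td, path) = match rest.find('/') {
        Some(i) => rest.split_at(i),
        None => (rest, ""),
    };
    if td.is_empty() {
        return Err(SpiffeError::EmptyTrustDomain);
    }
    if let Some(c) = td.chars().find(|c| !trust_domain_char(*c)) {
        return Err(SpiffeError::BadTrustDomainChar(c));
    }
    if !path.is_empty() {
        // path[0] is the '/' found above; every segment after it must be non-empty.
        for seg in path[1..].split('/') {
            if seg.is_empty() {
                return Err(SpiffeError::BadPath("empty segment"));
            }
            if seg == "." || seg == ".." {
                return Err(SpiffeError::BadPath("dot segment"));
            }
            if !seg.chars().all(path_char) {
                return Err(SpiffeError::BadPath("invalid character"));
            }
        }
    }
    Ok(SpiffeId { trust_domain: td.to_owned(), path: path.to_owned() })
}

/// Exact-match allowlist; `allowed` stands in for the BridgeConfig allowed trust domains.
pub fn check_trust_domain(id: &SpiffeId, allowed: &[&str]) -> Result<(), SpiffeError> {
    if allowed.iter().any(|d| *d == id.trust_domain) {
        Ok(())
    } else {
        Err(SpiffeError::TrustDomainNotAllowed(id.trust_domain.clone()))
    }
}

/// The gate the exchange handler would apply to the URI SAN of an already-verified SVID.
pub fn authorize_svid_uri(uri: &str, allowed: &[&str]) -> Result<SpiffeId, SpiffeError> {
    let id = parse_spiffe_id(uri)?;
    check_trust_domain(&id, allowed)?;
    Ok(id)
}

fn main() {
    // Constructed inputs: one in-domain workload and one from a foreign trust domain.
    let allowed = ["example.org"];
    for uri in ["spiffe://example.org/ns/default/sa/api", "spiffe://evil.example/ns/default/sa/api"] {
        println!("{} -> {:?}", uri, authorize_svid_uri(uri, &allowed));
    }
}
```

Rejecting rather than normalising matters because the allowlist is compared against whatever the parser returns: a parser that lowercased or stripped a port would let "spiffe://Example.org" or "spiffe://example.org:443" pass a check written for "example.org".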
Add RequiresApproval outcome to the four-valued policy engine, ApprovalGate expression with compile-time validation, scoped request hashing (identity/scoped/full), and approval attestation checking during evaluation.
- Extend Outcome enum with RequiresApproval (propagated through evaluate_strict)
- Add ApprovalGate expr/compiled/eval with And/Or/Not combinator semantics
- Add ApprovalAttestation type and compute_request_hash (blake3)
- Add ApprovalScope enum controlling hash binding granularity
- Add git-ref storage for approval requests (pending/consumed)
- Add ApprovalError to SDK, build_approval_attestation workflow
- Add CLI approval list/grant subcommands
- Update all external Outcome match sites (policy_diff, radicle, CLI)
- Add 21 integration tests covering all approval gate behavior
- Add E2E tests for CLI approval commands
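The approval-gate evaluation described in the commit above, as an added example that is not code from this PR or from the auths project. Everything beyond the names the commit mentions is an assumption: the Outcome variants other than RequiresApproval, the ApprovalGate leaf being an approver role, the precedence used by evaluate_strict (Deny, then RequiresApproval, then Allow), and the binding rules for each ApprovalScope (Identity binds the subject only; Scoped adds action and resource; Full adds the request body). The hash is FNV-1a, standing in for the blake3 the commit names so the example stays std-only; it is not collision-resistant and would not be used for a real attestation.

```rust
/// Assumed four values; the commit only says RequiresApproval was added to the set.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Outcome { Allow, Deny, RequiresApproval, NotApplicable }

/// How much of the request an approval is bound to.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ApprovalScope { Identity, Scoped, Full }

#[derive(Debug, Clone)]
pub struct Request {
    pub subject: String,
    pub action: String,
    pub resource: String,
    pub body: Vec<u8>,
}

/// Canonical bytes an approval binds to, chosen by scope. Each field is
/// length-prefixed so ("ab","c") and ("a","bc") cannot hash alike.
pub fn canonical_binding(req: &Request, scope: ApprovalScope) -> Vec<u8> {
    let mut out = Vec::new();
    let mut push = |field: &[u8]| {
        out.extend_from_slice(&(field.len() as u32).to_be_bytes());
        out.extend_from_slice(field);
    };
    push(req.subject.as_bytes());
    if matches!(scope, ApprovalScope::Scoped | ApprovalScope::Full) {
        push(req.action.as_bytes());
        push(req.resource.as_bytes());
    }
    if scope == ApprovalScope::Full {
        push(&req.body);
    }
    out
}

/// FNV-1a 64-bit: a stand-in for blake3 in this example only (assumption; not a secure hash).
pub fn compute_request_hash(req: &Request, scope: ApprovalScope) -> u64 {
    canonical_binding(req, scope)
        .iter()
        .fold(0xcbf29ce484222325u64, |h, b| (h ^ (*b as u64)).wrapping_mul(0x100000001b3))
}

/// An approval already granted (signature verification assumed to have happened upstream).
#[derive(Debug, Clone)]
pub struct ApprovalAttestation {
    pub approver_role: String,
    pub scope: ApprovalScope,
    pub request_hash: u64,
}

#[derive(Debug, Clone)]
pub enum ApprovalGate {
    Role(String),
    And(Box<ApprovalGate>, Box<ApprovalGate>),
    Or(Box<ApprovalGate>, Box<ApprovalGate>),
    Not(Box<ApprovalGate>),
}

#[derive(Debug, PartialEq, Eq)]
pub enum GateError { UnknownRole(String) }

pub struct CompiledGate(ApprovalGate);

/// Validate every leaf against the known roles at policy-load time, so a typo in a
/// gate fails compilation instead of silently never being satisfiable at runtime.
pub fn compile(gate: &ApprovalGate, known_roles: &[&str]) -> Result<CompiledGate, GateError> {
    fn check(g: &ApprovalGate, known: &[&str]) -> Result<(), GateError> {
        match g {
            ApprovalGate::Role(r) => {
                if known.contains(&r.as_str()) { Ok(()) } else { Err(GateError::UnknownRole(r.clone())) }
            }
            ApprovalGate::And(a, b) | ApprovalGate::Or(a, b) => { check(a, known)?; check(b, known) }
            ApprovalGate::Not(a) => check(a, known),
        }
    }
    check(gate, known_roles).map(|_| CompiledGate(gate.clone()))
}

impl CompiledGate {
    /// A leaf holds only if some attestation from that role hashes to the same
    /// binding at the attestation's own scope; a Full-scope approval therefore
    /// stops matching as soon as the body changes.
    fn satisfied(g: &ApprovalGate, req: &Request, atts: &[ApprovalAttestation]) -> bool {
        match g {
            ApprovalGate::Role(r) => atts.iter().any(|att| {
                att.approver_role == *r && att.request_hash == compute_request_hash(req, att.scope)
            }),
            ApprovalGate::And(a, b) => Self::satisfied(a, req, atts) && Self::satisfied(b, req, atts),
            ApprovalGate::Or(a, b) => Self::satisfied(a, req, atts) || Self::satisfied(b, req, atts),
            ApprovalGate::Not(a) => !Self::satisfied(a, req, atts),
        }
    }

    pub fn evaluate(&self, req: &Request, atts: &[ApprovalAttestation]) -> Outcome {
        if Self::satisfied(&self.0, req, atts) { Outcome::Allow } else { Outcome::RequiresApproval }
    }
}

/// Assumed strict combination across rules: any Deny wins, then any RequiresApproval,
/// then Allow; nothing applicable yields NotApplicable.
pub fn evaluate_strict(outcomes: &[Outcome]) -> Outcome {
    if outcomes.contains(&Outcome::Deny) { Outcome::Deny }
    else if outcomes.contains(&Outcome::RequiresApproval) { Outcome::RequiresApproval }
    else if outcomes.contains(&Outcome::Allow) { Outcome::Allow }
    else { Outcome::NotApplicable }
}
```

The scope choice is the security decision: an Identity-scoped approval is a standing grant for that subject, while a Full-scoped one is single-use in practice because any change to the body invalidates it. Not is included because the commit lists it, but a gate that is satisfied by the absence of an approval should be treated with suspicion in review.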
- auths-scim crate: protocol types, filter parser, patch ops, mappings
- auths-scim-server: axum server with deadpool-postgres, bearer auth, CRUD handlers
- CLI integration: auths scim serve/quickstart/test-connection/tenants commands
- Integration tests: discovery endpoints and protocol auth enforcement
- Add auths-jwt crate with shared OidcClaims, ActorClaim, WitnessQuorumClaim types
- Replace auths-oidc-bridge dep in auths-mcp-server with auths-jwt
- Remove auths-oidc-bridge from public repo (now lives in auths-cloud)
- Update deny.toml and release script batches
GITHUB_ENV only sets env vars for subsequent steps. The softhsm2-util call in the same step needs the var exported inline to find the custom config file.
When Pkcs11KeyRef and Pkcs11Signer are both created in the same process, the second C_Initialize call fails because the library is already initialized. Per PKCS#11 spec, CKR_CRYPTOKI_ALREADY_INITIALIZED is safe to ignore — the library remains usable.
batch_append_events() acquired an AdvisoryLock then called create_commit() which acquired a second lock on the same file via a new file descriptor. Since flock locks are per open-file-description, the second lock_exclusive() blocked forever waiting for the first. Split create_commit into a locked wrapper and create_commit_unlocked inner function. batch_append_events calls the unlocked variant since it already holds the lock. Also fix batch_cas_failure_returns_clear_error test which assumed batch would always lose the race (it was deadlocked before, so writer1 always won). Now both writers can compete fairly and either may get ConcurrentModification.
Summary
- … OidcClaims, ActorClaim, WitnessQuorumClaim) from auths-oidc-bridge, enabling independent publishing to crates.io
- … auths-cloud)
- … auths-oidc-bridge path dep to auths-jwt workspace dep
Test plan
- cargo nextest run --workspace — all 1218 tests pass
- cargo clippy --all-targets --all-features -- -D warnings — clean
- cargo deny check — licenses, bans, advisories, sources all ok
- auths-cloud workspace compiles and e2e tests pass with auths-jwt dep