feat(#3300): agent lifecycle routes with permission integration#3539
Conversation
Implement agent CRUD routes with 4-stage lifecycle (Draft → Pending → Published → Archived) and fine-grained permission integration via authorizeLifecycleAction. Changes: - boost-common: Add LifecycleStage type and AgentRecord interface for agent governance state - boost-backend: Add AgentLifecycleStore (DB-backed) for persisting agent governance records - boost-backend: Add lifecycle transition validation (isValidTransition, isDeletableStage) - boost-backend: Add agent routes with permission gating: - GET /agents (boost.agent.list) - PUT /agents/:id/register (boost.agent.register) - PUT /agents/:id/promote (boost.agent.promote) - PUT /agents/:id/approve (boost.agent.approve) - PUT /agents/:id/request-unpublish (boost.agent.unpublish) - PUT /agents/:id/withdraw (boost.agent.withdraw) - DELETE /agents/:id (boost.agent.delete) - Each route uses authorizeLifecycleAction middleware with admin fallback pattern - Cascading delete documented: store removes governance record; source-specific cleanup is caller responsibility - 34 new tests covering lifecycle transitions, route handlers, and permission integration Closes #3300
Missing ChangesetsThe following package(s) are changed by this PR but do not have a changeset:
See CONTRIBUTING.md for more information about how to add changesets. Changed Packages
|
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #3539 +/- ##
==========================================
+ Coverage 53.71% 53.72% +0.01%
==========================================
Files 2264 2267 +3
Lines 86227 86435 +208
Branches 24233 24271 +38
==========================================
+ Hits 46319 46441 +122
- Misses 39609 39699 +90
+ Partials 299 295 -4
*This pull request uses carry forward flags. Click here to find out more. Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
|
🤖 Finished Review · ✅ Success · Started 1:57 AM UTC · Completed 2:09 AM UTC |
ReviewFindingsMedium
Low
Info
Previous runReviewFindingsMedium
Low
Info
|
- Widen authorizeLifecycleAction parameter from BasicPermission to Permission to support resource-scoped permissions (promote, approve, unpublish, withdraw, delete) - Add resource ref extraction from req.params.id for resource-scoped permission checks in the authorization middleware - Add agent ID validation (AGENT_ID_PATTERN) on all :id routes to prevent path traversal and invalid identifiers - Change duplicate agent registration from InputError to ConflictError (409) with DB-level PK violation handling in AgentLifecycleStore - Reject registration when user identity cannot be resolved instead of falling back to user:default/unknown - Check updateStage() return value in all transition routes to detect concurrent deletion during transitions - Add TSDoc to public interface members to fix API report warnings - Fix unresolved @link reference in AgentLifecycleStore - Add tests for invalid agent ID, missing user identity, and concurrent deletion during transition - Regenerate API reports Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: gabemontero <gmontero@redhat.com>
|
🤖 Finished Review · ✅ Success · Started 2:58 AM UTC · Completed 3:09 AM UTC |
|


Implement agent CRUD routes with 4-stage lifecycle (Draft → Pending → Published → Archived) and fine-grained permission integration via authorizeLifecycleAction.
Changes:
interface for agent governance state
persisting agent governance records
(isValidTransition, isDeletableStage)
admin fallback pattern
record; source-specific cleanup is caller responsibility
handlers, and permission integration
Closes #3300
Post-script verification
agent/3300-agent-lifecycle-routes)112eb2235f21cd45946c662381ea473c0fbb59c1..HEAD)