
feat(catalog): enforce add-on admission gate + carry provisions_scopes #33

Open. piersdd wants to merge 1 commit into main from feat/add-on-provisions-scopes

piersdd commented Jun 27, 2026
CI fail-fast mirror of the registry add-on admission gate, so violations fail the catalog build before R2 upload.

What

  • build-catalog.js: assertAddOnAdmission() on add_on entries — first-party only, scopes within the reviewed allowlist, credential scopes a subset of the provisions_scopes envelope. Carries provisions_scopes through addOnToCatalogEntry into the served catalog.
  • catalog-entry schema: adds provisions_scopes.
  • Synced vendored add-on schema.

The allowlist mirrors the canonical gate in the registry worker.

Test

Verified live against throwaway add-on sources: a valid first-party add-on flows into the catalog with provisions_scopes; allowlist / third-party / subset violations each fail the build. Clean build = 70 entries.

🤖 Generated with Claude Code

Mirror the registry admission gate at catalog-build time so violations
fail CI before R2 upload. Add-on sources must be first-party, declare
scopes within the reviewed allowlist, and keep credential scopes a subset
of the provisions_scopes envelope.

- build-catalog.js: assertAddOnAdmission() on add_on entries; carry
  provisions_scopes through addOnToCatalogEntry into the served catalog.
- catalog-entry schema: add provisions_scopes.
- sync vendored add-on schema.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
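
A sketch of the three admission checks the description names (first-party only, scopes within the reviewed allowlist, credential scopes a subset of the `provisions_scopes` envelope), added here as an example and not taken from this repository's build-catalog.js. Only `add_on` and `provisions_scopes` come from the PR; the allowlist contents, the `kind`, `first_party` and `credentials` field names, both function names, and the choice to apply the allowlist to `provisions_scopes` are assumptions.

```javascript
// Assumed (hypothetical) allowlist and entry shape; only `add_on` and
// `provisions_scopes` are names taken from the PR description.
const REVIEWED_SCOPES = new Set(['mail:read', 'calendar:read', 'files:read']);

// Collects every violation instead of stopping at the first one, so a single
// CI run reports all problems with an entry.
function checkAddOnAdmission(entry) {
  const violations = [];
  if (entry.first_party !== true) {
    violations.push('not first-party');
  }
  // A missing or malformed envelope is treated as empty: fail closed.
  const envelope = Array.isArray(entry.provisions_scopes) ? entry.provisions_scopes : [];
  for (const scope of envelope) {
    if (!REVIEWED_SCOPES.has(scope)) {
      violations.push(`scope outside allowlist: ${scope}`);
    }
  }
  // Each credential may request only scopes the envelope already declares.
  const allowed = new Set(envelope);
  for (const cred of entry.credentials ?? []) {
    for (const scope of cred.scopes ?? []) {
      if (!allowed.has(scope)) {
        violations.push(`credential ${cred.name} exceeds envelope: ${scope}`);
      }
    }
  }
  return violations;
}

// Fail-fast wrapper for a build script: any violation aborts before upload.
function assertAdmissible(entries) {
  for (const entry of entries.filter((e) => e.kind === 'add_on')) {
    const violations = checkAddOnAdmission(entry);
    if (violations.length > 0) {
      throw new Error(`add-on ${entry.id} rejected: ${violations.join('; ')}`);
    }
  }
  return entries.length;
}

// Constructed sample entries (not real catalog data).
const SAMPLE_OK = { id: 'a', kind: 'add_on', first_party: true,
  provisions_scopes: ['mail:read'], credentials: [{ name: 'k', scopes: ['mail:read'] }] };
const SAMPLE_WIDE = { ...SAMPLE_OK, id: 'b',
  credentials: [{ name: 'k', scopes: ['mail:read', 'files:read'] }] };
```

Because a missing envelope counts as empty, an add-on that declares credential scopes but omits `provisions_scopes` is rejected rather than admitted.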