feat(catalog): enforce add-on admission gate + carry provisions_scopes #33
Open
piersdd wants to merge 1 commit into
Mirror the registry admission gate at catalog-build time so violations fail CI before R2 upload. Add-on sources must be first-party, declare scopes within the reviewed allowlist, and keep credential scopes a subset of the provisions_scopes envelope.

- build-catalog.js: assertAddOnAdmission() on add_on entries; carry provisions_scopes through addOnToCatalogEntry into the served catalog.
- catalog-entry schema: add provisions_scopes.
- sync vendored add-on schema.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CI fail-fast mirror of the registry add-on admission gate, so violations fail the catalog build before R2 upload.
What
build-catalog.js: assertAddOnAdmission() on add_on entries — first-party only, scopes within the reviewed allowlist, credential scopes a subset of the provisions_scopes envelope. Carries provisions_scopes through addOnToCatalogEntry into the served catalog.
provisions_scopes.
The allowlist mirrors the canonical gate in the registry worker.
Test
Verified live against throwaway add-on sources: a valid first-party add-on flows into the catalog with provisions_scopes; allowlist / third-party / subset violations each fail the build. Clean build = 70 entries.

🤖 Generated with Claude Code
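The three checks named in the description (first-party source, scopes within an allowlist, credential scopes a subset of provisions_scopes) can be sketched as a fail-closed build step. This is an added example, not the PR's code: the function names, the fields `source_owner`, `credentials`, `kind` and `id`, and all owner and scope values are assumptions; only `provisions_scopes` and `add_on` come from the page.

```javascript
// Added illustration, not the project's build-catalog.js. Every field name
// except provisions_scopes, and every value below, is an assumption.
const FIRST_PARTY_OWNERS = new Set(["example-org"]);
const SCOPE_ALLOWLIST = new Set(["mail:read", "mail:send", "calendar:read"]);

// Returns the list of violations for one add-on entry; empty means admitted.
function admissionViolations(entry) {
  const out = [];
  if (!FIRST_PARTY_OWNERS.has(entry.source_owner)) {
    out.push(`source owner ${JSON.stringify(entry.source_owner)} is not first-party`);
  }
  // Fail closed: a missing or malformed envelope is a violation, not "no scopes".
  if (!Array.isArray(entry.provisions_scopes)) return [...out, "provisions_scopes must be an array"];
  const envelope = new Set(entry.provisions_scopes);
  for (const scope of envelope) {
    if (!SCOPE_ALLOWLIST.has(scope)) out.push(`scope ${JSON.stringify(scope)} is outside the allowlist`);
  }
  // Credential scopes must be a subset of the declared envelope.
  for (const cred of entry.credentials ?? []) {
    for (const scope of cred.scopes ?? []) {
      if (!envelope.has(scope)) out.push(`credential ${cred.name}: scope ${JSON.stringify(scope)} not in provisions_scopes`);
    }
  }
  return out;
}

// Throws with every violation listed, so one CI run reports all offenders.
function assertAdmitted(entries) {
  const failed = entries
    .filter((e) => e.kind === "add_on")
    .map((e) => ({ id: e.id, violations: admissionViolations(e) }))
    .filter((f) => f.violations.length > 0);
  if (failed.length > 0) {
    const lines = failed.map((f) => `${f.id}: ${f.violations.join("; ")}`);
    throw new Error(`add-on admission failed:\n${lines.join("\n")}`);
  }
  return entries;
}

// Constructed sample entries: one valid, one per violation class, one non-add-on.
const ok = { id: "ok", kind: "add_on", source_owner: "example-org",
  provisions_scopes: ["mail:read", "mail:send"], credentials: [{ name: "smtp", scopes: ["mail:send"] }] };
const SAMPLE_ENTRIES = [
  ok,
  { ...ok, id: "third-party", source_owner: "someone-else" },
  { ...ok, id: "wide", provisions_scopes: ["mail:send", "admin:all"] },
  { ...ok, id: "escape", provisions_scopes: ["mail:read"] },
  { id: "skill", kind: "skill" },
];
```

The "escape" entry shows why the subset check is separate from the allowlist check: its credential scope is on the allowlist but was never declared in the entry's own envelope.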