feat(phase-4): WS5 — GitHub Actions OIDC token exchange and trust policies

- POST /oidc/token: GitHub OIDC JWT exchange (bootstrap + agent-scoped modes)
- POST/GET/DELETE /oidc/trust-policies: trust policy CRUD with enforcement
- DB migration 022: oidc_trust_policies table with provider/repo/branch/agent_id
- GitHub Actions: register-agent and issue-token actions with full READMEs
- Trust policy enforcement rejects token exchanges not matching registered policies
- Bootstrap mode issues agents:write token for new agent registration without agentId

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SentryAgent.ai Developer
2026-04-02 10:37:39 +00:00
parent 89c99b666d
commit fefbf1e3ea
15 changed files with 1432 additions and 18 deletions


@@ -128,6 +128,50 @@ export interface IOIDCDiscoveryDocument {
grant_types_supported: string[];
}
// ============================================================================
// GitHub OIDC Trust Policy
// ============================================================================
/**
* Supported OIDC provider identifiers.
* Currently only "github" is supported; the type is extensible.
*/
export type OIDCProvider = 'github';
/**
* Request body for registering an OIDC trust policy via POST /oidc/trust-policies.
*/
export interface ICreateTrustPolicyRequest {
/** OIDC provider. Currently only "github" is supported. */
provider: OIDCProvider;
/** GitHub repository in "org/repo" format. Only workflows in this repo may exchange tokens. */
repository: string;
/** Optional branch constraint. When omitted, any branch is allowed. */
branch?: string;
/** UUID of the agent this trust policy grants access to. */
agentId: string;
}
/**
* A persisted OIDC trust policy record.
*/
export interface IOIDCTrustPolicy {
/** UUID primary key. */
id: string;
/** OIDC provider identifier. */
provider: OIDCProvider;
/** GitHub repository (e.g. "org/repo"). */
repository: string;
/** Optional branch constraint. Null means any branch is allowed. */
branch: string | null;
/** UUID of the agent this trust policy grants access to. */
agentId: string;
/** Timestamp when the policy was created. */
createdAt: Date;
/** Timestamp when the policy was last updated. */
updatedAt: Date;
}
// ============================================================================
// Agent Info Response
// ============================================================================
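Review bot: `ICreateTrustPolicyRequest` and `IOIDCTrustPolicy` identify the trusted workflow only by the mutable repository name and branch, so a policy would keep matching after the named repository is deleted and recreated or transferred under the same `org/repo` slug, which is why GitHub's OIDC tokens also carry the immutable `repository_id` and `repository_owner_id` claims. Consider adding an optional pinned identifier to both interfaces, e.g. `/** Immutable GitHub repository ID from the token's repository_id claim; when set it must also match. */ repositoryId?: string;` on the request and `repositoryId: string | null;` on the persisted record. The `branch` docs should also state what is compared — the bare branch name against the `ref` claim's `refs/heads/<branch>` — and whether omitting it admits non-branch refs such as tags and pull_request runs, since "any branch is allowed" is narrower than "any ref". The enforcement that consumes these fields is outside this hunk, so the matching semantics are inferred rather than visible here.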