P0 security fix. Any authenticated agent could previously read, modify, or
decommission agents belonging to other organizations.
Changes:
- IAgentListFilters: add organizationId field (forced from JWT, never from query)
- AgentRepository.findAll(): filter by organizationId when set
- AgentService: getAgentById, updateAgent, decommissionAgent — accept organizationId
and throw AuthorizationError(403) on cross-tenant access
- AgentController: extract req.user.organization_id on all 5 handlers; throw 403
if claim is absent; registerAgent forces body.organizationId from JWT claim
- OpenAPI spec: document tenant isolation rules per endpoint
- Tests: update MOCK_USER with organization_id; add 5 new missing-org-id 403 tests;
assert organizationId is passed through to service on all mutating calls
Fixes field trial failure: Test C.7 (Org Isolation).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All findings from the inaugural LeadValidator audit resolved and
confirmed. Release gate: PASS.
VV_ISSUE_002 (BLOCKER): 15 OpenAPI specs verified present covering
all 20 route groups (46 endpoints documented in docs/openapi/)
VV_ISSUE_003 (MAJOR): Remove any types from src/db/pool.ts —
replaced pool.query shim with unknown[] + Object.defineProperty,
zero any types, eslint-disable suppressions removed
VV_ISSUE_004 (MAJOR): Remove raw Pool from ScaffoldController and
HealthDetailedController — injected AgentRepository/CredentialRepository
and DbProbe interface respectively; added CredentialRepository.findActiveClientId()
VV_ISSUE_005 (MAJOR): Add unit tests for 5 untested services —
ComplianceStatusStore, EventPublisher, MarketplaceService,
OIDCTrustPolicyService, UsageService
VV_ISSUE_006 (MAJOR): Add integration tests for 7 missing route
groups — analytics, billing, tiers, webhooks, marketplace,
oidc-trust-policies, oidc-token-exchange
VV_ISSUE_001 (MINOR): Create missing design.md and tasks.md in 4
OpenSpec archives — all archives now complete
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Complete docs/engineering/ suite — 12 documents covering company overview,
system architecture, tech stack ADRs, codebase structure, service deep dives,
annotated code walkthroughs, dev setup, engineering workflow, testing strategy,
deployment/ops, SDK guide, and README index. All content verified against
source files. All 82 tasks in openspec/changes/engineering-docs/tasks.md
marked complete.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Three remaining Phase 1 P1 deliverables:
1. Dockerfile — multi-stage build (builder + production), node:18-alpine,
non-root USER node, .dockerignore excluding secrets and dev artifacts
2. AGNTCY alignment docs (docs/agntcy/) — README and alignment.md mapping
all 6 AGNTCY domains to AgentIdP features with Phase 2/3 pending items noted
3. Node.js SDK (@sentryagent/idp-sdk) — TypeScript strict, zero any, native
fetch (Node 18+), TokenManager with 60s auto-refresh, service clients for
all 14 endpoints (agents, credentials, tokens, audit), AgentIdPError typed
error hierarchy, full README
All three changes tracked under openspec/changes/ with tasks marked complete.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the full devops-documentation OpenSpec change implementation.
Separate from docs/developers/ — serves a different audience (operators,
not API consumers).
docs/devops/:
- README.md — index and system overview
- architecture.md — components, ports, data flow, Redis key patterns
- environment-variables.md — all 7 env vars (required + optional, formats, .env example)
- database.md — 4-table schema, indexes, constraints, migration runner
- local-development.md — docker-compose setup, health checks, startup, Dockerfile gap noted
- security.md — RSA key generation/rotation, CORS, bcrypt, secret storage guidance
- operations.md — startup order, graceful shutdown, log reference, troubleshooting
QA gates: 48/48 tasks complete. All env vars verified against source.
All table names verified against migrations. All ports verified against
docker-compose.yml. All internal links resolve.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
