4 changes: 2 additions & 2 deletions agentex/src/api/routes/checkpoints.py
Expand Up @@ -95,7 +95,7 @@ async def put_checkpoint(
request: PutCheckpointRequest,
checkpoints_use_case: DCheckpointsUseCase,
_authorized_task_id: DAuthorizedBodyId(
AgentexResourceType.task, AuthorizedOperationType.execute, field_name="thread_id"
AgentexResourceType.task, AuthorizedOperationType.update, field_name="thread_id"
),
) -> PutCheckpointResponse:
blobs = [
Expand Down Expand Up @@ -133,7 +133,7 @@ async def put_writes(
request: PutWritesRequest,
checkpoints_use_case: DCheckpointsUseCase,
_authorized_task_id: DAuthorizedBodyId(
AgentexResourceType.task, AuthorizedOperationType.execute, field_name="thread_id"
AgentexResourceType.task, AuthorizedOperationType.update, field_name="thread_id"
),
) -> Response:
writes = [
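Review bot: The dependency on put_checkpoint and put_writes now gates on `AuthorizedOperationType.update` instead of `execute`, but nothing in either hunk records why checkpoint writes are authorized as an update of the task, nor that the body's `thread_id` is being treated as the task selector (the parameter is named `_authorized_task_id`). A one-line comment above each `DAuthorizedBodyId(` call, `# Checkpoint writes are authorized as an update of the task whose id is sent as thread_id.`, would keep the two routes from drifting apart if another operation type is introduced later. The same point applies to the put_writes hunk. Both function bodies continue beyond their hunks.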
20 changes: 16 additions & 4 deletions agentex/src/utils/authorization_shortcuts.py
Expand Up @@ -147,10 +147,22 @@ async def _ensure_authorized_body_field(
body = await request.json()
field_value = body[field_name]

await authorization.check(
resource=AgentexResource(type=resource_type, selector=field_value),
operation=operation,
)
# Collapse a denied task check into 404 so callers cannot use 403 vs
# 404 to probe whether a task exists in another tenant.
# TODO: Refactor to use the canonical task body-id wrap landed by AGX1-275 / #249.
if resource_type == AgentexResourceType.task:
try:
await authorization.check(
resource=AgentexResource.task(field_value),
operation=operation,
)
except AuthorizationError:
raise ItemDoesNotExist(f"Item with id '{field_value}' does not exist.") from None
else:
await authorization.check(
resource=AgentexResource(type=resource_type, selector=field_value),
operation=operation,
)
return field_value

return Annotated[str, Depends(_ensure_authorized_body_field)]
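Review bot: The new `except AuthorizationError` branch drops the denial entirely (`from None`), so a rejected task operation leaves no server-side trace distinguishing it from a genuinely missing id; the 403-to-404 collapse should hide the check from the client, not from the audit trail. Record the denial before converting it, e.g. `logger.info("authorization denied for task %s; returning 404", field_value)` (assuming the module has a logger — its top is outside the hunk), so operators can still tell probing from real not-found traffic. The two `authorization.check` calls differ only in how the resource is built; constructing `resource` first and wrapping a single call, re-raising in the non-task case, would leave the TODO'd refactor with one site to change instead of two. `_ensure_authorized_body_field` begins outside this hunk, and `body[field_name]` on the context line still raises a bare `KeyError` for a missing field, so the 404 collapse covers only the authorization path.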