feat(federation): scope schema validator [FED-M2-03] #489

jason.woltje · 2026-04-22T01:59:42Z

jason.woltje commented

2026-04-22 01:59:42 +00:00

Summary

Pure validator for federation grant scope objects per PRD §8.1. Independent of CA / DB / NestJS wiring — those land in M2-06.

What's in this PR

apps/gateway/src/federation/scope-schema.ts — Zod schema, parseFederationScope, FederationScope type, FederationScopeError
FEDERATION_RESOURCE_VALUES closed allowlist of federation resources (extends in M3+)
Sensitive-resource warning for credentials / api_keys via console.warn (full gating in M2-06)
18 unit tests covering valid/invalid scopes, defaults, intersection guards, range bounds, sentinel warning

Decisions to confirm before M2-06 wires this up

Zod v4 .issues API: Gateway uses Zod ^4.3.6. In Zod v4, the error issues array is accessed via error.issues (not error.errors as in v3). The parser uses this correctly.
filters key type: filters is typed as Record<string, ResourceFilterSchema> (not Record<FederationResource, ...>) to avoid TS strictness issues with optional record keys. The superRefine cross-check enforces filter keys must be in resources at runtime.
include_teams not UUID-validated: Per PRD §8.3, team IDs are arbitrary BetterAuth strings (not UUIDs). The schema accepts string[].
No DTO file created: This is a pure validator/schema module, not a module boundary. DTOs will be added in M2-06 when the NestJS controller is wired.

Test plan

Vitest 18/18 green
typecheck green
lint green
format:check green
CI green

Refs #461

## Summary Pure validator for federation grant scope objects per PRD §8.1. Independent of CA / DB / NestJS wiring — those land in M2-06. ## What's in this PR - `apps/gateway/src/federation/scope-schema.ts` — Zod schema, `parseFederationScope`, `FederationScope` type, `FederationScopeError` - `FEDERATION_RESOURCE_VALUES` closed allowlist of federation resources (extends in M3+) - Sensitive-resource warning for `credentials` / `api_keys` via `console.warn` (full gating in M2-06) - 18 unit tests covering valid/invalid scopes, defaults, intersection guards, range bounds, sentinel warning ## Decisions to confirm before M2-06 wires this up 1. **Zod v4 `.issues` API**: Gateway uses Zod ^4.3.6. In Zod v4, the error issues array is accessed via `error.issues` (not `error.errors` as in v3). The parser uses this correctly. 2. **`filters` key type**: `filters` is typed as `Record<string, ResourceFilterSchema>` (not `Record<FederationResource, ...>`) to avoid TS strictness issues with optional record keys. The `superRefine` cross-check enforces filter keys must be in `resources` at runtime. 3. **`include_teams` not UUID-validated**: Per PRD §8.3, team IDs are arbitrary BetterAuth strings (not UUIDs). The schema accepts `string[]`. 4. **No DTO file created**: This is a pure validator/schema module, not a module boundary. DTOs will be added in M2-06 when the NestJS controller is wired. ## Test plan - [x] Vitest 18/18 green - [x] typecheck green - [x] lint green - [x] format:check green - [ ] CI green Refs #461

jason.woltje added 1 commit 2026-04-22 02:09:44 +00:00

feat(federation): scope JSON schema and validator [FED-M2-03]

ci/woodpecker/pr/ci Pipeline was successful

Details

ci/woodpecker/push/ci Pipeline was successful

Details

22a0dc92cd

Pure Zod-based validator for federation grant scope objects per PRD §8.1.
Independent of CA, DB, and NestJS wiring — those land in M2-06.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

jason.woltje merged commit 7d7cf012f0 into main

2026-04-22 02:31:14 +00:00

jason.woltje referenced this issue from a commit

2026-04-22 02:31:15 +00:00

feat(federation): scope schema validator [FED-M2-03] (#489)

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#489