mosaicstack/stack
1
0
Fork 0
Code Issues 22 Pull Requests 1 Actions Packages Projects Releases 14 Wiki Activity

US-007: mosaic-as agent registration endpoint + scoped/revocable tokens #540

New Issue
Closed
opened 2026-06-16 00:46:24 +00:00 by jason.woltje · 0 comments
jason.woltje commented 2026-06-16 00:46:24 +00:00
Owner
Copy Link

Implements US-007 from mosaic-comms PRD (M-AGENT-REG).

Acceptance Criteria

  • POST /bridge/v1/agents {alias, host, display_name?} mints/ensures the @agent-- virtual user and returns {agent_user_id, bridge_token} (HMAC/bearer auth).
  • A manual revoke path exists from day one.
  • Registration reconciles identity (mosaic-as) with runtime binding (agent-comms config.json) so the registry never advertises phantom agents.
  • Typecheck and lint pass; new endpoint has a *.dto.ts boundary.

Design (deployment-agnostic, no new infra)

  • Persist per-agent token hashes (sha256 of high-entropy random tokens) in Matrix account_data on the AS sender user — homeserver is already a hard, persistent dependency; survives pod restart with zero PVC/volume/env.
  • Per-agent minted tokens (magt_*) are scoped: usable only to act as their own agent on /bridge/v1/messages|typing; host bridgeTokens stay unscoped.
  • New endpoints (host-token gated): POST /bridge/v1/agents (register+mint), POST /bridge/v1/agents/revoke (revoke all tokens for an agent), GET /bridge/v1/agents (list active — reconciliation source).

Repo: mosaicstack/stack — apps/appservice + packages/appservice.

Implements US-007 from mosaic-comms PRD (M-AGENT-REG). ## Acceptance Criteria - POST /bridge/v1/agents {alias, host, display_name?} mints/ensures the @agent-<alias>-<host> virtual user and returns {agent_user_id, bridge_token} (HMAC/bearer auth). - A manual revoke path exists from day one. - Registration reconciles identity (mosaic-as) with runtime binding (agent-comms config.json) so the registry never advertises phantom agents. - Typecheck and lint pass; new endpoint has a *.dto.ts boundary. ## Design (deployment-agnostic, no new infra) - Persist per-agent token **hashes** (sha256 of high-entropy random tokens) in Matrix **account_data** on the AS sender user — homeserver is already a hard, persistent dependency; survives pod restart with zero PVC/volume/env. - Per-agent minted tokens (magt_*) are **scoped**: usable only to act as their own agent on /bridge/v1/messages|typing; host bridgeTokens stay unscoped. - New endpoints (host-token gated): POST /bridge/v1/agents (register+mint), POST /bridge/v1/agents/revoke (revoke all tokens for an agent), GET /bridge/v1/agents (list active — reconciliation source). Repo: mosaicstack/stack — apps/appservice + packages/appservice.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaicstack/stack#540
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?