feat: add Tess runtime provider registry #722

Merged
jason.woltje merged 1 commits from feat/tess-provider-registry into main 2026-07-12 23:53:55 +00:00
Owner

Summary

  • add explicit runtime provider registry and Gateway policy boundary
  • enforce immutable actor scope, capability gates, exact-action termination approval, correlation-safe audit records
  • add security TDD coverage and Tess architecture documentation

Verification

  • cold-cache install plus forced typecheck, lint, format, and test gates passed
  • independent code and security reviews completed

Refs #707

## Summary - add explicit runtime provider registry and Gateway policy boundary - enforce immutable actor scope, capability gates, exact-action termination approval, correlation-safe audit records - add security TDD coverage and Tess architecture documentation ## Verification - cold-cache install plus forced typecheck, lint, format, and test gates passed - independent code and security reviews completed Refs #707
jason.woltje added 1 commit 2026-07-12 23:42:58 +00:00
feat(#707): add Tess runtime provider registry
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
c529022ddf
Author
Owner

VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head c529022ddf

Evidence:

  • Exact PR/branch head verified: c529022ddf30e55d65caede5dfa9f81ede79665b.
  • PR CI green: ci/woodpecker/pr/ci pipeline 1710 success.
  • Reviewed TESS-M1-002 security boundary: provider IDs are explicit/non-replaceable; runtime scope is derived only from trusted server context and frozen before provider calls; blank actor/tenant/channel/correlation fails closed.
  • Capability checks gate provider side effects; audit writes occur before provider invocation and audit outage fails closed before side effects.
  • Termination requires an approval verifier consume an exact provider/session/actor/tenant/channel/correlation action before provider.terminate; default verifier denies all termination until durable approval is wired.
  • Audit records remain metadata-only and exclude message bodies, idempotency keys, and approval refs.
  • SEC-001 durable command approval flow is not modified by this PR; verified no command/chat command auth diff from base and current head retains command:approve, approvalId, and one-time actor/action-bound command authorization.
  • git diff --check clean; no secrets in the PR diff.
VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head c529022ddf30e55d65caede5dfa9f81ede79665b Evidence: - Exact PR/branch head verified: `c529022ddf30e55d65caede5dfa9f81ede79665b`. - PR CI green: `ci/woodpecker/pr/ci` pipeline 1710 success. - Reviewed TESS-M1-002 security boundary: provider IDs are explicit/non-replaceable; runtime scope is derived only from trusted server context and frozen before provider calls; blank actor/tenant/channel/correlation fails closed. - Capability checks gate provider side effects; audit writes occur before provider invocation and audit outage fails closed before side effects. - Termination requires an approval verifier consume an exact provider/session/actor/tenant/channel/correlation action before `provider.terminate`; default verifier denies all termination until durable approval is wired. - Audit records remain metadata-only and exclude message bodies, idempotency keys, and approval refs. - SEC-001 durable command approval flow is not modified by this PR; verified no command/chat command auth diff from base and current head retains `command:approve`, `approvalId`, and one-time actor/action-bound command authorization. - `git diff --check` clean; no secrets in the PR diff.
jason.woltje merged commit e92186d768 into main 2026-07-12 23:53:55 +00:00
jason.woltje deleted branch feat/tess-provider-registry 2026-07-12 23:53:55 +00:00
Sign in to join this conversation.
No Reviewers
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaicstack/stack#722