3.2 KiB
3.2 KiB
TESS-M1-002 — Provider Registry
- Issue: #707
- Branch:
feat/tess-provider-registry - Objective: Build the runtime provider registry/service boundary that derives immutable actor/tenant/channel/correlation scope server-side, fail-closes unsupported and destructive runtime operations, binds termination approval to the exact structured action, and emits correlation-safe audit events.
Plan
- Add a provider-agnostic registry in
@mosaicstack/agentover the mergedAgentRuntimeProvidercontract. - Write abuse-case tests before implementation for duplicate/unknown providers, immutable server-derived scope, capability denial, approval mismatch/absence, and audit failure.
- Implement the Gateway service that converts only authenticated
ActorTenantScopeplus trusted ingress metadata into a frozenRuntimeScope, gates capabilities and terminate approval, and records metadata-only audits. - Register the service in
AgentModule, then run focused, baseline, cold-cache, and independent-review gates.
Security Invariants
- Caller-supplied actor/tenant identity never reaches runtime providers.
- Provider capability absence and approval/audit failure deny before side effects.
- Termination approval is verified against provider, session, actor, tenant, channel, and correlation context.
- Audit events retain correlation and authority metadata but never message content or approval material.
Progress
- 2026-07-12: Created fresh worktree from
origin/mainat119f64e6; source and Tess planning/security documentation reviewed. - 2026-07-12: Security TDD added registry and gateway abuse tests before implementation.
- 2026-07-12: Implemented
AgentRuntimeProviderRegistryand gatewayRuntimeProviderService; registered both inAgentModuleand documented the internal boundary. - 2026-07-12: Independent review found two audit correctness issues. Remediated completion-audit failure handling and provider execution failures: pre-invocation denials are audited as
denied; post-invocation errors asfailed; completion audit failure does not misreport a completed effect as retryable. - 2026-07-12: Final independent security review: no findings. Final code review had one false positive:
@mosaicstack/typesis already declared inpackages/agent/package.json.
Tests
- TDD red:
pnpm --filter @mosaicstack/gateway test -- runtime-provider-registry.service.test.tsfailed before both audit remediations, as expected. - Focused: package registry 2 tests and gateway security boundary 7 tests pass.
- Cold-cache: removed this worktree's
node_modules, thenpnpm install --offline --frozen-lockfile --store-dir /home/jarvis/.local/share/pnpm/storepassed. - Cold-cache baseline:
TURBO_FORCE=true pnpm typecheck— 42/42 tasks passed;TURBO_FORCE=true pnpm lint— 23/23 tasks passed;TURBO_FORCE=true pnpm format:checkpassed;TURBO_FORCE=true pnpm test— 42/42 tasks passed (gateway 548 tests passed, 11 intentionally skipped).
Risks / Blockers
- The canonical durable approval implementation is currently command-specific. This card introduces a fail-closed runtime approval verifier boundary so a runtime provider cannot terminate until its exact-action verifier is wired; later provider implementations cannot bypass it.