stack/docs/scratchpads/462-fed-m3-06-get-verb.md
jason.woltje 838701bde2
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
feat(#462): add federation get verb (#683)
FED-M3-06 get verb. Trust boundary mirrors M3-05 AND-intersect (note returned only when owned by subject AND on an authorized mission). Reviewed (review-of-record APPROVE, head 80a259b2) + green PR-event CI 1620.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 03:44:54 +00:00


Scratchpad — FED-M3-06 get verb

Objective

Implement POST /api/federation/v1/get/:resource/:id for M3 inbound federation reads.

Scope

  • apps/gateway/src/federation/server/verbs/get.controller.ts
  • apps/gateway/src/federation/server/verbs/get-query.service.ts
  • Unit coverage for controller pipeline + query service RBAC guardrails
  • Register controller/service in FederationModule

Plan

  1. Mirror the list verb pipeline: FederationAuthGuard → FederationScopeService → read-only query service.
  2. Return one _source: "local" tagged item on success.
  3. Return federation error envelopes:
    • 404 not_found when the resource id does not exist.
    • 403 scope_violation when the row exists but falls outside native RBAC/scope intersection.
    • 400 invalid_request for malformed ids/scope requests.
  4. Keep read audit persistence deferred to M4; no body or response persistence in M3.

Verification Evidence

  • Rebased onto origin/main at 86e106fcc9a1dfa3a18f7846bb477be128794aad after M3-05 merged; resolved FederationModule by registering both list and get verb controllers/services.
  • Review-change coverage added for comment 15971:
    • get note access now requires subject ownership AND authorized mission intersection.
    • missing federation context returns structured 401 unauthorized envelope.
    • unsupported get resources fail closed with structured denial.
    • PGlite regressions cover cross-user note exclusion and subject-note unauthorized-mission exclusion.
  • pnpm --filter @mosaicstack/gateway test -- src/federation/server/verbs/__tests__/get.controller.spec.ts src/federation/server/verbs/__tests__/get-query.service.spec.ts — pass (2 files / 17 tests; re-run after review changes).
  • pnpm --filter @mosaicstack/gateway build — pass (re-run after review changes).
  • pnpm build — pass (23 successful tasks before review changes).
  • pnpm typecheck — pass (41 successful tasks; re-run after review changes).
  • pnpm lint — pass (23 successful tasks; re-run after review changes).
  • pnpm format:check — pass (re-run after review changes).
  • ~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted — approve, 0 findings after review changes.
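
The decision order described in the Plan and in the review-change bullets, as an added TypeScript example that is not the project's code. All type and function names, the envelope shape, the UUID id format, and the status used for unsupported resources are assumptions; the page only fixes the 401/400/404/403 codes and the AND-intersect rule.

```typescript
// Added illustration; names and envelope shape are assumptions, not project code.
type Note = { id: string; ownerId: string; missionId: string; title: string };
type FedContext = { subjectUserId: string; authorizedMissionIds: string[] };
type GetResult = { status: number; body: Record<string, unknown> };

// Assumed id format (UUID); the page only says malformed ids are rejected.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function deny(status: number, code: string): GetResult {
  return { status, body: { error: { code } } };
}

function getVerb(
  notes: Note[],
  ctx: FedContext | undefined,
  resource: string,
  id: string,
): GetResult {
  // No federation context: structured 401, never a fall-through to the query.
  if (!ctx) return deny(401, "unauthorized");
  // Unsupported resources fail closed. The status/code used here is an assumption.
  if (resource !== "notes") return deny(403, "scope_violation");
  if (!UUID_RE.test(id)) return deny(400, "invalid_request");

  const row = notes.filter((n) => n.id === id)[0];
  if (!row) return deny(404, "not_found");

  // AND-intersect: both conditions must hold; either one alone is not enough.
  const owned = row.ownerId === ctx.subjectUserId;
  const onAuthorizedMission = ctx.authorizedMissionIds.indexOf(row.missionId) !== -1;
  if (!(owned && onAuthorizedMission)) return deny(403, "scope_violation");

  // Read-only success path: a single item tagged with its origin.
  return { status: 200, body: { item: { ...row, _source: "local" } } };
}

// Constructed sample rows: one in scope, one cross-user, one on an unauthorized mission.
const NOTES: Note[] = [
  { id: "11111111-1111-4111-8111-111111111111", ownerId: "alice", missionId: "m1", title: "in scope" },
  { id: "22222222-2222-4222-8222-222222222222", ownerId: "bob", missionId: "m1", title: "cross-user" },
  { id: "33333333-3333-4333-8333-333333333333", ownerId: "alice", missionId: "m9", title: "other mission" },
];
const ALICE: FedContext = { subjectUserId: "alice", authorizedMissionIds: ["m1"] };
```

Because 403 is returned only for rows that exist, the 404/403 split tells a caller whether an id exists outside its scope; the tests for this verb are the place to pin down that this is intended.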