Skip to content

V29 Gate 7: Organization Permission Authority#26

Merged
geraldarthurdavis merged 1 commit into
version/v29from
v29/gate-7-organization-permission-authority
May 21, 2026
Merged

V29 Gate 7: Organization Permission Authority#26
geraldarthurdavis merged 1 commit into
version/v29from
v29/gate-7-organization-permission-authority

Conversation

@geraldarthurdavis

@geraldarthurdavis geraldarthurdavis commented May 21, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds the package-owned BTD organization/interface authority primitive for roles, explicit grants, wallet binding, registry read access, settlement, confirmation, source visibility, and proof roots.
  • Wires authority decisions through API/UAPI, MCP auth requirements, ChatGPT App connected-interface write admission, sandbox harness evidence, and Terminal's Authority detail section.
  • Updates V29 SPEC/DELTA/NOTES/PARITY, Terminal docs, Gate 7 checker, gate-quality CI, and focused coverage.

Validation

  • pnpm --filter @bitcode/btd typecheck
  • pnpm --filter @bitcode/api build
  • pnpm --dir packages/executions-mcp/src/mcp-server run type-check
  • pnpm --dir packages/chatgptapp exec tsc --noEmit --pretty false
  • pnpm --filter @bitcode/pipeline-hosts typecheck
  • pnpm run check:v29-gate7
  • pnpm --filter @bitcode/btd test -- --runTestsByPath __tests__/btd.test.ts
  • pnpm --filter @bitcode/btd test
  • pnpm --filter @bitcode/api exec jest --config jest.config.cjs --runTestsByPath src/routes/__tests__/btd-crypto.test.ts --runInBand
  • pnpm --dir packages/executions-mcp/src/mcp-server run test:mcp -- --runTestsByPath src/__tests__/unit/auth.test.ts --runInBand
  • pnpm --dir packages/chatgptapp exec jest --runTestsByPath src/__tests__/tools.test.ts --runInBand
  • pnpm --filter @bitcode/pipeline-hosts exec jest --config jest.config.cjs --runTestsByPath src/__tests__/asset-pack-harness.test.ts --runInBand
  • pnpm --dir uapi exec jest --runTestsByPath tests/api/readReviewRoute.test.ts tests/api/pipelineHarnessRoute.test.ts tests/terminalPipelineHarnessClient.test.ts tests/terminalDepositReadWorkbench.test.ts tests/terminalTransactionQuery.test.ts tests/terminalTransactionReadModel.test.ts tests/terminalWalletBtcOperation.test.ts tests/terminalJournalReconciliation.test.ts tests/terminalOrganizationAuthority.test.ts tests/terminalTransactionDetailCards.test.tsx tests/terminalTransactionDetailSnapshot.test.ts tests/pipelineExecutionLogHeader.test.tsx --runInBand
  • bash scripts/find-uppercase-raw-promptparts.sh
  • bash scripts/check-import-casing.sh
  • pnpm test:qa:v28:pipeline-readback
  • pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --passWithNoTests --forceExit
  • pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --runTestsByPath src/__tests__/reading-pipeline-observability.test.ts src/__tests__/reading-pipeline-contract.test.ts --runInBand
  • pnpm --filter @bitcode/pipeline-asset-pack exec jest --config jest.config.cjs --runTestsByPath src/__tests__/asset-pack-disclosure.test.ts src/__tests__/postprocess.test.ts src/__tests__/read-need.test.ts --runInBand
  • npm --prefix protocol-demonstration test
  • npm --prefix protocol-demonstration run test:v28-mvp-qa
  • git diff --check

@vercel

vercel Bot commented May 21, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
engi-uapi Ready Ready Preview, Comment May 21, 2026 2:47pm

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c10c2db370

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +391 to +394
const allowed =
interfaceAction &&
(role || permissionGrant) &&
walletBinding &&

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Require organization role before allowing authority decisions

The decision logic can return allowed even when organizationRole is missing, because allowed only checks (role || permissionGrant). In this case a caller can supply a matching permission grant (for example reading:request) and pass actions like request_read without any role evidence, despite this function explicitly tagging missing role as a denial reason and the spec’s fail-closed expectation for missing org role. The allow predicate should include an explicit role-present check (or otherwise make missing role a hard deny).

Useful? React with 👍 / 👎.

Adds package-owned BTD organization/interface authority decisions with holdings, read-license usage, source visibility, and proof roots.

Wires JSON-safe API/UAPI decisions, MCP required interface authority, ChatGPT App write admission, sandbox harness evidence, and Terminal Authority detail projection.

Updates V29 spec/parity/docs, gate-quality CI, Gate 7 checker, lockfile, and focused BTD/API/MCP/ChatGPT/pipeline-host/UAPI coverage.
@geraldarthurdavis
geraldarthurdavis force-pushed the v29/gate-7-organization-permission-authority branch from 74d127d to fcb6706 Compare May 21, 2026 14:46
@geraldarthurdavis
geraldarthurdavis merged commit 73c62e4 into version/v29 May 21, 2026
30 checks passed
geraldarthurdavis added a commit that referenced this pull request Jul 8, 2026
…andbox host durability

Spec (NOTES #26 + parity matrix #26–31; QA runbook cancel/sandbox):
- Exhaustive cancel law (row authority, cooperative abort, sandbox stop, UI)
- Sandbox deposit: ephemeral boxes, OIDC/token auth fail-closed, sandboxId on context

Implementation:
- POST /api/executions/[runId]/cancel + execution-cancel helper
- Deposit route polls cancel; sandbox shouldAbort + non-persistent create
- VercelSandboxPipelineHost abort/cancel outcome; assertVercelSandboxAuthAvailable
- Deposit UI Cancel run control + deposit_synthesis_cancelled analytics
- Tests for cancel API, host abort, harness result shape, provisioning
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant