Skip to content

Commit a4519c6

Browse files
committed
update AGENTs.md and makefile
1 parent 698aebd commit a4519c6

2 files changed

Lines changed: 9 additions & 5 deletions

File tree

AGENTS.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,10 +15,10 @@ RLS policies filter database rows based on JWT claims passed via PostgREST, ensu
1515

1616
### Policy Patterns
1717

18-
**Direct Policies**: Tables with direct RLS use the `match_scope()` function to evaluate JWT claims against row attributes (tags, agents, names, id).
18+
**Direct Policies**: Tables with direct RLS use the `__scope` array column and compare it against JWT claims.
1919

20-
- Examples: `config_items`, `canaries`, `components`, `playbooks`
21-
- Policy checks row attributes directly using `match_scope(jwt_claims, row.tags, row.agent_id, row.name, row.id)`
20+
- Examples: `config_items`, `canaries`, `components`, `playbooks`, `views`
21+
- Policy checks scope overlap using `COALESCE(__scope, '{}'::uuid[]) && rls_scope_access()` and wildcard via `rls_has_wildcard('<type>')`.
2222

2323
**Inherited Policies**: Child tables inherit access control from their parent using `EXISTS` clauses.
2424

@@ -29,7 +29,7 @@ RLS policies filter database rows based on JWT claims passed via PostgREST, ensu
2929

3030
1. Add RLS enable logic to `@views/9998_rls_enable.sql`
3131
- Enable RLS on the table
32-
- Create the policy (either direct with `match_scope()` or inherited with `EXISTS`)
32+
- Create the policy (either direct with `__scope` overlap or inherited with `EXISTS`)
3333
2. Add counterpart disable logic to `@views/9999_rls_disable.sql`
3434
- Disable RLS on the table
3535
- Drop the policy
@@ -42,7 +42,7 @@ RLS policies filter database rows based on JWT claims passed via PostgREST, ensu
4242

4343
The RLS policies work by injecting JWT claims into PostgreSQL session variables via `request.jwt.claims`. The flow is:
4444

45-
- Go code builds an RLS Payload (scopes for config, component, playbook, canary, view) in `@rls/payload.go`
45+
- Go code builds an RLS Payload (scope UUIDs + wildcard scopes) in `@rls/payload.go`
4646
- `SetPostgresSessionRLS()` serializes the Payload to JSON and executes: `SET request.jwt.claims TO <json>`
4747
- PostgreSQL RLS policies read `(current_setting('request.jwt.claims')::jsonb)` to enforce access control
4848

Makefile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,10 @@ ginkgo:
1212
go install github.com/onsi/ginkgo/v2/ginkgo
1313

1414
test: ginkgo
15+
# cleanup git directories that were downloaded from previous test run
16+
# cuz we don't want to run their unit tests
17+
rm -rf tests/e2e/exec-checkout
18+
1519
ginkgo -r -v --skip-package=tests/e2e
1620

1721
.PHONY: test-e2e

0 commit comments

Comments
 (0)