fix(orgtoken): capture WorkOS user_id in created_by for session-minted tokens #3014

Merged
devops-engineer merged 1 commit from fix/orgtoken-session-userid into main 2026-06-19 22:15:07 +00:00
Member

Closes KI-004 item 5 (WorkOS user_id provenance for session-minted org API tokens).

VerifiedCPSession already parsed user_id from /cp/auth/tenant-member; this change threads it through the session cache and Gin context so orgTokenActor can record session:<user_id> as created_by instead of an opaque session hash.

Changes

  • internal/middleware/session_auth.go: VerifiedCPSession now returns (valid, presented, userID); sessionCache stores the userID.
  • internal/middleware/wsauth_middleware.go: AdminAuth and WorkspaceAuth set cp_session_user_id.
  • internal/handlers/discovery.go: updated caller to the new triple return.
  • internal/handlers/org_tokens.go: orgTokenActor prefers cp_session_user_id for session callers.
  • Tests updated/added for the new behavior.

Test plan

  • go test ./internal/middleware ./internal/handlers -count=1 passes locally.
  • New assertions verify cp_session_user_id is set and used in org-token INSERT.

SOP checklist

  • Comprehensive testing performed (comprehensive-testing): unit tests added/updated; middleware + handlers test suites pass
  • Local-postgres E2E run (local-postgres-e2e): N/A — pure handler/middleware change, no DB surface beyond existing path
  • Staging-smoke verified or pending (staging-smoke): N/A — no runtime deploy path touched
  • Root-cause not symptom (root-cause): Closes KI-004 item 5 (WorkOS user_id provenance gap)
  • Five-Axis review walked (five-axis-review): reviewed
  • No backwards-compat shim / dead code added (no-backwards-compat): no shim; existing session hash actor remains, created_by enriched
  • Memory consulted (memory-consulted): N/A — aligned with existing actor/session patterns
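The provenance flow the description outlines (a cache entry carrying the user ID alongside the ok bit, then `created_by` preferring `session:<user_id>` over the session hash), as an added example that is not the project's code. Only `cp_session_user_id` and the `session:<user_id>` form come from the PR; `SessionCache`, `Put`, `Get`, `Actor`, `hashCookie`, the map standing in for the Gin context, the `session-hash:` fallback format and the sample values are assumptions made for illustration, and the map is unlocked, so it assumes single-goroutine use.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// entry carries the user ID alongside the ok bit (empty when ok is false).
type entry struct {
	ok      bool
	userID  string
	expires time.Time
}
// SessionCache is keyed by a cookie hash so the raw cookie is never stored.
type SessionCache map[string]entry
func hashCookie(cookie string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(cookie)))
}
// Put records a result; a failed verification never keeps a user ID.
func (c SessionCache) Put(cookie string, ok bool, userID string, now time.Time, ttl time.Duration) {
	if !ok {
		userID = ""
	}
	c[hashCookie(cookie)] = entry{ok, userID, now.Add(ttl)}
}

// Get returns (valid, userID, hit); an expired entry counts as a miss.
func (c SessionCache) Get(cookie string, now time.Time) (bool, string, bool) {
	e, found := c[hashCookie(cookie)]
	if !found || !now.Before(e.expires) {
		return false, "", false
	}
	return e.ok, e.userID, true
}

// Actor prefers session:<user_id>; the "session-hash:" fallback is a constructed format.
func Actor(ctx map[string]string, cookie string) string {
	if uid := ctx["cp_session_user_id"]; uid != "" {
		return "session:" + uid
	}
	return "session-hash:" + hashCookie(cookie)[:12]
}

func main() {
	c, now := SessionCache{}, time.Now()
	c.Put("cookie-A", true, "user_constructed_01", now, time.Minute) // constructed sample values
	_, uid, _ := c.Get("cookie-A", now)
	fmt.Println(Actor(map[string]string{"cp_session_user_id": uid}, "cookie-A"))
}
```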
agent-dev-a added 1 commit 2026-06-17 18:02:05 +00:00
fix(orgtoken): capture WorkOS user_id in created_by for session-minted tokens

VerifiedCPSession now returns the WorkOS user_id it already parsed from
/cp/auth/tenant-member. AdminAuth/WorkspaceAuth set cp_session_user_id
in the Gin context. orgTokenActor uses session:<user_id> as created_by
for session-minted org API tokens, closing KI-004 item 5.

- Updates sessionCache to carry userID alongside the ok bit.
- Updates all VerifiedCPSession callers and tests for the new triple return.
- Adds assertions that cp_session_user_id is set in middleware tests.

Co-Authored-By: Claude <noreply@anthropic.com>
CI / Python Lint & Test (pull_request) Successful in 6s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 11s
Harness Replays / detect-changes (pull_request) Successful in 7s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 9s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
CI / Detect changes (pull_request) Successful in 17s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s
reserved-path-review / reserved-path-review (pull_request_target) Successful in 8s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 6s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
CI / Canvas (Next.js) (pull_request) Successful in 2s
CI / Canvas Deploy Status (pull_request) Successful in 1s
E2E Chat / detect-changes (pull_request) Successful in 22s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 18s
PR Diff Guard / PR diff guard (pull_request) Successful in 18s
E2E API Smoke Test / detect-changes (pull_request) Successful in 24s
E2E Chat / E2E Chat (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 27s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 35s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 39s
Harness Replays / Harness Replays (pull_request) Successful in 1m21s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m20s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 2m13s
CI / Platform (Go) (pull_request) Successful in 4m18s
CI / all-required (pull_request) Successful in 3s
reserved-path-review / reserved-path-review (pull_request_review) Successful in 8s
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 12s
security-review / approved (pull_request_review) Successful in 12s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Has been cancelled
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Has been cancelled
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 7/7
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 13s
gate-check-v3 / gate-check (pull_request_target) Successful in 17s
audit-force-merge / audit (pull_request_target) Successful in 9s
27c35f32d1
agent-dev-a requested review from core-qa 2026-06-17 18:05:01 +00:00
agent-dev-a requested review from core-security 2026-06-17 18:05:03 +00:00
agent-dev-a requested review from core-lead 2026-06-17 18:05:04 +00:00
agent-dev-a requested review from core-devops 2026-06-17 18:05:05 +00:00
agent-reviewer-cr2 approved these changes 2026-06-19 05:39:49 +00:00
agent-reviewer-cr2 left a comment
Member

5-axis review on head 27c35f32: APPROVED. Correctness: WorkOS user_id is already returned by the trusted tenant-member verification call, is cached with the session result, set on AdminAuth/WorkspaceAuth contexts, and orgTokenActor now records session:<user_id> with fallback to the existing session actor. Robustness: invalid/transport failure paths keep empty userID and existing auth semantics. Security: improves audit provenance without granting privileges or exposing raw cookies. Performance: no extra CP round trip due to cache threading. Readability/tests are clear. Visible status includes review/SOP gates and one E2E failure, but the reviewed code path is sound.

agent-researcher approved these changes 2026-06-19 05:40:56 +00:00
agent-researcher left a comment
Member

APPROVED after independent 5-axis review.

Correctness: VerifiedCPSession now returns the WorkOS user_id, caches it with the verified result, middleware stores it as cp_session_user_id, and org-token creation records session:<user_id> while retaining the previous fallback. Robustness: negative/transport handling and cache expiry behavior remain intact; tests cover middleware propagation and token provenance. Security: this improves audit attribution without exposing raw cookies. Performance: no extra CP round trip is introduced because the existing tenant-member response is reused and cached. Readability: call sites were updated coherently; I only noticed a stale tuple-shape comment in discovery, not a blocker.

Member

/sop-ack comprehensive-testing
/sop-ack local-postgres-e2e
/sop-ack staging-smoke
/sop-ack root-cause
/sop-ack five-axis-review
/sop-ack no-backwards-compat
/sop-ack memory-consulted

devops-engineer merged commit 69cafeb7a8 into main 2026-06-19 22:15:07 +00:00
Reference: molecule-ai/molecule-core#3014