Secure /access/* management APIs and complete HTTP authz coverage#58
Merged
ScottArbeit merged 4 commits intomainfrom Jan 19, 2026
Merged
Secure /access/* management APIs and complete HTTP authz coverage#58ScottArbeit merged 4 commits intomainfrom
/access/* management APIs and complete HTTP authz coverage#58ScottArbeit merged 4 commits intomainfrom
Conversation
ScottArbeit
force-pushed
the
enhancement/access-endpoint-auth
branch
from
33cc191 to
f2e704e
Compare
added 4 commits
January 19, 2026 11:25
- Add .markdownlint.jsonc to set MD013 line length to 120 - Expand AGENTS.md with markdown and documentation guidelines - Rewrite Authentication.md: clarify auth mechanisms, add quickstart, detailed Auth0 setup, PAT usage, env vars, troubleshooting - Refactor launchSettings.json: reorder properties, enable TestAuth and admin bootstrap for DebugLocal, clean up comments
ScottArbeit
force-pushed
the
enhancement/access-endpoint-auth
branch
from
f2e704e to
c510529
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Secure
/access/*endpoints, enforce HTTP authz coverage, add bootstrap + metrics guardrails, and testsResolves #57.
Summary
This PR closes the authorization gaps across the HTTP surface and hardens
/access/*administration. It introduces full route classification (AllowAnonymous / Authenticated / Authorized), adds scope-aware admin checks for/accessmutations and listing, and supports one-time bootstrap seeding for initial SystemAdmin access. It also adds guardrails for/metrics, aligns RepoAdmin with BranchAdmin operations, and expands server tests. Documentation now covers bootstrap + TestAuth dev flow, and a manual/accessauth verification script is included.Key Changes
Startup.Server.fswith explicit classification for all routes, SignalR hub, and metrics endpoint.checkPermission.grace__authz__bootstrap__system_admin_users/groups.grace__metrics__allow_anonymouswith warning.docs/Authentication.mdwith bootstrap and TestAuth guidance; added.markdownlint.jsoncand config usage inAGENTS.md.scripts/TestAccessPathAuth.ps1to exercise/access/*auth flows under TestAuth.Manual Testing
pwsh scripts/TestAccessPathAuth.ps1GRACE_TESTING=1andgrace__authz__bootstrap__system_admin_usersset to the admin user in the script.Automated Testing
dotnet build -c Release src\Grace.slndotnet test -c Release src\Grace.slnNotes
docs/Authentication.mdnow assumes markdownlint config via.markdownlint.jsonc(MD013 = 120 chars).mainand force-pushed.