Skip to content

feat(agents): end-to-end group-restricted agent visibility#923

Merged
aarora79 merged 2 commits intomainfrom
feat/883-922-allowed-groups-e2e
May 2, 2026
Merged

feat(agents): end-to-end group-restricted agent visibility#923
aarora79 merged 2 commits intomainfrom
feat/883-922-allowed-groups-e2e

Conversation

@aarora79
Copy link
Copy Markdown
Contributor

@aarora79 aarora79 commented May 2, 2026

Summary

Implements full-stack support for allowed_groups on agents, enabling publishers to restrict agent visibility to specific IdP groups without admin intervention. Closes #883 and closes #922.

  • Backend: Parse X-Groups header from nginx auth subrequest, enforce group-restricted filtering for non-admin broad-scoped users, add allowed_groups to AgentInfo and as a query parameter on the list endpoint, extend CLI tooling
  • Nginx: Forward X-Groups from auth server via auth_request_set in both HTTP and HTTPS proxy configs
  • Frontend: Add Visibility dropdown and Allowed Groups input to agent registration and edit forms
  • Docs: New full doc explaining the two-layer access control model (IAM scopes vs publisher-managed allowed_groups) with concrete scenarios, rewritten FAQ with correct API examples
  • Tests: Updated unit tests for admin-only fast path, new AgentInfo schema tests, fixed protocol/trust and visibility normalization tests

Test plan

  • Verified end-to-end with live registry: created engineering/hr-team groups, alice-eng/bob-hr users, public and group-restricted agents
  • Alice (engineering, broad scope) sees public agents but NOT group-restricted hr-team agents
  • Bob (hr-team, broad scope) sees both public and group-restricted hr-team agents
  • pbuser (narrow scope) sees only agents in their IAM scope
  • Admin sees all agents regardless of visibility
  • ?allowed_groups=hr-team filter works correctly for authorized and unauthorized users
  • Unit tests pass (excluding 4 pre-existing failures on main)
  • CI pipeline passes

aarora79 added 2 commits May 2, 2026 17:05
@aarora79
feat(agents): end-to-end group-restricted agent visibility (#883, #922)
91f8503 
Add allowed_groups support across the full stack so agent publishers can
restrict visibility to specific IdP groups without requiring an admin to
change IAM scopes.

Backend:
- Parse X-Groups header from nginx auth subrequest in dependencies.py
- Enforce group-restricted filtering for non-admin users even when their
  IAM scope includes "all" (agent_routes.py)
- Add allowed_groups field to AgentInfo summary model
- Add allowed_groups query parameter to list endpoint
- Extend registry_client.py and registry_management.py CLI

Nginx:
- Forward X-Groups from auth server via auth_request_set in both HTTP
  and HTTPS proxy configs

Frontend:
- Add Visibility dropdown and Allowed Groups input to agent registration
  and edit forms (Dashboard.tsx, RegisterPage.tsx)

Docs:
- New full doc: agent-visibility-and-group-access.md explaining the
  two-layer access control model with concrete scenarios
- Rewritten FAQ: group-restricted-agent-visibility.md with correct curl
  commands and decision table

Tests:
- Update unit tests for admin-only fast path in list endpoint
- Add AgentInfo schema tests for allowed_groups serialization
- Fix test_schemas_protocol_trust_fields and visibility normalization
  tests for the new field
@aarora79
docs(readme): add group-restricted agent visibility to What's New
0b8565d
@aarora79 aarora79 merged commit 7484ec6 into main May 2, 2026
10 checks passed
@aarora79 aarora79 mentioned this pull request May 2, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

1 participant

@aarora79