fix(mcp): grant rollout verifier read tool
All checks were successful
Code Review / ai-code-review (push) Successful in 9s
run-migration / migrate (push) Successful in 10s
CD Pipeline / tests (push) Successful in 1m14s
CD Pipeline / build-and-deploy (push) Successful in 3m35s
CD Pipeline / post-deploy-checks (push) Successful in 1m37s
@@ -0,0 +1,77 @@
|
|||||||
|
-- T16 verifier gap: allow rollout status evidence through AwoooP MCP Gateway.
|
||||||
|
-- Boundary: read-only scope only; no restart/delete/scale grant is added here.
|
||||||
|
|
||||||
|
SELECT set_config('app.project_id', 'awoooi', FALSE);
|
||||||
|
|
||||||
|
WITH upsert_tool AS (
|
||||||
|
INSERT INTO awooop_mcp_tool_registry (
|
||||||
|
project_id,
|
||||||
|
tool_name,
|
||||||
|
tool_type,
|
||||||
|
description,
|
||||||
|
allowed_scopes,
|
||||||
|
environment_tags,
|
||||||
|
is_active,
|
||||||
|
updated_at
|
||||||
|
)
|
||||||
|
VALUES (
|
||||||
|
'awoooi',
|
||||||
|
'k8s_watch_rollout',
|
||||||
|
'mcp_server',
|
||||||
|
'Kubernetes deployment rollout status read',
|
||||||
|
'["read"]'::jsonb,
|
||||||
|
'{"env": "prod"}'::jsonb,
|
||||||
|
TRUE,
|
||||||
|
NOW()
|
||||||
|
)
|
||||||
|
ON CONFLICT (project_id, tool_name)
|
||||||
|
DO UPDATE SET
|
||||||
|
description = EXCLUDED.description,
|
||||||
|
allowed_scopes = EXCLUDED.allowed_scopes,
|
||||||
|
environment_tags = EXCLUDED.environment_tags,
|
||||||
|
is_active = TRUE,
|
||||||
|
updated_at = NOW()
|
||||||
|
RETURNING tool_id
|
||||||
|
),
|
||||||
|
grant_agents(agent_id) AS (
|
||||||
|
VALUES
|
||||||
|
('pre_decision_investigator'),
|
||||||
|
('post_execution_verifier')
|
||||||
|
),
|
||||||
|
upsert_grants AS (
|
||||||
|
INSERT INTO awooop_mcp_grants (
|
||||||
|
project_id,
|
||||||
|
agent_id,
|
||||||
|
tool_id,
|
||||||
|
granted_by,
|
||||||
|
granted_scopes,
|
||||||
|
expires_at,
|
||||||
|
is_revoked,
|
||||||
|
revoked_at,
|
||||||
|
revoked_by
|
||||||
|
)
|
||||||
|
SELECT
|
||||||
|
'awoooi',
|
||||||
|
grant_agents.agent_id,
|
||||||
|
upsert_tool.tool_id,
|
||||||
|
'migration:t16_rollout_verifier_seed',
|
||||||
|
'["read"]'::jsonb,
|
||||||
|
NULL,
|
||||||
|
FALSE,
|
||||||
|
NULL,
|
||||||
|
NULL
|
||||||
|
FROM upsert_tool
|
||||||
|
CROSS JOIN grant_agents
|
||||||
|
ON CONFLICT (project_id, agent_id, tool_id)
|
||||||
|
DO UPDATE SET
|
||||||
|
granted_scopes = EXCLUDED.granted_scopes,
|
||||||
|
expires_at = NULL,
|
||||||
|
is_revoked = FALSE,
|
||||||
|
revoked_at = NULL,
|
||||||
|
revoked_by = NULL
|
||||||
|
RETURNING grant_id
|
||||||
|
)
|
||||||
|
SELECT
|
||||||
|
'k8s_watch_rollout_read_grants' AS seed,
|
||||||
|
(SELECT count(*) FROM upsert_tool) AS tool_rows,
|
||||||
|
(SELECT count(*) FROM upsert_grants) AS grant_rows;
|
||||||
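Review bot: The conflict arm of `upsert_grants` unconditionally clears `is_revoked`, `revoked_at`, `revoked_by` and `expires_at`, so if either agent's grant on this tool was revoked or given an expiry before the seed runs (or the seed is re-applied later), the migration silently reinstates a non-expiring grant and erases the revocation record. `granted_by` is not in the SET list, so a reinstated row would still name its original grantor rather than this migration. Consider leaving revoked rows alone and recording provenance, e.g. `DO UPDATE SET granted_scopes = EXCLUDED.granted_scopes, granted_by = EXCLUDED.granted_by WHERE awooop_mcp_grants.is_revoked = FALSE`; the `grant_rows` count in the final SELECT would then show when a grant was skipped. The same concern applies to `is_active = TRUE` in the `upsert_tool` conflict arm, which would re-enable a tool that had been deactivated.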
@@ -0,0 +1,24 @@
|
|||||||
|
-- Roll back T16 rollout verifier read grant seed.
|
||||||
|
|
||||||
|
SELECT set_config('app.project_id', 'awoooi', FALSE);
|
||||||
|
|
||||||
|
UPDATE awooop_mcp_grants
|
||||||
|
SET
|
||||||
|
is_revoked = TRUE,
|
||||||
|
revoked_at = NOW(),
|
||||||
|
revoked_by = 'migration:t16_rollout_verifier_seed_down'
|
||||||
|
WHERE project_id = 'awoooi'
|
||||||
|
AND agent_id IN ('pre_decision_investigator', 'post_execution_verifier')
|
||||||
|
AND tool_id IN (
|
||||||
|
SELECT tool_id
|
||||||
|
FROM awooop_mcp_tool_registry
|
||||||
|
WHERE project_id = 'awoooi'
|
||||||
|
AND tool_name = 'k8s_watch_rollout'
|
||||||
|
);
|
||||||
|
|
||||||
|
UPDATE awooop_mcp_tool_registry
|
||||||
|
SET
|
||||||
|
is_active = FALSE,
|
||||||
|
updated_at = NOW()
|
||||||
|
WHERE project_id = 'awoooi'
|
||||||
|
AND tool_name = 'k8s_watch_rollout';
|
||||||
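Review bot: The grants UPDATE matches on project, agent and tool only, so rolling back revokes any grant these two agents hold on `k8s_watch_rollout`, including one that existed before the seed (the up migration's ON CONFLICT path keeps such a row's original `granted_by`). Adding `AND granted_by = 'migration:t16_rollout_verifier_seed'` and `AND is_revoked = FALSE` would limit the rollback to rows this seed created and avoid overwriting `revoked_at`/`revoked_by` on grants that were already revoked. The second UPDATE deactivates the tool for the whole project while grants held by other agents stay unrevoked; whether the gateway checks `is_active` before honouring a grant is not visible here, so a comment stating that assumption would help.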