Skip to content

docs(gate): document agent-JWT API surface + gate auth_middleware drift#1856

Merged
jaylfc merged 2 commits into
devfrom
docs/gate-agent-api
Jul 16, 2026
Merged

docs(gate): document agent-JWT API surface + gate auth_middleware drift#1856
jaylfc merged 2 commits into
devfrom
docs/gate-agent-api

Conversation

@jaylfc

@jaylfc jaylfc commented Jul 16, 2026

Copy link
Copy Markdown
Owner

The doc-gate is structural (app/route/installer/catalog file add-or-remove + dead-link invariants). It does NOT catch behavior/content drift inside existing files, so the identity epic's new agent scopes (canvas, doc-review, per-project grant access) drifted agent-coordination.md while the gate kept passing.

  • agent-coordination.md: adds an 'Agent API surface' section documenting the full scoped agent-JWT route set (project_tasks / canvas_read+write / project_doc_review / a2a) + the per-project grant model + onboarding (consent / invite).
  • doc-gate.toml: new agent-api rule so future changes to auth_middleware.py (the agent-token allowlist) require touching that doc or a Docs-Reviewed: trailer; adds docs/agent-manual/index.md to the dead-link scan.

The remaining gap (a dedicated agent-manual Projects/Canvas page the invite onboarding kit links to) is folded into invite slice S2.

… drift

The doc-gate is structural (fires on app/route/installer/catalog file add or
remove), so behavior changes inside existing route files (the identity epic's
canvas + doc-review scopes, per-project grant access) drifted the coordination
doc without tripping it. Fixes:
- agent-coordination.md now documents the full scoped agent-JWT surface
  (project_tasks, canvas_read/write, project_doc_review, a2a_send/receive) +
  the per-project grant model + how external agents onboard (consent / invite).
- doc-gate.toml: new 'agent-api' rule so changes to auth_middleware.py require
  updating that doc (or a Docs-Reviewed trailer); add docs/agent-manual/index.md
  to the referenced-paths dead-link scan.
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@jaylfc, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 16 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: abe6c8c0-7412-4906-b01a-19b86f9290b0

📥 Commits

Reviewing files that changed from the base of the PR and between 6d9d9f5 and 9604913.

📒 Files selected for processing (2)
  • docs/agent-coordination.md
  • docs/doc-gate.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/gate-agent-api

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gitar-bot

gitar-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

Important

You are using the Gitar free plan. Upgrade to unlock code review, CI analysis, auto-apply, custom automations, and more.

Gitar

@jaylfc jaylfc enabled auto-merge (squash) July 16, 2026 18:42
Comment thread docs/doc-gate.toml

[[rules]]
name = "agent-api"
when_changed = ["tinyagentos/auth_middleware.py"]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: This rule cannot fire on the change it targets — the gate only triggers on structural (add/delete) changes, not modifications.

check_doc_gate.py (lines 165-179) triggers a rule only when a matched path has git status A (added) or D (deleted), explicitly ignoring plain modifications (M) to keep the gate precise. auth_middleware.py already exists, so its allowlist edits will always be M and will never trigger this rule. The rule will only fire if auth_middleware.py is newly created or deleted — neither of which is the intended event ("the agent-token route allowlist changed").

This means the gate this PR claims to add (and that the doc text at agent-coordination.md:123 relies on) provides zero protection against allowlist edits. Either the gate engine needs a modification-aware trigger for this rule, or the claim that "the doc-gate enforces it" is incorrect. Recommend documenting the limitation, or extending the engine (e.g. a on_modify flag per rule) so this rule actually fires.

- **project_tasks** (the kanban board): `GET /api/projects/{pid}/tasks`,
`.../tasks/ready`, `.../tasks/{id}`, `.../tasks/{id}/comments` (GET + POST),
`POST .../tasks/{id}/(claim|release|close|reopen)`, and
`GET /api/projects/tasks/{id}/context`. Granting project_tasks also makes the

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: Route path inconsistency — context uses a different project path shape than the other project_tasks routes.

Every other project_tasks route is documented as /api/projects/{pid}/tasks/... (lines 105-107), but this one is GET /api/projects/tasks/{id}/context — no {pid} segment, and the literal tasks sits directly under projects. This is likely a typo for /api/projects/{pid}/tasks/{id}/context. Even as documentation, an inconsistent path will mislead anyone wiring up or auditing an agent client. Verify against the actual route registration in tinyagentos/routes/ and align it.

@kilo-code-bot

kilo-code-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 1
Issue Details (click to expand)

WARNING

File Line Issue
docs/doc-gate.toml 47 The new agent-api rule cannot fire on the change it targets: check_doc_gate.py only triggers on add/delete (A/D) status, never on modifications (M). Since auth_middleware.py already exists, allowlist edits are M and will never trip the gate, so the claim that "the doc-gate enforces it" is false.

SUGGESTION

File Line Issue
docs/agent-coordination.md 108 Route-path inconsistency: GET /api/projects/tasks/{id}/context lacks the {pid} segment used by every other project_tasks route (/api/projects/{pid}/tasks/...). Likely a typo; verify against the actual route registration.
Files Reviewed (2 files)
  • docs/agent-coordination.md - 1 issue (SUGGESTION)
  • docs/doc-gate.toml - 1 issue (WARNING)

Fix these issues in Kilo Cloud


Reviewed by hy3:free · Input: 71K · Output: 3K · Cached: 160.6K

@jaylfc jaylfc merged commit f145ccd into dev Jul 16, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant