feat(AGX1-274): record task creator identity and FGAC migration safety#246
Draft
asherfink wants to merge 1 commit into
Draft
feat(AGX1-274): record task creator identity and FGAC migration safety#246asherfink wants to merge 1 commit into
asherfink wants to merge 1 commit into
Conversation
asherfink
force-pushed
the
asher.fink/agx1-274-task-dual-write
branch
from
13fe4b2 to
7486e5a
Compare
5 tasks
asherfink
changed the title
4 tasks
…n creation Adds two nullable creator-audit columns to the tasks table — creator_user_id and creator_service_account_id — populated from the principal context at create time. A CHECK constraint (ck_tasks_one_creator) enforces that at most one is set. This replaces the earlier dual-write draft: grants are already issued unconditionally via grant_with_retry in agents_acp_use_case.py:239, and per-account rollout routing belongs in agentex-auth (private), not in this public Apache-2.0 codebase.
asherfink
force-pushed
the
asher.fink/agx1-274-task-dual-write
branch
from
7486e5a to
b9cb26b
Compare
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related work
This stack lands per-task FGAC for AGX1-264. Merge order: 2b → 2 → 3 (scale-agentex assumes agentex-auth understands
cancelbefore sending it).cancelopParent epic: AGX1-264. Follow-ups bundled in AGX1-291.
Summary
creator_user_id/creator_service_account_idto thetaskstable, populated from the request principal onAgentTaskService.create_task(best-effort — see caveat below).CHECK ((creator_user_id IS NULL) OR (creator_service_account_id IS NULL))to enforce at-most-one creator type at the DB layer (constraint name:ck_tasks_at_most_one_creator).ix_tasks_creator_user_idandix_tasks_creator_service_account_id(CREATE INDEX CONCURRENTLY) for future "tasks created by X" lookups.Migration safety
ALTER TABLE ... ADD CONSTRAINT ... NOT VALID+ALTER TABLE ... VALIDATE CONSTRAINT— splits the operation so the briefACCESS EXCLUSIVElock doesn't have to wait on an existence scan.tasksis a high-write table; even a quick CHECK addition withoutNOT VALIDwould queue behind in-flight transactions and block readers until released.a1f73ada66c5unchanged;migration_history.txt,downgrade(), and the ORM-sideCheckConstraintinorm.pyall untouched (constraint name + predicate identical).CONCURRENTLYin anautocommit_block.migration_history.txtalso recordsfinalize_spans_task_id(a9959ebcbe98) as a drive-by — that migration was already onmainbut its history line wasn't recorded.Audit-trail caveat
Creator attribution is best-effort: tasks created outside an HTTP request context (Temporal activities, background workers, any code path that constructs
AgentTaskServicewithoutrequest.state.principal_context) will leave both columns NULL. This is intentional for v1 — the CHECK constraint allows both-NULL, and the integration testtest_no_resolvable_creator_leaves_both_columns_nullexercises this path.What changed
database/migrations/alembic/versions/2026_05_21_1508_add_task_creator_columns_a1f73ada66c5.py(new): NOT VALID-pattern migration.src/adapters/orm.py: declarativeCheckConstraintmirroring the DB constraint.src/domain/entities/tasks.py: new optional fields onTaskEntity.src/domain/services/task_service.py:_principal_fieldhelper (handles dict/pydantic principal shape from the authn proxy);create_taskreadscreator_user_id/creator_service_account_idfrom principal context.test_task_audit_columns.pyexercises a real Postgres via testcontainers (creator population, mutual-exclusion CHECK, both-NULL allowed). Existing unit/integration tests updated for the new constructor signature.Test plan
migration_lint.py— clean.test_task_audit_columns.py— 7/7 pass locally via testcontainers against real Postgres; runs in the CI unit + integration suite on every push.\d tasksshows the new columns + constraint + indexes, runANALYZEif needed.