feat: add gateway action composition boundary#39
Conversation
|
I had Claude verify whether the new action composition evidence is actually emitted through the gateway audit path. Below is an update to the PR description based on the investigation: If the change affects authentication or audit behavior
Audit note: Composition evidence is injected into are not emitted as audit payload fields. The emitted decision audit event does record the composed action, for example: rather than the original bare action: This behavior is now covered by a test. Preserving the full composition evidence in emitted audit records would require a separate |
Summary
This PR adds an action-composition boundary to
basis-gateway.The change resolves a mismatch identified during action vocabulary reconciliation across the BASIS ecosystem.
Previously:
The gateway now supports both kernel-compatible requests and adapter-normalized requests. When a bare action and resource type are provided, the gateway composes a kernel-compatible action string before invoking
basis-core.This preserves the intended architecture:
The gateway remains the request assembly boundary and does not define authorization policy, protocol semantics, or action vocabulary ownership.
Checklist
Step 1 — Identify affected surfaces
Check every surface this PR touches:
src/basis_gateway/auth/)src/basis_gateway/auth/subject_mapper.py)src/basis_gateway/audit/)src/basis_gateway/readiness.py)src/basis_gateway/api/schemas.py)src/basis_gateway/config.py)src/basis_gateway/middleware/)README.md,docs/)Step 2 — Classify the change
If the change affects authentication or audit behavior
SECURITY.mdanddocs/release-readiness.mdstill holdIf the change modifies
basis-coreintegrationbasis-core/docs/public-api.md)basis_coreinternalsTests
This PR adds:
Validation completed successfully:
pytestpasses locally (326 passed)ruff checkpassesruff format --checkpassesmypy srcpasses