feat(api-server): RBAC enforcement with scope-aware authorization (#1660)

## Summary

Implements specs/security/rbac-enforcement.spec.md — scope-aware RBAC
authorization for the ambient-api-server.

- **Scope-aware middleware**: Evaluates bindings against the specific
project/agent/session/credential being accessed
- **User auto-provisioning**: Creates User record from JWT claims on
first authenticated request
- **Bootstrap bindings**: project:owner on POST /projects,
credential:owner on POST /credentials
- **List filtering**: Projects, sessions, credentials filtered to
caller's authorized scope
- **Error opacity**: Singleton GET returns 404 (not 403), mutations
return opaque 403
- **Escalation prevention**: Role hierarchy enforced, internal roles
blocked, scoped to target project
- **Last-owner protection**: 409 on deleting sole owner binding
- **Credential binding**: Requires both credential:owner AND
project:owner
- **gRPC authorization**: Watch streams filtered by authorized project
IDs
- **seed-admin CLI**: Initial admin bootstrap command
- **New Project button**: Dashboard dialog with DNS-1123 validation

## Test plan

- [x] 124 e2e tests passing (idempotent, self-cleaning)
- [x] Generative escalation matrix: 43 combinations derived from
hierarchy rule
- [x] Integration tests with real RBAC middleware
- [x] Unit tests for scope extraction, permission matching, hierarchy
checks
- [x] E2e wired into CI pipeline

Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* RBAC enforcement with role hierarchies and scope-aware permissions;
list endpoints now hide/disallow items when unauthorized
  * Automatic owner bindings for newly created projects and credentials
  * Admin-seed CLI for bootstrapping an admin account
* UI: "New Project" dialog with DNS-1123 name validation and create flow
  * Credential token access now subject to RBAC controls

* **Bug Fixes**
  * Last-owner protection for role bindings
  * Partial unique username index to prevent duplicate users

* **Tests**
* Comprehensive RBAC integration tests and a new end-to-end RBAC test
suite
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Author: 3 people

.github/workflows/e2e.yml

@@ -32,6 +32,7 @@ jobs:
       backend: ${{ steps.filter.outputs.backend }}
       operator: ${{ steps.filter.outputs.operator }}
       claude-runner: ${{ steps.filter.outputs.claude-runner }}
+      api-server: ${{ steps.filter.outputs.api-server }}
     steps:
       - name: Checkout PR code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -55,6 +56,8 @@ jobs:
               - 'components/operator/**'
             claude-runner:
               - 'components/runners/**'
+            api-server:
+              - 'components/ambient-api-server/**'
 
   e2e:
     name: End-to-End Tests
@@ -142,6 +145,8 @@ jobs:
            docker tag quay.io/ambient_code/vteam_claude_runner:latest quay.io/ambient_code/vteam_claude_runner:e2e-test) &
           pull_pids+=($!)
         fi
+        # api-server is always built from branch code (no pull fallback)
+        # because RBAC e2e tests require the branch's middleware
         for pid in "${pull_pids[@]}"; do
           wait "$pid" || exit 1
         done
@@ -186,6 +191,18 @@ jobs:
           type=gha,scope=e2e-ambient-runner
         cache-to: type=gha,mode=max,scope=e2e-ambient-runner
 
+    - name: Build api-server image
+      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+      with:
+        context: components/ambient-api-server
+        file: components/ambient-api-server/Dockerfile
+        load: true
+        tags: quay.io/ambient_code/vteam_api_server:e2e-test
+        cache-from: |
+          type=gha,scope=api-server-amd64
+          type=gha,scope=e2e-api-server
+        cache-to: type=gha,mode=max,scope=e2e-api-server
+
     - name: Show built images
       run: docker images | grep e2e-test
 
@@ -222,6 +239,7 @@ jobs:
           quay.io/ambient_code/vteam_backend:e2e-test \
           quay.io/ambient_code/vteam_operator:e2e-test \
           quay.io/ambient_code/vteam_claude_runner:e2e-test \
+          quay.io/ambient_code/vteam_api_server:e2e-test \
           | kind load image-archive /dev/stdin --name ambient-local
         echo "All images loaded into kind cluster"
 
@@ -232,6 +250,7 @@ jobs:
         IMAGE_BACKEND: quay.io/ambient_code/vteam_backend:e2e-test
         IMAGE_OPERATOR: quay.io/ambient_code/vteam_operator:e2e-test
         IMAGE_RUNNER: quay.io/ambient_code/vteam_claude_runner:e2e-test
+        DEFAULT_API_SERVER_IMAGE: quay.io/ambient_code/vteam_api_server:e2e-test
       run: ./scripts/deploy.sh
 
     - name: Verify deployment
@@ -317,6 +336,19 @@ jobs:
         done
         ./scripts/run-tests.sh
 
+    - name: Run RBAC enforcement E2E tests
+      run: |
+        # Port-forward api-server and keycloak for RBAC tests.
+        # The test script (Phase 0.5) handles all deployment patching,
+        # JWT/authz enablement, rollout, and port-forward re-establishment.
+        kubectl port-forward -n ambient-code svc/ambient-api-server 13592:8000 &
+        kubectl port-forward -n ambient-code svc/keycloak-service 18592:8080 &
+        sleep 3
+
+        API_URL=http://localhost:13592/api/ambient/v1 \
+        KC_URL=http://localhost:18592 \
+        bash components/ambient-api-server/test/e2e/rbac_e2e_test.sh
+
     - name: Upload test results
       if: failure()
       uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6

.github/workflows/lint.yml

@@ -226,6 +226,24 @@ jobs:
           working-directory: components/ambient-api-server
           args: --timeout=5m
 
+      - name: Check OpenAPI generated code is up to date
+        run: |
+          cd components/ambient-api-server
+          make generate
+          if ! git diff --quiet pkg/api/openapi/; then
+            echo ""
+            echo "============================================"
+            echo "ERROR: Generated OpenAPI code is out of date"
+            echo "============================================"
+            echo ""
+            echo "The following files differ from what 'make generate' produces:"
+            git diff --name-only pkg/api/openapi/
+            echo ""
+            echo "Run 'cd components/ambient-api-server && make generate' and commit the result."
+            exit 1
+          fi
+          echo "OpenAPI generated code is up to date."
+
   go-cli:
     runs-on: ubuntu-latest
     needs: detect-changes

components/ambient-api-server/cmd/ambient-api-server/environments/e_integration_testing.go

@@ -33,7 +33,6 @@ func (e *IntegrationTestingEnvImpl) OverrideConfig(c *config.ApplicationConfig)
 }
 
 func (e *IntegrationTestingEnvImpl) OverrideServices(s *pkgenv.Services) error {
-	s.SetService("RBACMiddleware", nil)
 	return nil
 }
 
@@ -52,7 +51,7 @@ func (e *IntegrationTestingEnvImpl) Flags() map[string]string {
 		"api-base-url":                    "https://api.integration.openshift.com",
 		"enable-https":                    "false",
 		"enable-metrics-https":            "false",
-		"enable-authz":                    "true",
+		"enable-authz":                    "false",
 		"debug":                           "false",
 		"enable-mock":                     "true",
 		"api-server-bindaddress":          "localhost:0",

components/ambient-api-server/cmd/ambient-api-server/environments/e_production.go

@@ -37,7 +37,6 @@ func (e *ProductionEnvImpl) OverrideConfig(c *config.ApplicationConfig) error {
 		c.Auth.JwkCertURL = defaultJwkCertURL
 	}
 
-	c.Auth.JwkCertFile = ""
 	return nil
 }
 

components/ambient-api-server/cmd/ambient-api-server/main.go

@@ -36,6 +36,7 @@ func main() {
 		pkgcmd.NewMigrateCommand("ambient-api-server"),
 		pkgcmd.NewServeCommand(localapi.GetOpenAPISpec),
 		localcmd.NewEncryptCredentialsCommand(),
+		localcmd.NewSeedAdminCommand(),
 	)
 
 	if err := rootCmd.Execute(); err != nil {