feat(rbac): share knowledge bases with teams via OpenFGA reconciler #1574
Closed
sriaradhyula wants to merge 1 commit into
PR 3 of the 2026-05-27 fine-grained KB ReBAC plan. KB admins (anyone with `knowledge_base:<id>#can_manage`) and org admins can now share a Knowledge Base with additional teams from a dedicated panel.

- New `/knowledge-bases/sharing/[id]` page hosts `KbSharingPanel`, which uses the existing `TeamMultiPicker` plus an Effective-Access callout listing reader/manager teams and org admins.
- `PUT /api/rag/kbs/[id]/sharing` reconciles the team list through `reconcileKnowledgeBaseRelationships` (gated by `knowledge_base:<id>#can_manage` with `bypassForOrgAdmin: true`).
- `buildKnowledgeBaseRelationshipTupleDiff` now diffs `nextSharedTeamSlugs` vs `previousSharedTeamSlugs` and emits explicit deletes for teams the operator unchecks (mirrors `reconcileAgentRelationships`).
- New `knowledge_base_shared_team_grants_backfill_v1` migration walks the legacy `team_kb_ownership` Mongo collection and writes the canonical `team:<slug>#member reader knowledge_base:<id>` plus `team:<slug>#admin manager knowledge_base:<id>` tuples for every existing (team, kb) row so admins can migrate without losing access.
- `schema-area-classifications.ts` reclassifies `team_kb_ownership` as a `migration` schema area to keep the registry guardrails passing.
- RBAC docs (architecture / file-map / pdp-coverage-audit) describe the new sharing panel, route, and backfill migration.

Tests added: `openfga-kb-shared-teams.test.ts` (reconciler diff), `sharing-route.test.ts` (BFF route), and four new cases in `agent-organization-inheritance.test.ts` for the backfill migration.

Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
🧪 CAIPE UI Test Results

✅ All tests passed

🟠 Overall Coverage: 55%
Prebuild Artifacts for

| Artifact | Image | Tag | Status | CI |
|---|---|---|---|---|
| caipe-ui | ghcr.io/cnoe-io/prebuild/caipe-ui | feat-rbac-kb-share-with-teams-2 | Published | CI |

Docker pull commands

`docker pull ghcr.io/cnoe-io/prebuild/caipe-ui:feat-rbac-kb-share-with-teams-2`

These prebuild artifacts will be automatically cleaned up when the PR is closed or merged.
Superseded by collapsed replacement PR #1584.
Summary

PR 3 of the 2026-05-27 fine-grained KB ReBAC plan (see `docs/docs/specs/2026-05-27-fine-grained-rbac-for-withauth-routes/plan.md`).

KB admins (`knowledge_base:<id>#can_manage`) and org admins can now share a Knowledge Base with additional teams from a dedicated panel that uses the existing `TeamMultiPicker` plus an Effective-Access callout.

- `/knowledge-bases/sharing/[id]` page hosts `KbSharingPanel`. Picker mirrors how agents are shared.
- `PUT /api/rag/kbs/[id]/sharing` reconciles the team list through `reconcileKnowledgeBaseRelationships`. Gated by `knowledge_base:<id>#can_manage` with `bypassForOrgAdmin: true` so org admins (PR 1's super-grant) are always allowed.
- `buildKnowledgeBaseRelationshipTupleDiff` now diffs `nextSharedTeamSlugs` vs `previousSharedTeamSlugs` and emits explicit deletes for teams the operator unchecks, mirroring how `reconcileAgentRelationships` handles shared agent teams. Unchecking a team revokes both the `team:<slug>#member reader` and `team:<slug>#admin manager` tuples in a single OpenFGA write.
- `knowledge_base_shared_team_grants_backfill_v1` walks the legacy `team_kb_ownership` Mongo collection and writes the canonical `team:<slug>#member reader knowledge_base:<id>` + `team:<slug>#admin manager knowledge_base:<id>` tuples for every existing (team, kb) row so admins can migrate without losing access.
- `schema-area-classifications.ts` reclassifies `team_kb_ownership` as a `migration` schema area so `registry-guardrails.test.ts` keeps passing.

Stacked on

This PR is stacked on:

- `prebuild/fix/rbac-kb-org-admin-super-grant`
- `prebuild/feat/ui-kb-tab-gates`

Base branch is `prebuild/feat/ui-kb-tab-gates`. Merge order: 1 → 2 → 3.

Test plan

- `npx jest --testPathPatterns "openfga-kb-shared-teams|agent-organization-inheritance|sharing-route"` — 25 passed.
- `npx eslint` on all changed files — 0 errors.
- `/knowledge-bases/sharing/<kb-id>`, share with a second team, confirm a member of that team can now see the KB on `/knowledge-bases`.
- `knowledge_base_shared_team_grants_backfill_v1` migration in dry-run, confirm the planned tuples match the existing `team_kb_ownership` Mongo rows.

Assisted-by: Claude:claude-opus-4-7
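
The shared-team diff described in the summary above, as an added TypeScript example that is not code from this PR or the project. `teamGrantTuples`, `normalizeSlugs`, `diffSharedTeams`, `formatTuple`, the KB id and the team slugs are hypothetical, and trimming/de-duplicating slugs is an assumption; only the two tuple shapes come from the description.

```typescript
// Added illustration; all names here are hypothetical, not the project's API.
type Tuple = { user: string; relation: string; object: string };

// Two grants per shared team, in the tuple shapes the PR description names.
function teamGrantTuples(kbId: string, teamSlug: string): Tuple[] {
  const object = `knowledge_base:${kbId}`;
  return [
    { user: `team:${teamSlug}#member`, relation: "reader", object },
    { user: `team:${teamSlug}#admin`, relation: "manager", object },
  ];
}

// Assumption: trim, drop empties, de-duplicate and sort so the diff is deterministic.
function normalizeSlugs(slugs: string[]): string[] {
  const seen = new Set<string>();
  for (const raw of slugs) {
    const slug = raw.trim();
    if (slug.length > 0) seen.add(slug);
  }
  return Array.from(seen).sort();
}

// Newly checked teams become writes; unchecked teams become explicit deletes of
// BOTH grants, so no reader or manager tuple is left behind after an unshare.
// Teams present on both sides produce nothing.
function diffSharedTeams(kbId: string, previous: string[], next: string[]): { writes: Tuple[]; deletes: Tuple[] } {
  const prev = normalizeSlugs(previous);
  const nxt = normalizeSlugs(next);
  const writes: Tuple[] = [];
  const deletes: Tuple[] = [];
  for (const slug of nxt) {
    if (prev.indexOf(slug) === -1) writes.push(...teamGrantTuples(kbId, slug));
  }
  for (const slug of prev) {
    if (nxt.indexOf(slug) === -1) deletes.push(...teamGrantTuples(kbId, slug));
  }
  return { writes, deletes };
}

// One-line rendering, convenient for a dry-run log of the planned changes.
function formatTuple(t: Tuple): string {
  return `${t.user} ${t.relation} ${t.object}`;
}

// Constructed sample: "platform" stays, "data" is unchecked, "sre" is added twice.
const sampleDiff = diffSharedTeams("kb-123", ["platform", "data"], ["platform", "sre", " sre "]);
console.log("write:", sampleDiff.writes.map(formatTuple));
console.log("delete:", sampleDiff.deletes.map(formatTuple));
```
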