docs(adr): ADR-0073 — automation execution identity (non-human principal for user-less runs)#2318
Merged
Merged
Conversation
…pal for user-less runs) Completes the identity model (ADR-0068 unified the human surface) by adding the non-human / automation identity that user-less runs need: - Automation is a first-class identity expressed as built-in roles (`automation` org-scoped, `platform_automation` unscoped) — the ADR-0068 idiom; no anonymous run. - `runAs` becomes an authorization POSTURE (user / automation-with-RLS / system), decoupling authorization from attribution; `automation` (RLS-enforced) is the new safe default for user-less triggers, `system` (god-mode) unchanged for back-compat. - Attribution always concrete (audit actor), decoupled from record ownership so automation never silently owns the rows it writes (owner-RLS would hide them). - User-less `runAs:'user'` is a configuration error. Staged per ADR-0049: contract + seeded roles + lint completeness now (non-breaking, mirrors ADR-0068 v1); runtime wiring (attribution then RLS-enforced authorization + scopable grants) deferred to M2. Grounds the decision in how Salesforce / ServiceNow / AWS IAM / K8s / iPaaS / GitHub Actions handle automation identity. Status: Proposed — for discussion. Refs #1888, #2308; builds on ADR-0049/0057/0066/0068. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
…, defer runtime to M2 (gated on first consumer)
…se (ADR-0002); automation principal is per-env Data-Plane, cross-env is Control-Plane
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Status: Proposed — opened for discussion (not for immediate merge).
Follow-up to #1888 / #2308. #2308 made the schedule/user-less
runAs:'user'fail-open audible but deliberately left the runtime identity unchanged, because the real fix is a platform-identity decision. This ADR records it.The decision in one breath
ObjectStack conflates two axes into "is
userIdpresent?": authorization (what may the run do) and attribution (who did it). That's why a user-less scheduled run both skips into god-mode and writescreated_by = NULL. ADR-0073 separates them, in the ADR-0068 idiom:automation(org-scoped) andplatform_automation(unscoped, platform-only). No anonymous run.runAsbecomes an authorization posture:user/automation(RLS-enforced — the Salesforce "with sharing" middle, new default for user-less triggers) /system(god-mode, unchanged for back-compat).runAs:'user'is a config error.Why this shape
Grounded in how Salesforce (Automated Process user + system-with/without-sharing), ServiceNow (Run-as service account), AWS IAM (execution roles, least-privilege), Kubernetes (ServiceAccount), iPaaS (connection owner), and GitHub Actions (least-privilege token) all converge on four invariants: automation runs as a concrete non-human principal; authorization ≠ attribution; safe explicit defaults; elevation is explicit + audited.
It's a platform primitive, not a flow feature —
plugin-reports(already hand-rollingSYSTEM_CTX), audit, ADR-0057 lifecycle jobs, webhooks, and AI agents are all consumers.Staging (per ADR-0049)
runAs:'user'→ validation error). Runtime behavior unchanged.automation-default RLS-enforced authorization + scopable grants (default-broad → tighten).runAs:'system'unchanged throughout.Open questions called out in the ADR's "Alternatives" + costs. Builds on ADR-0049 / 0057 / 0066 / 0068.
🤖 Generated with Claude Code