fix(authz): check authorization through gateway

[deepthi-rao-scale]

Summary

• remove the local authorization-check cache from AuthorizationService.check
• route agent, task, api key, and schedule authorization checks directly through Spark
• update unit and integration tests to expect repeated authorization checks to call Spark

Why

Sharing/revoking permissions updates Spark directly, but Agentex's local authorization-check cache was not centrally managed or invalidated by Spark. A cached allow/deny could remain stale until TTL expiry, so checks now ask Spark for current permission state.

Test Plan

• uv run ruff check src/domain/services/authorization_service.py tests/unit/services/test_authorization_service_cache.py tests/integration/api/agents/test_agents_auth_api.py
• uv run --group test pytest tests/unit/api/test_authentication_cache_metrics.py tests/unit/services/test_authorization_service_cache.py tests/unit/services/test_authorization_service_logging.py tests/unit/api/test_agents_authz.py tests/unit/api/test_tasks_authz.py tests/unit/api/test_schedules_authz.py tests/unit/api/test_agent_api_keys_authz.py -q
• uv run --group test pytest tests/integration/api/agents/test_agents_auth_api.py::TestAgentsAuthAPIIntegration::test_agent_check --collect-only -q

Note: local execution of the Docker-backed integration test was blocked because Docker was unavailable in this environment; CI should run it with Docker.

Greptile Summary

This PR removes the local in-process authorization-check cache from AuthorizationService.check, routing every check call directly to the Spark gateway so that share/revoke changes are immediately visible rather than waiting for a TTL expiry.

• authorization_service.py: Drops the get_auth_cache import and removes the cache read/write blocks from check(), leaving the method as a thin pass-through to self.gateway.check.
• test_authorization_service_cache.py: New parametrized unit test covering all four resource types (agent, task, api_key, schedule) to confirm gateway.check is called on every invocation.
• test_agents_auth_api.py: Updates test_agent_check to assert one /v1/authz/check call on the second HTTP request (previously zero, thanks to the now-removed cache); test_agent_list is unchanged because list_resources was never cached.

Confidence Score: 5/5

Safe to merge — the change is a targeted removal of a stale local cache with no risk of data loss or regression in authorization decisions.

The diff is a clean deletion of ~20 lines of caching logic. The gateway call it exposed already existed and is exercised by both the new parametrized unit test and the updated integration test. The list_resources path (authz/search) was already uncached and is unaffected. No new code paths are introduced.

No files require special attention.

Important Files Changed

Filename	Overview
agentex/src/domain/services/authorization_service.py	Removed local authorization-check cache (get_auth_cache import and all cache get/set calls in check()); every authorization check now flows directly to the Spark gateway. Change is targeted and correct.
agentex/tests/unit/services/test_authorization_service_cache.py	New unit test verifying that gateway.check is called on every invocation (no caching) across all four resource types (agent, task, api_key, schedule).
agentex/tests/integration/api/agents/test_agents_auth_api.py	Updated test_agent_check to assert a second HTTP request still produces one /v1/authz/check call instead of zero, matching the new no-cache behavior. test_agent_list (list_resources path) was not modified since it already called authz/search each time.

Sequence Diagram

sequenceDiagram
    participant Client
    participant AuthorizationService
    participant SparkGateway

    Note over AuthorizationService: Before this PR
    Client->>AuthorizationService: check(resource, op) [call 1]
    AuthorizationService->>SparkGateway: gateway.check(...)
    SparkGateway-->>AuthorizationService: allowed/denied
    AuthorizationService-->>Client: result (cached locally)

    Client->>AuthorizationService: check(resource, op) [call 2]
    Note over AuthorizationService: Cache HIT – no RPC
    AuthorizationService-->>Client: cached result (possibly stale)

    Note over AuthorizationService: After this PR
    Client->>AuthorizationService: check(resource, op) [call 1]
    AuthorizationService->>SparkGateway: gateway.check(...)
    SparkGateway-->>AuthorizationService: allowed/denied
    AuthorizationService-->>Client: result

    Client->>AuthorizationService: check(resource, op) [call 2]
    AuthorizationService->>SparkGateway: gateway.check(...)
    SparkGateway-->>AuthorizationService: allowed/denied (always fresh)
    AuthorizationService-->>Client: result

Loading

_{Reviews (2): Last reviewed commit: "fix(authz): check authorization through ..." | Re-trigger Greptile}