Skip to content

feat(auth): add create bank validation hook#2395

Open
Sanderhoff-alt wants to merge 1 commit into
vectorize-io:mainfrom
Sanderhoff-alt:auth-create-bank-validation-hook
Open

feat(auth): add create bank validation hook#2395
Sanderhoff-alt wants to merge 1 commit into
vectorize-io:mainfrom
Sanderhoff-alt:auth-create-bank-validation-hook

Conversation

@Sanderhoff-alt

@Sanderhoff-alt Sanderhoff-alt commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Add a dedicated validate_create_bank() operation-validator hook and CreateBankContext for authorizing bank creation before a missing bank row is inserted. The default implementation accepts everything, so deployments without a custom validator keep their existing behavior.

Route lazy bank creation through the hook from retain, async retain, template/document/bank imports, MCP create_bank, and the default get_bank_profile() auto-create path. Existing-bank paths skip the hook.

Why

Bank creation is different from ordinary bank-scoped writes. Hooks such as validate_bank_write() operate on an existing target bank and many extension implementations can reasonably assume the bank row already exists when checking membership, metadata, or bank-scoped policy. Even delete_bank is still a write against an existing bank.

Create-bank authorization has to happen before the bank row exists. Placing this behind a precise validate_create_bank() hook avoids forcing validate_bank_write() implementations to special-case a missing target bank and keeps the create-bank capability separate from per-bank operation names.

This also closes the authorization gap for lazy creation paths: retain, imports, MCP create_bank, and direct get_bank_profile() auto-create now share one creation authorization point.

Compatibility

The hook defaults to ValidationResult.accept(), matching the existing no-op behavior for deployments without a custom operation validator. Existing banks do not trigger the create-bank hook.

Validation

  • uv run pytest hindsight-api-slim/tests/test_extensions.py::TestMemoryEngineValidation hindsight-api-slim/tests/test_mcp_tools.py::TestTagsAndBankTools hindsight-api-slim/tests/test_bank_templates.py::TestImportValidation

Fixes #2488

@Sanderhoff-alt

Copy link
Copy Markdown
Contributor Author

One design note for discussion: this PR currently implements create-bank authorization as a new, dedicated operation-validator hook. Another possible direction would be to keep reusing the existing bank-management hook surface and extend the operation enum to represent bank creation explicitly.

I chose the new hook because create-bank is slightly different from ordinary bank-scoped writes: the target bank may not exist yet, so validators that assume an existing bank record or bank-scoped policy state can become awkward. That said, reusing the existing hook with a clearer operation value may be a better fit if we want to keep the extension API smaller.

I think the right abstraction is worth discussing before finalizing this API shape.

@Sanderhoff-alt Sanderhoff-alt force-pushed the auth-create-bank-validation-hook branch from f7a5d45 to f58145d Compare June 30, 2026 08:58
Add a precise operation-validator hook for bank creation, with a
no-op default so deployments without custom validators keep existing
behavior.

Route lazy bank creation through the hook from retain, imports, MCP
create_bank, and the default get_bank_profile auto-create path. This
keeps create-bank authorization separate from bank-scoped write
validation, which often assumes the target bank already exists.

Add regression coverage for rejected creation, existing-bank skips,
HTTP create/import paths, async retain, profile auto-create, and MCP
create_bank.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add authorization hook for bank creation

1 participant