feat(auth): add create bank validation hook#2395
Open
Sanderhoff-alt wants to merge 1 commit into
Open
Conversation
Contributor
Author
|
One design note for discussion: this PR currently implements create-bank authorization as a new, dedicated operation-validator hook. Another possible direction would be to keep reusing the existing bank-management hook surface and extend the operation enum to represent bank creation explicitly. I chose the new hook because create-bank is slightly different from ordinary bank-scoped writes: the target bank may not exist yet, so validators that assume an existing bank record or bank-scoped policy state can become awkward. That said, reusing the existing hook with a clearer operation value may be a better fit if we want to keep the extension API smaller. I think the right abstraction is worth discussing before finalizing this API shape. |
f7a5d45 to
f58145d
Compare
Add a precise operation-validator hook for bank creation, with a no-op default so deployments without custom validators keep existing behavior. Route lazy bank creation through the hook from retain, imports, MCP create_bank, and the default get_bank_profile auto-create path. This keeps create-bank authorization separate from bank-scoped write validation, which often assumes the target bank already exists. Add regression coverage for rejected creation, existing-bank skips, HTTP create/import paths, async retain, profile auto-create, and MCP create_bank.
f58145d to
6c3eeec
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a dedicated
validate_create_bank()operation-validator hook andCreateBankContextfor authorizing bank creation before a missing bank row is inserted. The default implementation accepts everything, so deployments without a custom validator keep their existing behavior.Route lazy bank creation through the hook from retain, async retain, template/document/bank imports, MCP
create_bank, and the defaultget_bank_profile()auto-create path. Existing-bank paths skip the hook.Why
Bank creation is different from ordinary bank-scoped writes. Hooks such as
validate_bank_write()operate on an existing target bank and many extension implementations can reasonably assume the bank row already exists when checking membership, metadata, or bank-scoped policy. Evendelete_bankis still a write against an existing bank.Create-bank authorization has to happen before the bank row exists. Placing this behind a precise
validate_create_bank()hook avoids forcingvalidate_bank_write()implementations to special-case a missing target bank and keeps the create-bank capability separate from per-bank operation names.This also closes the authorization gap for lazy creation paths: retain, imports, MCP
create_bank, and directget_bank_profile()auto-create now share one creation authorization point.Compatibility
The hook defaults to
ValidationResult.accept(), matching the existing no-op behavior for deployments without a custom operation validator. Existing banks do not trigger the create-bank hook.Validation
uv run pytest hindsight-api-slim/tests/test_extensions.py::TestMemoryEngineValidation hindsight-api-slim/tests/test_mcp_tools.py::TestTagsAndBankTools hindsight-api-slim/tests/test_bank_templates.py::TestImportValidationFixes #2488