
feat(test-support): Triton-fronted trust knobs — groups_claim, extra_issuers, ExtraIssuer #239

Merged
jrosskopf merged 1 commit into main from feat/test-support-triton-trust-knobs on Jul 3, 2026

@jrosskopf jrosskopf commented Jul 3, 2026


Summary

Lets an application test stand Escurel up in its deployed, Triton-fronted shape: ConfigOverrides { groups_claim, extra_issuers } (the production ESCUREL_AUTH_GROUPS_CLAIM / additional-issuer trust, already supported by escurel-auth — this only threads them through test-support), claim-aware TestIssuer minting (groups under both roles and the configured claim, so admin projection and every existing principal keep working when the knob is set), and a public ExtraIssuer for second-issuer tokens with audience arrays + custom claims (no wiremock/jsonwebtoken leak to consumers).

Consumer motivation: the datazoo-agent-template's sales-manager e2e (frontend token → Triton forward_principal minting triton_sender_groups → agent-forwarded bearer → Escurel group ACL) and peacock's NorthwindEscurel::spawn_with (follow-up PR there).

Test plan

escurel-server/tests/multi_issuer_groups.rs — one gateway, two real issuers over the wire, no mocks: second-issuer token with aud: [agents-test, escurel] (array — also pins the multi-audience verification) + groups under triton_sender_groups gains the read: [sales] group read; no group → fail-closed hidden; the primary TestIssuer principal keeps its groups under the knob (the claim-aware-minting regression). Gate green locally: fmt, clippy -D warnings, workspace tests 0 failures, release build.

🤖 Generated with Claude Code



…tra_issuers, ExtraIssuer

ConfigOverrides grows groups_claim (the production
ESCUREL_AUTH_GROUPS_CLAIM knob; e.g. triton_sender_groups) and
extra_issuers (additional (issuer, jwks) trust on top of whatever
AuthMode configures) — so an application test can stand the gateway up
in its deployed shape: primary issuer + Triton's signer, groups read
from the claim Triton mints.

TestIssuer minting is claim-aware: with a custom groups_claim the
group array is emitted under BOTH roles (admin projection + every
existing caller keep working) and the configured claim — without
this, setting the knob would silently strip every test principal of
its groups. New public ExtraIssuer mints second-issuer tokens with
audience ARRAYS + custom claims, keeping wiremock/jsonwebtoken private
to the support crate (the dx.md promise).

Test plan: escurel-server/tests/multi_issuer_groups.rs — one gateway,
two real issuers over the wire; a second-issuer token with
aud [agents-test, escurel] + groups under triton_sender_groups gains
the read: [sales] group read (also pins the aud-array verification);
no group → fail-closed; the primary issuer's minted principal keeps
its groups under the knob. Gate: fmt, clippy -D warnings, workspace
tests 0 failures, release build.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@jrosskopf jrosskopf merged commit d931dc9 into main Jul 3, 2026
1 check passed
@jrosskopf jrosskopf deleted the feat/test-support-triton-trust-knobs branch July 3, 2026 18:30
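
The trust behaviour described in the summary and commit message above, as an added Rust sketch that is not code from escurel or escurel-test-support: groups are read only from the configured claim, an `aud` array is accepted when it contains the gateway's audience, and a principal minted with groups under `roles` alone loses them once `groups_claim` is set. The type and function names and the `.test` issuer URLs are hypothetical, and signature verification against each issuer's JWKS is assumed to have already happened.

```rust
use std::collections::HashMap;

/// Payload of a token whose signature was already verified (assumed, not shown).
pub struct Claims {
    pub iss: String,
    pub aud: Vec<String>, // a single-string `aud` is normalised to one element
    pub arrays: HashMap<String, Vec<String>>, // array-valued claims by name
}

/// Hypothetical gateway trust settings; names mirror the knobs, not the real types.
pub struct Trust {
    pub issuers: Vec<String>, // primary issuer plus extra_issuers
    pub audience: String,
    pub groups_claim: String,
}

impl Trust {
    /// Groups the gateway would act on; every failure path yields no groups.
    pub fn groups(&self, c: &Claims) -> Vec<String> {
        let trusted = self.issuers.iter().any(|i| *i == c.iss);
        let aud_ok = c.aud.iter().any(|a| *a == self.audience);
        // Unknown issuer or foreign audience: no groups at all.
        if !(trusted && aud_ok) { return Vec::new(); }
        // Only the configured claim is read; a token without it has no groups.
        c.arrays.get(&self.groups_claim).cloned().unwrap_or_default()
    }
    /// Group ACL check such as read: [sales]; an empty group list never matches.
    pub fn can_read(&self, c: &Claims, acl: &[&str]) -> bool {
        self.groups(c).iter().any(|g| acl.contains(&g.as_str()))
    }
}

fn owned(xs: &[&str]) -> Vec<String> { xs.iter().map(|s| s.to_string()).collect() }
/// Constructed sample token: `groups` is emitted under every claim name in `under`.
pub fn token(iss: &str, aud: &[&str], under: &[&str], groups: &[&str]) -> Claims {
    let arrays = under.iter().map(|k| (k.to_string(), owned(groups))).collect();
    Claims { iss: iss.into(), aud: owned(aud), arrays }
}

/// Deployed shape from the PR: two issuers, groups read from triton_sender_groups.
pub fn triton_fronted() -> Trust {
    Trust { issuers: owned(&["https://primary.test", "https://triton.test"]),
            audience: "escurel".into(), groups_claim: "triton_sender_groups".into() }
}

fn main() {
    let (t, legacy) = (triton_fronted(), token("https://primary.test", &["escurel"], &["roles"], &["sales"]));
    println!("roles-only principal keeps groups: {}", !t.groups(&legacy).is_empty());
}
```
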
jrosskopf added a commit to DataZooDE/peacock that referenced this pull request Jul 3, 2026
…+ gateway overrides (#10)

NorthwindOpts: extra (skill, markdown) / (skill, id, markdown) fixtures
merged into the Northwind seed, plus the escurel-test-support
ConfigOverrides passthrough (webhook, groups_claim, extra_issuers, …)
— so a downstream app test can stand the Northwind world up in its
deployed Triton-fronted shape. mint_token_with_groups is exposed for
consumer-owned principals (a worker's service token). spawn()
delegates to spawn_with(default).

Depends on escurel DataZooDE/escurel#239 (ConfigOverrides
groups_claim/extra_issuers + claim-aware TestIssuer minting).

Test plan: crates/peacock-test-support/tests/spawn_with.rs — real
escurel; extra fixture resolves; the sales principal still passes the
read:[sales] group ACL with groups_claim=triton_sender_groups
configured (the claim-aware-minting trap). Full workspace gate green
locally (fmt, clippy -D warnings, tests 0 failures, release).

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>