feat(test-support): Triton-fronted trust knobs — groups_claim, extra_issuers, ExtraIssuer #239
Merged
…tra_issuers, ExtraIssuer

ConfigOverrides grows groups_claim (the production ESCUREL_AUTH_GROUPS_CLAIM knob; e.g. triton_sender_groups) and extra_issuers (additional (issuer, jwks) trust on top of whatever AuthMode configures) — so an application test can stand the gateway up in its deployed shape: primary issuer + Triton's signer, groups read from the claim Triton mints.

TestIssuer minting is claim-aware: with a custom groups_claim the group array is emitted under BOTH roles (admin projection + every existing caller keep working) and the configured claim — without this, setting the knob would silently strip every test principal of its groups.

New public ExtraIssuer mints second-issuer tokens with audience ARRAYS + custom claims, keeping wiremock/jsonwebtoken private to the support crate (the dx.md promise).

Test plan: escurel-server/tests/multi_issuer_groups.rs — one gateway, two real issuers over the wire; a second-issuer token with aud [agents-test, escurel] + groups under triton_sender_groups gains the read: [sales] group read (also pins the aud-array verification); no group → fail-closed; the primary issuer's minted principal keeps its groups under the knob.

Gate: fmt, clippy -D warnings, workspace tests 0 failures, release build.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
jrosskopf added a commit to DataZooDE/peacock that referenced this pull request on Jul 3, 2026
…+ gateway overrides (#10)

NorthwindOpts: extra (skill, markdown) / (skill, id, markdown) fixtures merged into the Northwind seed, plus the escurel-test-support ConfigOverrides passthrough (webhook, groups_claim, extra_issuers, …) — so a downstream app test can stand the Northwind world up in its deployed Triton-fronted shape. mint_token_with_groups is exposed for consumer-owned principals (a worker's service token). spawn() delegates to spawn_with(default).

Depends on escurel DataZooDE/escurel#239 (ConfigOverrides groups_claim/extra_issuers + claim-aware TestIssuer minting).

Test plan: crates/peacock-test-support/tests/spawn_with.rs — real escurel; extra fixture resolves; the sales principal still passes the read:[sales] group ACL with groups_claim=triton_sender_groups configured (the claim-aware-minting trap).

Full workspace gate green locally (fmt, clippy -D warnings, tests 0 failures, release).

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Summary

Lets an application test stand Escurel up in its deployed, Triton-fronted shape: ConfigOverrides { groups_claim, extra_issuers } (the production ESCUREL_AUTH_GROUPS_CLAIM / additional-issuer trust, already supported by escurel-auth — this only threads them through test-support), claim-aware TestIssuer minting (groups under both roles and the configured claim, so admin projection and every existing principal keep working when the knob is set), and a public ExtraIssuer for second-issuer tokens with audience arrays + custom claims (no wiremock/jsonwebtoken leak to consumers).

Consumer motivation: the datazoo-agent-template's sales-manager e2e (frontend token → Triton forward_principal minting triton_sender_groups → agent-forwarded bearer → Escurel group ACL) and peacock's NorthwindEscurel::spawn_with (follow-up PR there).

Test plan

escurel-server/tests/multi_issuer_groups.rs — one gateway, two real issuers over the wire, no mocks: second-issuer token with aud: [agents-test, escurel] (array — also pins the multi-audience verification) + groups under triton_sender_groups gains the read: [sales] group read; no group → fail-closed hidden; the primary TestIssuer principal keeps its groups under the knob (the claim-aware-minting regression).

Gate green locally: fmt, clippy -D warnings, workspace tests 0 failures, release build.

🤖 Generated with Claude Code
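The claim-aware-minting trap and the audience-array check described in the summary, as an added Rust sketch that is not code from the escurel repository. `Policy`, `can_read`, `mint`, the issuer URLs and the tokens are hypothetical or constructed, and signature/JWKS verification is assumed to have happened before these checks.

```rust
use std::collections::HashMap;

// A claim value is a string or an array of strings (all this sketch needs).
enum Claim { Str(String), List(Vec<String>) }
type Claims = HashMap<String, Claim>;

// Hypothetical gateway policy; field names mirror the knobs named in the PR.
struct Policy { issuers: Vec<String>, audience: String, groups_claim: String }
fn list(xs: &[&str]) -> Claim { Claim::List(xs.iter().map(|s| s.to_string()).collect()) }

// True when claim `key` equals `want` (string) or contains it (array).
fn has(c: &Claims, key: &str, want: &str) -> bool {
    match c.get(key) {
        Some(Claim::Str(s)) => s == want,
        Some(Claim::List(v)) => v.iter().any(|x| x == want),
        None => false, // absent claim: fail closed
    }
}

// Claims are assumed signature-verified already; the JWKS check is omitted here.
fn can_read(p: &Policy, c: &Claims, group: &str) -> bool {
    p.issuers.iter().any(|i| has(c, "iss", i))
        && has(c, "aud", &p.audience)
        && has(c, &p.groups_claim, group)
}

// Claim-aware minting: groups under `roles` and under the configured claim.
fn mint(iss: &str, aud: &[&str], groups: &[&str], groups_claim: &str) -> Claims {
    let mut c = Claims::new();
    c.insert("iss".to_string(), Claim::Str(iss.to_string()));
    c.insert("aud".to_string(), list(aud));
    c.insert("roles".to_string(), list(groups));
    c.insert(groups_claim.to_string(), list(groups));
    c
}

// Constructed issuers and tokens: [second issuer, no group, primary, roles-only].
fn demo() -> [bool; 4] {
    let (gc, primary, triton) = ("triton_sender_groups", "https://primary.test", "https://triton.test");
    let p = Policy { issuers: vec![primary.into(), triton.into()], audience: "escurel".into(), groups_claim: gc.into() };
    [
        can_read(&p, &mint(triton, &["agents-test", "escurel"], &["sales"], gc), "sales"),
        can_read(&p, &mint(triton, &["agents-test", "escurel"], &[], gc), "sales"),
        can_read(&p, &mint(primary, &["escurel"], &["sales"], gc), "sales"),
        can_read(&p, &mint(primary, &["escurel"], &["sales"], "roles"), "sales"),
    ]
}
fn main() { println!("{:?}", demo()); }
```

The last case mints groups under `roles` only while the policy reads `triton_sender_groups`, so the principal arrives with no groups and the read is denied.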