Fix Email Sending permission scope#31

Merged
rogu3bear merged 1 commit into main from build/email-sending-permission-scope on Jun 30, 2026
Conversation

@rogu3bear

Owner

Summary

  • Change Email Sending Read and Email Sending Write in the cfctl permission catalog from zone scope to account scope.
  • Add static contract coverage for the account-scoped Email Sending permissions.

Why

While applying the maildesk sender-domain plan, Email Routing rule upserts succeeded and verified, but the first sender_domain enable apply failed with Cloudflare 2036 Unauthorized. Live permission-group discovery shows Email Sending permission groups are account-scoped, not zone-scoped, so cfctl bootstrap/token guidance needs to reflect that before minting or rotating an operator token for sender-domain authentication.

TDD Proof

  • Red: ./scripts/verify_static_contract.sh failed after adding the account-scope assertion against the old catalog.
  • Green: the same static contract passed after updating the catalog.

Full Proof

  • ./scripts/verify_static_contract.sh
  • python3 scripts/verify_permission_catalog.py --cfctl ./cfctl
  • python3 scripts/verify_permission_catalog.py --permission-groups <full-live-permission-groups-artifact>
  • git diff --check

Operational Notes

  • No Cloudflare mutation is included in this PR.
  • The live maildesk state is now edge_ready=true; sender-domain authentication remains pending until a lane/token with Email Sending Write can run the preview/ack path.

Live Cloudflare permission-group discovery reports Email Sending Read and Email Sending Write as account-scoped permissions. The cfctl catalog incorrectly modeled them as zone-scoped after adding sender_domain apply support, which can produce misleading bootstrap/token guidance for the exact maildesk sender-domain enable path.

Update the permission catalog to account scope and add a static contract assertion for both Email Sending permissions. This keeps cfctl bootstrap guidance aligned with Cloudflare's permission group model before operators mint or rotate a deploy token for sender-domain authentication.

Proof: TDD red via verify_static_contract expecting account scope, then green after the catalog change. Also ran verify_static_contract, verify_permission_catalog.py --cfctl ./cfctl, and verify_permission_catalog.py against a full live permission-groups artifact.
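The catalog-versus-live-discovery check this PR relies on, as an added illustration (not cfctl's own verify_permission_catalog.py): it maps each live permission group's reported scopes to the catalog's scope labels and lists catalog entries whose scope is not among those reported live. The artifact shape, the scope identifier strings and the sample group ids are assumptions.

```python
"""Cross-check a cfctl-style permission catalog against live Cloudflare
permission-group discovery and flag entries whose scope disagrees.
Illustrative code, not the repository's verify_permission_catalog.py;
the data shapes below are assumptions."""

# Assumed scope identifiers as reported by the permission-groups API.
ZONE_SCOPE = "com.cloudflare.api.account.zone"
ACCOUNT_SCOPE = "com.cloudflare.api.account"
SCOPE_LABEL = {ZONE_SCOPE: "zone", ACCOUNT_SCOPE: "account"}

# Constructed sample of a live permission-groups artifact (ids are placeholders).
LIVE_PERMISSION_GROUPS = [
    {"id": "PLACEHOLDER-1", "name": "Email Sending Read", "scopes": [ACCOUNT_SCOPE]},
    {"id": "PLACEHOLDER-2", "name": "Email Sending Write", "scopes": [ACCOUNT_SCOPE]},
    {"id": "PLACEHOLDER-3", "name": "Email Routing Rules Write", "scopes": [ZONE_SCOPE]},
]

# Constructed catalog in the state the PR describes as wrong: the Email Sending
# entries are modeled as zone-scoped while live discovery reports account scope.
OLD_CATALOG = {
    "Email Sending Read": "zone",
    "Email Sending Write": "zone",
    "Email Routing Rules Write": "zone",
}


def live_scopes(groups):
    """Map permission-group name -> set of scope labels reported live."""
    out = {}
    for g in groups:
        labels = (SCOPE_LABEL.get(s, s) for s in g["scopes"])
        out.setdefault(g["name"], set()).update(labels)
    return out


def find_scope_mismatches(catalog, groups):
    """Return [(name, catalog_scope, live_scopes)] for every catalog entry whose
    scope is not among the scopes live discovery reports (or that is unknown live)."""
    live = live_scopes(groups)
    mismatches = []
    for name, cat_scope in sorted(catalog.items()):
        reported = live.get(name)
        if reported is None or cat_scope not in reported:
            mismatches.append((name, cat_scope, sorted(reported or [])))
    return mismatches


if __name__ == "__main__":
    for name, cat, reported in find_scope_mismatches(OLD_CATALOG, LIVE_PERMISSION_GROUPS):
        print(f"{name}: catalog says {cat}, live reports {reported or 'unknown'}")
```

A token minted from the zone-scoped entries would not carry the account-scoped Email Sending permissions, which is the gap this check surfaces before bootstrap guidance is rendered.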
@rogu3bear

Owner Author

@codex Please review the Email Sending permission scope correction. Focus on whether the live permission-group evidence supports account scope for both Email Sending Read and Write, and whether any bootstrap/token command rendering assumptions need adjustment beyond the catalog scope change.

@rogu3bear

Owner Author

GitHub Actions did not start because the account is locked due to a billing issue. Local proof completed on build/email-sending-permission-scope:

  • TDD red: ./scripts/verify_static_contract.sh failed with the new account-scope assertion against the old catalog
  • Green: ./scripts/verify_static_contract.sh passed after updating Email Sending permissions to account scope
  • python3 scripts/verify_permission_catalog.py --cfctl ./cfctl passed
  • python3 scripts/verify_permission_catalog.py --permission-groups <full-live-permission-groups-artifact> passed
  • git diff --check passed

Operational context: Email Routing rule applies already verified; sender-domain apply hit Cloudflare 2036 Unauthorized, and live permission-group discovery shows Email Sending Read/Write are account-scoped.

rogu3bear merged commit 4ee4835 into main on Jun 30, 2026
1 of 2 checks passed
rogu3bear deleted the build/email-sending-permission-scope branch on June 30, 2026 at 23:14