Fix Email Sending permission scope#31
Merged
Conversation
Live Cloudflare permission-group discovery reports Email Sending Read and Email Sending Write as account-scoped permissions. The cfctl catalog incorrectly modeled them as zone-scoped after adding sender_domain apply support, which can produce misleading bootstrap/token guidance for the exact maildesk sender-domain enable path. Update the permission catalog to account scope and add a static contract assertion for both Email Sending permissions. This keeps cfctl bootstrap guidance aligned with Cloudflare's permission group model before operators mint or rotate a deploy token for sender-domain authentication. Proof: TDD red via verify_static_contract expecting account scope, then green after the catalog change. Also ran verify_static_contract, verify_permission_catalog.py --cfctl ./cfctl, and verify_permission_catalog.py against a full live permission-groups artifact.
@codex Please review the Email Sending permission scope correction. Focus on whether the live permission-group evidence supports account scope for both Email Sending Read and Write, and whether any bootstrap/token command rendering assumptions need adjustment beyond the catalog scope change.
GitHub Actions did not start because the account is locked due to a billing issue. Local proof completed on
Operational context: Email Routing rule applies already verified; sender-domain apply hit Cloudflare
Summary
Email Sending Read and Email Sending Write in the cfctl permission catalog from zone scope to account scope.
Why
While applying the maildesk sender-domain plan, Email Routing rule upserts succeeded and verified, but the first sender_domain enable apply failed with Cloudflare 2036 Unauthorized. Live permission-group discovery shows Email Sending permission groups are account-scoped, not zone-scoped, so cfctl bootstrap/token guidance needs to reflect that before minting or rotating an operator token for sender-domain authentication.
TDD Proof
./scripts/verify_static_contract.sh failed after adding the account-scope assertion against the old catalog.
Full Proof
./scripts/verify_static_contract.sh
python3 scripts/verify_permission_catalog.py --cfctl ./cfctl
python3 scripts/verify_permission_catalog.py --permission-groups <full-live-permission-groups-artifact>
git diff --check
Operational Notes
edge_ready=true; sender-domain authentication remains pending until a lane/token with Email Sending Write can run the preview/ack path.
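The catalog-versus-live cross-check and the static contract assertion described in the PR description and the Summary above, as an added illustration; this is not cfctl's verify_permission_catalog.py or verify_static_contract.sh. The artifact layout (objects carrying "name" and a "scopes" list of identifiers such as "com.cloudflare.api.account" and "com.cloudflare.api.account.zone") is assumed from the Cloudflare permission-groups API, and the sample artifact, its ids and the catalog dicts are constructed.

```python
import json

# Constructed stand-in for a live permission-groups artifact (ids are fake).
LIVE_ARTIFACT = json.dumps([
    {"id": "0000000000000000000000000000aaaa", "name": "Email Sending Read",
     "scopes": ["com.cloudflare.api.account"]},
    {"id": "0000000000000000000000000000bbbb", "name": "Email Sending Write",
     "scopes": ["com.cloudflare.api.account"]},
    {"id": "0000000000000000000000000000cccc", "name": "Email Routing Rules Write",
     "scopes": ["com.cloudflare.api.account.zone"]},
])

# Catalog as modeled before the fix: Email Sending wrongly treated as zone-scoped.
OLD_CATALOG = {
    "Email Sending Read": "zone",
    "Email Sending Write": "zone",
    "Email Routing Rules Write": "zone",
}
# Catalog after the fix: both Email Sending permissions moved to account scope.
NEW_CATALOG = {**OLD_CATALOG,
               "Email Sending Read": "account",
               "Email Sending Write": "account"}

# Assumed mapping from Cloudflare scope identifiers to catalog scope names.
SCOPE_IDS = {"com.cloudflare.api.account": "account",
             "com.cloudflare.api.account.zone": "zone",
             "com.cloudflare.api.user": "user"}

def live_scopes(artifact_json):
    """Map permission-group name -> set of catalog scope names seen live."""
    out = {}
    for group in json.loads(artifact_json):
        names = {SCOPE_IDS.get(s, s) for s in group["scopes"]}
        out.setdefault(group["name"], set()).update(names)
    return out

def catalog_mismatches(catalog, artifact_json):
    """Return [(name, catalog_scope, live_scopes)] for every catalog entry whose
    declared scope is not among the scopes live discovery reports for it.
    A name absent from the artifact counts as a mismatch (live scopes [])."""
    live = live_scopes(artifact_json)
    return [(name, scope, sorted(live.get(name, set())))
            for name, scope in sorted(catalog.items())
            if scope not in live.get(name, set())]

def static_contract_ok(catalog):
    """The static assertion this PR adds: both Email Sending permissions
    must be modeled as account-scoped, independent of any live artifact."""
    return all(catalog.get(n) == "account"
               for n in ("Email Sending Read", "Email Sending Write"))
```

Running the old catalog through the cross-check reports both Email Sending entries as zone-declared but account-scoped live, which is the mismatch that produced misleading token guidance; the new catalog reports none.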