Skip to content

Include undeployed identity proxy scopes in env catalog#1314

Open
jhivandb wants to merge 1 commit into
wso2:mainfrom
jhivandb:surface-undeployed-scopes
Open

Include undeployed identity proxy scopes in env catalog#1314
jhivandb wants to merge 1 commit into
wso2:mainfrom
jhivandb:surface-undeployed-scopes

Conversation

@jhivandb

@jhivandb jhivandb commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Purpose

When building an agent-identity role (Identity Providers → env → Roles → role → Permissions), the "Add scopes" catalog was empty even when an MCP proxy defined grantable scopes (e.g. booking:edit_booking). The catalog only listed scopes for proxies that were deployed to a gateway in the environment, so a defined-but-undeployed proxy's scopes were hidden.

This gate was stricter than the flow it feeds: the catalog is sourced from the local DB (mcp_proxy_scopes), scope registration into env-Thunder happens lazily at role-assignment time (EnsureProxyResourceServer) — never at deploy — and role assignment itself (resolveScopeGroups) never checks deployment. So a scope was assignable but not discoverable.

Goals

Surface a proxy's scopes in the environment scope catalog as soon as they are defined on an identity-enabled endpoint that targets the environment, regardless of gateway-deployment state — aligning the catalog with the assignment path.

Approach

In ListEnvironmentScopes (mcp_proxy_scope_service.go), removed the GetDeployedGatewaysByProvider gate. The remaining guards are unchanged: the endpoint must resolve for the environment, must be identity/OAuth-enabled (mcpIdentityEnabled), and must have a non-nil env artifact UUID. The artifact UUID is assigned at endpoint-config time (not deploy), so that guard does not silently re-introduce the gate. The now-unused deploymentRepo dependency was removed from the service (field, constructor param, wire binding). Endpoint description in the OpenAPI spec updated from "deployed to this environment" to "target this environment".

User stories

As a platform admin, I can grant an MCP proxy's scope to a role before (or without) deploying that proxy to a gateway in the environment.

Release note

Environment agent-identity scope catalog now lists scopes from identity-enabled MCP proxies that target the environment, whether or not the proxy is deployed to a gateway.

Documentation

N/A — no user-facing product-doc impact; the change relaxes an internal listing filter and updates only an internal OpenAPI description string.

Training

N/A — no training-content impact.

Certification

N/A — no impact on certification exams; internal API listing behavior only.

Marketing

N/A — internal behavior fix, no marketing content.

Automation tests

  • Unit tests

    Updated TestListEnvironmentScopes_FiltersToDeployedIdentityProxiesTestListEnvironmentScopes_IncludesUndeployedIdentityProxies: asserts both deployed and undeployed identity-enabled proxies are included and an identity-disabled proxy is excluded. Full unit tier (make test-unit) passes with no failures.

  • Integration tests

    N/A — no new integration coverage; behavior is exercised by the service-level unit test above.

Security checks

  • Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes
  • Ran FindSecurityBugs plugin and verified report? no — not part of this repo's Go workflow; go vet and golangci-lint were run on the changed packages with no new findings.
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes

Samples

N/A — no sample changes.

Related PRs

N/A.

Migrations (if applicable)

N/A — no schema or data migration.

Test environment

Go 1.25.11, macOS (darwin/arm64). Verified via make test-unit, go build ./..., go vet, and make codegenfmt-check (codegen/format clean).

Learning

Traced the scope lifecycle end to end (local DB source, lazy Thunder registration at role assignment, deployment-decoupled artifact UUIDs) to confirm the deployment gate was a discovery-only restriction and safe to drop without affecting enforcement or assignment.

Summary by CodeRabbit

  • Documentation

    • Clarified that environment agent-identity scopes come from identity-enabled MCP proxies targeting the environment.
  • Bug Fixes

    • Environment scopes are now included for eligible identity-enabled proxies even when they are not deployed.
    • Proxies without identity security enabled remain excluded.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 12158b58-580c-4b1a-972e-4e7993f4487a

📥 Commits

Reviewing files that changed from the base of the PR and between 33348c1 and c2744d4.

📒 Files selected for processing (5)
  • agent-manager-service/docs/api_v1_openapi.yaml
  • agent-manager-service/services/mcp_proxy_scope_service.go
  • agent-manager-service/services/mcp_proxy_scope_service_unit_test.go
  • agent-manager-service/spec/api_agent_identities.go
  • agent-manager-service/wiring/wire_gen.go

📝 Walkthrough

Walkthrough

The MCP proxy scope service no longer requires deployment data when listing environment scopes. Identity-enabled proxies targeting an environment are included regardless of deployed gateways, with constructor wiring, tests, and API descriptions updated accordingly.

Changes

MCP proxy scope targeting

Layer / File(s) Summary
Target-based scope listing
agent-manager-service/services/mcp_proxy_scope_service.go, agent-manager-service/spec/api_agent_identities.go, agent-manager-service/docs/api_v1_openapi.yaml
The service removes deployed-gateway filtering, and API descriptions now state that scopes come from proxies targeting the environment.
Constructor wiring and behavior validation
agent-manager-service/wiring/wire_gen.go, agent-manager-service/services/mcp_proxy_scope_service_unit_test.go
Production and test initializers use the revised constructor, while tests include undeployed identity-enabled proxies and exclude identity-disabled proxies.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: rasika2012, raveensr, menakaj

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change.
Description check ✅ Passed The description follows the template and covers purpose, goals, approach, tests, security, and other required sections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants