agent

core/agent

Fork 0

Commit graph

Author	SHA1	Message	Date
Snider	167ce9783e	fix(agent/brain): authorise org against MCP context at every entry point remember(), recall(), forget(), and elasticSearch() now resolve the allowed-orgs set from the authenticated request context (mcp_workspace_context), preferring explicit authorised_orgs/authorized_orgs, falling back to the authenticated workspace's org/slug. A mismatched org throws AuthorizationException BEFORE any Qdrant/Elasticsearch call or destructive DB action — closes the horizontal-priv-escalation vector where an MCP client could recall/remember/forget memories scoped to ANY org by setting org="other-org" in the request body. Pest coverage in OrgScopingTest covers good path, unauthorised recall (asserts no HTTP), cross-org forget (asserts no DB delete), unauthorised remember (asserts no embed/index jobs). Note: BrainList free-form org filter is a separate ticket — outside this lane's allowlist. Co-authored-by: Codex <noreply@openai.com> Closes tasks.lthn.sh/view.php?id=312	2026-04-25 18:32:19 +01:00
Snider	c616ff1e32	fix(brain): close openbrain audit gaps — org scoping + index cleanup + reindex flags + MCP schemas + circuit layer Closes the 5 PARTIAL items flagged in docs/AUDIT-openbrain-20260424.md. - Gap A (org scoping persisted on writes): new migration adds `org` nullable+indexed column to brain_memories; BrainMemory fillable; RememberKnowledge action forwards org; BrainService::remember persists it. - Gap B (supersede/forget Elastic cleanup): BrainService::forget dispatches DeleteFromIndex (handles both Qdrant + Elastic); supersede path dispatches cleanup for the old memory id before replacing it. DeleteFromIndex itself untouched — already handled both indexes. - Gap C (brain:reindex flags): --org, --project, --stale (null OR >14d old), --dry-run (count+stop), --elastic-only added to the artisan command. - Gap D (MCP schemas expose org): brain_remember, brain_recall, brain_list now accept `org` in input schema + forward into action/service. - Gap E (resilience uneven): brain_list now wrapped in withCircuitBreaker('brain', ...) matching the pattern used by BrainRemember/Recall/Forget. BrainService gains retryableHttp() helper — 100/300/900ms exponential backoff, retries only on 5xx + connection errors, not on 4xx. Qdrant calls route through it; Ollama left alone (EmbedMemory job has its own retry). Tests (Good/Bad/Ugly per gap): - Feature/Brain/OrgScopingTest.php - Feature/Brain/SupersedeForgetIndexCleanupTest.php - Feature/Brain/ReindexFlagsTest.php - Feature/Mcp/BrainSchemaOrgTest.php - Feature/Brain/CircuitBreakerTest.php php -l clean on all 13 files. Pest binary not in this checkout — CI path validates the full suite. Closes tasks.lthn.sh/view.php?id=107 Co-authored-by: Codex <noreply@openai.com> Co-Authored-By: Virgil <virgil@lethean.io>	2026-04-24 08:14:06 +01:00

Author

SHA1

Message

Date

Snider

167ce9783e

fix(agent/brain): authorise org against MCP context at every entry point

remember(), recall(), forget(), and elasticSearch() now resolve the
allowed-orgs set from the authenticated request context (mcp_workspace_context),
preferring explicit authorised_orgs/authorized_orgs, falling back to the
authenticated workspace's org/slug. A mismatched org throws
AuthorizationException BEFORE any Qdrant/Elasticsearch call or destructive
DB action — closes the horizontal-priv-escalation vector where an MCP
client could recall/remember/forget memories scoped to ANY org by
setting org="other-org" in the request body.

Pest coverage in OrgScopingTest covers good path, unauthorised recall
(asserts no HTTP), cross-org forget (asserts no DB delete), unauthorised
remember (asserts no embed/index jobs).

Note: BrainList free-form org filter is a separate ticket — outside this
lane's allowlist.

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=312

2026-04-25 18:32:19 +01:00

Snider

c616ff1e32

fix(brain): close openbrain audit gaps — org scoping + index cleanup + reindex flags + MCP schemas + circuit layer

Closes the 5 PARTIAL items flagged in docs/AUDIT-openbrain-20260424.md.

- Gap A (org scoping persisted on writes): new migration adds `org`
  nullable+indexed column to brain_memories; BrainMemory fillable;
  RememberKnowledge action forwards org; BrainService::remember
  persists it.

- Gap B (supersede/forget Elastic cleanup): BrainService::forget
  dispatches DeleteFromIndex (handles both Qdrant + Elastic); supersede
  path dispatches cleanup for the old memory id before replacing it.
  DeleteFromIndex itself untouched — already handled both indexes.

- Gap C (brain:reindex flags): --org, --project, --stale (null OR
  >14d old), --dry-run (count+stop), --elastic-only added to the
  artisan command.

- Gap D (MCP schemas expose org): brain_remember, brain_recall,
  brain_list now accept `org` in input schema + forward into
  action/service.

- Gap E (resilience uneven): brain_list now wrapped in
  withCircuitBreaker('brain', ...) matching the pattern used by
  BrainRemember/Recall/Forget. BrainService gains retryableHttp()
  helper — 100/300/900ms exponential backoff, retries only on 5xx +
  connection errors, not on 4xx. Qdrant calls route through it;
  Ollama left alone (EmbedMemory job has its own retry).

Tests (Good/Bad/Ugly per gap):
- Feature/Brain/OrgScopingTest.php
- Feature/Brain/SupersedeForgetIndexCleanupTest.php
- Feature/Brain/ReindexFlagsTest.php
- Feature/Mcp/BrainSchemaOrgTest.php
- Feature/Brain/CircuitBreakerTest.php

php -l clean on all 13 files. Pest binary not in this checkout —
CI path validates the full suite.

Closes tasks.lthn.sh/view.php?id=107

Co-authored-by: Codex <noreply@openai.com>
Co-Authored-By: Virgil <virgil@lethean.io>

2026-04-24 08:14:06 +01:00

2 commits