feat(agents): collapse denied agent route access to 404 instead of 403 #271
Open
asherfink wants to merge 1 commit into
jenniechung
approved these changes
Jun 3, 2026
harvhan
approved these changes
Jun 4, 2026
Direct agent-by-id and agent-by-name routes now return 404 instead of 403 when the caller isn't authorized for the agent, matching the existing behavior for tasks and api keys. A 403 on a specific id or name reveals that the agent exists, so collapsing denials to 404 stops callers from probing for agents in other tenants. The name routes resolve the name to an id first, so a genuinely missing name still surfaces the normal repository 404. Ticket: AGX1-242
What
Direct agent routes now return 404 instead of 403 when the caller isn't allowed to see the agent.
Why
A 403 on a specific agent id or name leaks that the agent exists. Collapsing denials to 404 means a caller can't tell "exists but you can't access it" from "doesn't exist", so they can't probe for agents living in other tenants.
Changes
- DAuthorizedId(agent, ...) and DAuthorizedName(agent, ...) collapse an authorization denial to a 404, matching the existing behavior for tasks and api keys.
- _check_agent_or_collapse_to_404 helper next to the existing task and api-key collapse helpers. Folding the three into one generic helper is a tracked follow-up.
Tests
Stacking
Stacked on #270 (agent ownership writes). Review that one first.
Ticket: AGX1-242
Greptile Summary
This PR collapses denied agent route access from 403 to 404, preventing callers from probing cross-tenant agent existence by distinguishing "exists but forbidden" from "not found." The helper _check_agent_or_collapse_to_404 is wired into DAuthorizedId and DAuthorizedName, mirroring the existing task and API-key collapse patterns.
- DAuthorizedId and DAuthorizedName: both now route AgentexResourceType.agent through the new collapse helper, covering path-parameter reads, deletes, and RPC-by-name routes.
- DAuthorizedQuery gap: the GET /events?agent_id= list endpoint uses DAuthorizedQuery(AgentexResourceType.agent, ...), which has no agent branch and still falls through to authorization.check(...) — returning 403 on denial and leaking existence. This was flagged in the previous review iteration and remains unaddressed.
- test_agents_authz.py covers the collapse helper and both dependency wrappers; test_tasks_authz.py is updated to expect 404 for the agent name path.
Confidence Score: 4/5
Safe to merge after addressing the DAuthorizedQuery gap; the list_events agent_id query path still returns 403 on denial.
The collapse logic is correctly applied to DAuthorizedId and DAuthorizedName, but DAuthorizedQuery has no agent branch — the GET /events?agent_id= endpoint calls authorization.check directly and returns 403 when the caller is denied, leaking that the agent ID exists in another tenant.
agentex/src/utils/authorization_shortcuts.py — the DAuthorizedQuery function (lines 118–157) needs an elif agent branch matching what was added to DAuthorizedId and DAuthorizedName.
Important Files Changed
Comments Outside Diff (2)
agentex/src/utils/authorization_shortcuts.py, line 118-157
DAuthorizedQuery still returns 403 for denied agent access
DAuthorizedQuery is used with AgentexResourceType.agent on the GET /events endpoint (events.py lines 55–60). That path falls through to the unmodified else branch (authorization.check), so a 403 is still returned when the caller is denied — leaking that the agent ID exists. The fix applied to DAuthorizedId and DAuthorizedName needs to be mirrored here: add an elif resource_type == AgentexResourceType.agent branch that calls _check_agent_or_collapse_to_404, just as was done in DAuthorizedId.
agentex/src/utils/authorization_shortcuts.py, line 118-157
DAuthorizedQuery still returns 403 for denied agent access
DAuthorizedQuery is used with AgentexResourceType.agent on the GET /events list endpoint (events.py lines 55–60). Its else branch calls authorization.check(...) directly, so a denied agent check raises AuthorizationError (403) instead of ItemDoesNotExist (404) — leaking that the agent ID exists across tenants. The fix applied to DAuthorizedId and DAuthorizedName in this PR needs a matching elif resource_type == AgentexResourceType.agent branch added to DAuthorizedQuery as well.
Reviews (2): Last reviewed commit: "feat(agents): collapse denied agent rout..."
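Added example, not code from this PR or the agentex repository: a self-contained model of the 403-to-404 collapse and of the query-path gap raised in the review, with a check that compares what a caller observes for another tenant's agent against a nonexistent id. The agent table, tenant names, and all function names are stand-ins assumed for illustration; only the two exception names are taken from the page.

```python
class AuthorizationError(Exception):   # stand-in; name taken from the page
    status, body = 403, "forbidden"

class ItemDoesNotExist(Exception):     # stand-in; name taken from the page
    status, body = 404, "item not found"

# Constructed sample data: agent id -> owning tenant.
AGENTS = {"agent-a": "tenant-1", "agent-b": "tenant-2"}

def check(tenant, agent_id):
    """Raw check: 404 when the agent is missing, 403 when it belongs to someone else."""
    if agent_id not in AGENTS:
        raise ItemDoesNotExist()
    if AGENTS[agent_id] != tenant:
        raise AuthorizationError()

def check_agent_or_collapse(tenant, agent_id):
    """Turn a denial into the exact error a missing agent produces."""
    try:
        check(tenant, agent_id)
    except AuthorizationError:
        # 'from None' keeps the original denial out of any chained traceback.
        raise ItemDoesNotExist() from None

def by_id(tenant, agent_id):                    # models the collapsed id route
    check_agent_or_collapse(tenant, agent_id)

def by_query_without_branch(tenant, agent_id):  # models the gap: raw check only
    check(tenant, agent_id)

def by_query_with_branch(tenant, agent_id):     # models the suggested agent branch
    check_agent_or_collapse(tenant, agent_id)

def observe(route, tenant, agent_id):
    """Return (status, body) exactly as the caller would see it."""
    try:
        route(tenant, agent_id)
        return 200, "ok"
    except (AuthorizationError, ItemDoesNotExist) as exc:
        return exc.status, exc.body

def leaks_existence(route, tenant, foreign_id, missing_id):
    """True when the caller can tell a foreign agent from a nonexistent one."""
    return observe(route, tenant, foreign_id) != observe(route, tenant, missing_id)

if __name__ == "__main__":
    for route in (by_id, by_query_without_branch, by_query_with_branch):
        print(route.__name__, leaks_existence(route, "tenant-1", "agent-b", "agent-zzz"))
```

Comparing the full (status, body) pair matters: a route that returns 404 for both cases but with different bodies would still let a caller distinguish them.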