Skip to content

feat: add organization-ai-gateway-access role and enforce it at the AI Gateway#27280

Draft
jscottmiller wants to merge 2 commits into
scott/gateway-1-seat-countingfrom
scott/gateway-2-ai-gateway-role
Draft

feat: add organization-ai-gateway-access role and enforce it at the AI Gateway#27280
jscottmiller wants to merge 2 commits into
scott/gateway-1-seat-countingfrom
scott/gateway-2-ai-gateway-role

Conversation

@jscottmiller

@jscottmiller jscottmiller commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Extracts the aibridge_interception create/update grants out of the site member role and the organization-member/service-account floors into a new built-in org role, organization-ai-gateway-access, and enforces it at the AI Gateway.

Role extraction

  • The new role carries only member-scoped aibridge_interception: create, update. It is appended to organizations.default_org_member_roles by migration (idempotent) and to rbac.DefaultOrgMemberRoles() for new organizations, so existing members keep AI Gateway access with no behavior change by default.
  • Interception RBAC objects are now scoped to any organization (AnyOrganization().WithOwner(initiator)) so the member-scoped perms authorize holders in any org they belong to. Org admins are explicitly excluded from the org-level aibridge grant, preserving the invariant that only site-wide auditors and owners can read interceptions.
  • The Edit Roles UI gains descriptions for organization-workspace-access and organization-ai-gateway-access.

Enforcement

aibridgedserver.IsAuthorized previously validated only the API key and user status; interception recording happens under the aibridged system subject, so the initiator's own permissions were never consulted. Now the initiator must be authorized to create an AI Bridge interception or the request is rejected with ErrNoAIGatewayAccess (HTTP 403). The check expands the user's roles (including custom roles) and evaluates with the API key's scope set, so restricted-scope tokens cannot route AI traffic unless their scope carries the interception create permission. rolestore.Expand now accepts a narrow store interface so the aibridged server's store can satisfy it.

Seat recording

Under the permission-based-licensing experiment (introduced in #27279), RecordInterception no longer records ai_seat_state usage for the initiator: AI Gateway access is licensed by the AI Governance add-on and gated by the role rather than per seat. Task workspace builds still claim AI Governance seats.

Part of the gateway-accounts exploration.

Stack

Part 2 of the gateway-accounts stack. Each PR builds on the previous:

  1. feat: count only workspace-capable users toward license seats #27279: permission-based license seat counting. Behind the permission-based-licensing experiment and gated on the AI Governance add-on, user_limit counts only users the RBAC engine authorizes to create workspaces.
  2. feat: add organization-ai-gateway-access role and enforce it at the AI Gateway #27280 (this PR): adds the organization-ai-gateway-access org role carrying the AI Bridge interception permissions (extracted from the member floors, backfilled into org default roles by migration) and enforces it at AI Gateway authentication; bridge usage stops claiming AI Governance seats under the experiment.
  3. feat: gate workspace ACL grants on a use_shared capability #27281: adds a use_shared capability precondition for workspace ACL grants, so workspace sharing is ineffective for (and rejected toward) users without workspace capabilities, evaluated live on every authorization.

Related but independent: #27278 hides the Workspaces page create CTAs for users without workspace-create permission.

…I Gateway

Extracts the aibridge_interception create/update grants out of the site
member role and the organization-member/service-account floors into a
new built-in org role, organization-ai-gateway-access. The role is
appended to organizations.default_org_member_roles by migration and to
rbac.DefaultOrgMemberRoles() for new organizations, so existing members
keep AI Gateway access.

Interception RBAC objects are now scoped to any organization so the
member-scoped perms of the new role authorize holders in any org they
belong to. Org admins are explicitly excluded from the org-level
aibridge grant to preserve the existing invariant that only site-wide
auditors and owners can read interceptions.

The AI Gateway enforces the permission at authentication time.
aibridgedserver.IsAuthorized previously validated only the API key and
user status; interception recording happens under the aibridged system
subject, so the initiator's own permissions were never consulted. Now
the initiator must be authorized to create an AI Bridge interception
(granted by the new role) or the request is rejected with
ErrNoAIGatewayAccess, which the HTTP layer surfaces as 403. The check
expands the user's roles (including custom roles) and evaluates with
the API key's scope set, so restricted-scope tokens cannot route AI
traffic unless their scope carries the interception create permission.
rolestore.Expand now accepts a narrow store interface so the aibridged
server's store can satisfy it.

The default-roles preset cards map Gateway to the new role and
Workspace to workspace-access plus ai-gateway-access, and the Edit
Roles UI gains descriptions for both organization-workspace-access and
organization-ai-gateway-access.
…e under permission-based licensing

Under permission-based licensing, AI Gateway access is licensed by the
AI Governance addon and gated by the organization-ai-gateway-access
role rather than per seat. RecordInterception therefore no longer
records ai_seat_state usage for the initiator when the
permission-based-licensing experiment is enabled; task workspace
builds still claim seats. Existing aibridge-reason seat rows are left
in place and age out when users are suspended or deleted.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant