Skip to content

feat(go): add approval chain parity#3242

Open
carloshvp wants to merge 1 commit into
microsoft:mainfrom
carloshvp:go-approval-chain-parity
Open

feat(go): add approval chain parity#3242
carloshvp wants to merge 1 commit into
microsoft:mainfrom
carloshvp:go-approval-chain-parity

Conversation

@carloshvp

Copy link
Copy Markdown
Contributor

Summary

  • add Go SDK approval-chain protocol objects, action binding digests, and a fail-closed coordinator for require_approval
  • add a versioned webhook approval transport that validates request/action binding echoes and requires verified approver identity for allow responses
  • wire AgentMeshClient to optionally route require_approval decisions through an approval coordinator
  • document the new Go approval-chain surface

Scope

This is the Go SDK slice for #3083. TypeScript already has a separate parity PR in flight, so this PR keeps the language scope to agent-governance-golang/.

Validation

  • /tmp/codex-go1.25.11/go/bin/gofmt -w agent-governance-golang/packages/agentmesh/approval.go agent-governance-golang/packages/agentmesh/approval_test.go agent-governance-golang/packages/agentmesh/client.go agent-governance-golang/packages/agentmesh/types.go
  • /tmp/codex-go1.25.11/go/bin/go test ./... from agent-governance-golang/

Signed-off-by: Carlos Hernandez <carloshvp@gmail.com>
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

PR Review Summary

Check Status Details
🔍 Code Review ⚠️ Missing No current-run comment
🛡️ Security Scan ⚠️ Missing No current-run comment
🔄 Breaking Changes ⚠️ Missing No current-run comment
📝 Docs Sync ⚠️ Missing No current-run comment
🧪 Test Coverage ⚠️ Missing No current-run comment

Verdict: ⚠️ AI review incomplete; ready for human review

AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims.

@github-actions github-actions Bot added documentation Improvements or additions to documentation size/XL Extra large PR (500+ lines) labels Jul 1, 2026
@carloshvp carloshvp marked this pull request as ready for review July 1, 2026 19:55

@MohammadHaroonAbuomar MohammadHaroonAbuomar left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Timeout, unverified-webhook, context/cancel, and the zero-required-stage guard are all correct (the last one is stricter than Python and TS; nice).

The parity claim is not met yet:

  1. approval.go:388: RequestApproval collapses open, submit, and resolve into one synchronous call. There is no ApprovalStore, no open_request/submit_entry split, no ADR-0030 §6 validateForExecution (digest / policy-version / tamper check at execution time), and no one-time consume. Without these an allow can be replayed and there is no execution-time revalidation.
  2. approval.go:873,939: writeCanonicalJSON uses json.Marshal (HTML-escapes <>&) and sort.Strings (byte order). Action digests will diverge from Python JCS whenever a parameter contains <, >, & (SQL, URLs) or a non-ASCII key. Use an Encoder with SetEscapeHTML(false) and UTF-16 code-unit key ordering per RFC 8785.
  3. approval.go:79-96: ApprovalStatus missing cancelled/consumed; ApproverKind missing llm_advisory and its skip-from-satisfaction logic.
  4. approval.go:176: ApprovalVote.StageIndex is written at :506 and never read (entryFromVote uses stage.StageIndex). Dead field. ApprovalVote.Roles (:182) is never populated by the only shipped transport, so ApprovalStage.AllowedRoles is unreachable.
  5. approval.go:823-845: SSRF blocklist is missing fd00:ec2::254 (AWS IMDS IPv6) present in Python _BLOCKED_HOSTS.
  6. approval.go:91-96 / client.go:79-85: on error decision = Deny but approval stays nil, so the audit trail loses the reason.

Also: 983L in one file vs 5-6 in Python/TS. Splitting into models / coordinator / webhook / digest would make the missing store obvious and match sibling SDKs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation size/XL Extra large PR (500+ lines)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants