Skip to content

nhi: GitLab class-B — project/group access-token syncers (Phase-1, M-scope)#91

Open
c1-squire-dev[bot] wants to merge 1 commit into
paul.querna/nhi-gitlab-class-b/s-scopefrom
paul.querna/nhi-gitlab-class-b/m-scope
Open

nhi: GitLab class-B — project/group access-token syncers (Phase-1, M-scope)#91
c1-squire-dev[bot] wants to merge 1 commit into
paul.querna/nhi-gitlab-class-b/s-scopefrom
paul.querna/nhi-gitlab-class-b/m-scope

Conversation

@c1-squire-dev

@c1-squire-dev c1-squire-dev Bot commented Jun 10, 2026

Copy link
Copy Markdown

🔗 Preview: C1

nhi: GitLab class-B — project / group access-token syncers (Phase-1, M-scope)

Part of the pqprime NHI program (RFC plans/nhi/rfc/rfc-v6.md). This is the M-scope half of the GitLab class-B work, stacked on #90 (S-scope). Merge #90 first; this PR's base is the S-scope branch.

Build-location rationale (baton-gitlab is the live fleet/lambda deploy source; native c1 pkg/connector/gitlab is legacy v1) is documented in #90.

What this PR adds (RFC §5.8.1, class B)

Resource type Kind / spine Axis-2 detail GitLab REST API (D-318)
project_access_token K1 / STATIC_SECRET gitlab.token.project_access GET /projects/:id/access_tokens — per-project; metadata only, backed by a per-project bot user
group_access_token K1 / STATIC_SECRET gitlab.token.group_access GET /groups/:id/access_tokens — per-group; metadata only, backed by a per-group bot user

These are the new-syncer (M) cases: per-parent fan-out rather than a single list call. Fan-out is wired by adding ChildResourceType annotations to the existing project and group resources, so the SDK invokes each token builder once per project / per group (group access tokens exist on subgroups too, so the annotation is emitted on every group).

  • K1 emission: each token resource carries a SecretTrait stamped credential_type = STATIC_SECRET + axis-2 credential_detail.
  • Identity back-ref: project/group access tokens are backed by a bot service account; the API returns its user_id, which is set as SecretTrait.identity_id (K1↔K2 link).
  • Permission errors on a single project/group are logged and skipped (consistent with the existing member-sync behavior), so a partially-scoped admin token still completes the sync.

RFC rule compliance

  • Emit positively or not at all; UNSPECIFIED on unknown (§2.6) — credential_type only ever set to STATIC_SECRET.
  • No V1Identifier; no reserved slots; axis-2 strings follow <platform>.<object>.<purpose> (§2.8).

Testing

  • go build ./..., go test ./..., golangci-lint run, gofmt — all green.
  • Unit tests assert STATIC_SECRET + axis-2 detail + bot-user identity back-ref + parent linkage for both project and group access tokens.

🤖 Built with pqprime


Exposed endpoints

🏰 Squire environment: sleepy-dolphin-46579
Task: d94ceb36-4399-49c3-a3fd-977c87ce323b

@c1-squire-dev
c1-squire-dev Bot force-pushed the paul.querna/nhi-gitlab-class-b/m-scope branch 3 times, most recently from 6673039 to 1be85b4 Compare June 10, 2026 17:46
…scope)

Adds the per-parent-fan-out access-token syncers (pqprime NHI Phase-1,
RFC §5.8.1 — class B), stacked on the S-scope PR:

- project_access_token (K1 / STATIC_SECRET, axis-2 gitlab.token.project_access)
  GET /projects/:id/access_tokens, fanned out per project.
- group_access_token (K1 / STATIC_SECRET, axis-2 gitlab.token.group_access)
  GET /groups/:id/access_tokens, fanned out per group (incl. subgroups).

Each access token is backed by a per-resource bot user; that user_id is
emitted as the SecretTrait identity back-reference. Fan-out is wired via
ChildResourceType annotations on the project and group resources.

Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
@c1-squire-dev
c1-squire-dev Bot force-pushed the paul.querna/nhi-gitlab-class-b/m-scope branch from 1be85b4 to f7aaaf6 Compare June 10, 2026 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant