FLEX-WP-0006: implement ops-warden signing gate policy

2026-06-23 21:17:42 +02:00
parent 53e0d055c9
commit 0fde95a87c
25 changed files with 1796 additions and 10 deletions
--- a/internal/decision/engine.go
+++ b/internal/decision/engine.go
@@ -105,6 +105,7 @@ func (e *Engine) BatchCheck(ctx context.Context, request api.BatchCheckRequest)
 	for _, resource := range request.Resources {
 		decision, err := e.Check(ctx, api.CheckRequest{
 			ID:            request.ID,
+			Tenant:        request.Tenant,
 			Subject:       request.Subject,
 			Action:        request.Action,
 			Resource:      resource,
@@ -188,6 +189,15 @@ func (e *Engine) normalizeRequest(request api.CheckRequest) (api.CheckRequest, r
 	normalized := request
 	facts := registryFacts{}

+	if normalized.Tenant != "" {
+		if normalized.Subject.Tenant == "" {
+			normalized.Subject.Tenant = normalized.Tenant
+		}
+		if normalized.Resource.Tenant == "" {
+			normalized.Resource.Tenant = normalized.Tenant
+		}
+	}
+
 	if subject, ok := e.store.Subject(request.Subject.ID); ok {
 		facts.subjectFound = true
 		facts.subject = subject