feat(gateway): phase7 public access layer (entitlements, rate limits, public list)

2026-03-05 09:19:25 -08:00
parent e6e705a38b
commit 465669fc1d
5 changed files with 2187 additions and 26 deletions
--- a/migrations/056_agent_access_policies.sql
+++ b/migrations/056_agent_access_policies.sql
@@ -0,0 +1,61 @@
+-- Phase-7 public access layer
+-- Access policy + allowlist tables for gateway entitlements/rate-limits.
+
+CREATE TABLE IF NOT EXISTS agent_access_policies (
+    agent_id TEXT PRIMARY KEY,
+    enabled BOOLEAN NOT NULL DEFAULT TRUE,
+    public_active BOOLEAN NOT NULL DEFAULT TRUE,
+    requires_whitelist BOOLEAN NOT NULL DEFAULT FALSE,
+    user_global_limit INTEGER NOT NULL DEFAULT 60,
+    user_global_window_seconds INTEGER NOT NULL DEFAULT 300,
+    user_agent_limit INTEGER NOT NULL DEFAULT 20,
+    user_agent_window_seconds INTEGER NOT NULL DEFAULT 300,
+    group_agent_limit INTEGER NOT NULL DEFAULT 10,
+    group_agent_window_seconds INTEGER NOT NULL DEFAULT 300,
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE TABLE IF NOT EXISTS agent_allowlist (
+    id BIGSERIAL PRIMARY KEY,
+    platform TEXT NOT NULL,
+    platform_user_id TEXT NOT NULL,
+    agent_id TEXT NOT NULL REFERENCES agent_access_policies(agent_id) ON DELETE CASCADE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+    UNIQUE (platform, platform_user_id, agent_id)
+);
+
+CREATE INDEX IF NOT EXISTS idx_agent_access_policies_enabled
+    ON agent_access_policies (enabled, public_active);
+
+CREATE INDEX IF NOT EXISTS idx_agent_allowlist_lookup
+    ON agent_allowlist (platform, platform_user_id, agent_id);
+
+INSERT INTO agent_access_policies (
+    agent_id,
+    enabled,
+    public_active,
+    requires_whitelist
+)
+VALUES
+    ('daarwizz', TRUE, TRUE, FALSE),
+    ('helion', TRUE, TRUE, FALSE),
+    ('greenfood', TRUE, TRUE, FALSE),
+    ('agromatrix', TRUE, TRUE, FALSE),
+    ('alateya', TRUE, TRUE, FALSE),
+    ('nutra', TRUE, TRUE, FALSE),
+    ('druid', TRUE, TRUE, FALSE),
+    ('clan', TRUE, TRUE, FALSE),
+    ('eonarch', TRUE, TRUE, FALSE),
+    ('senpai', TRUE, TRUE, FALSE),
+    ('oneok', TRUE, TRUE, FALSE),
+    ('soul', TRUE, TRUE, FALSE),
+    ('yaromir', TRUE, TRUE, FALSE),
+    ('sofiia', TRUE, TRUE, FALSE),
+    ('monitor', FALSE, FALSE, TRUE),
+    ('aistalk', FALSE, FALSE, TRUE)
+ON CONFLICT (agent_id) DO UPDATE
+SET
+    enabled = EXCLUDED.enabled,
+    public_active = EXCLUDED.public_active,
+    requires_whitelist = EXCLUDED.requires_whitelist,
+    updated_at = now();