Adds session_mode flag to AC lifecycle. When session_mode=true:
- AC transitions to 'active' (not 'consumed') on first CR
- Stays active for subsequent CRs during the session
- 'session_end' outcome transitions AC to 'consumed'
- Non-session ACs behave as before (consumed on first CR)
Schema:
- ACStatus: add ACTIVE enum value
- Outcome: add SESSION_END enum value
- AuthorizeRequest: add session_mode bool field
- AuthorizationContextDB: add session_mode column
- Auto-migration via ALTER TABLE on startup
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three bugs in the complete handler:
1. SQLAlchemy greenlet: ORM model attribute access triggers sync
lazy-loads in async context. Fix: raw SQL via text() for all
DB operations in the CR handler.
2. UUID format: SQLite stores UUIDs without hyphens (via SQLModel).
Raw SQL comparisons must strip hyphens: str(uuid).replace("-","")
3. Missing received_at: NOT NULL constraint on completion_receipts.
Raw INSERT was missing the column. Added received_at=now().
Full AC/CR cycle now verified:
AC → 200, principal DID resolved from Keycloak token
CR → 200, receipt ID + Chronicle CID returned
Session → 200, chain of custody queryable
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Added _extract_token_data() to authorize endpoint. Extracts JWT
from Authorization header and passes it to the Keycloak identity
driver as _token_data. This was the missing link — the driver
needs the token to resolve the principal DID.
Verified on Hetzner:
AC issued for tyler@bxnet.io →
did:web:bxnet.capstone.guildhouse.dev/principal/tyler@bxnet.io
Chronicle event emitted (GSAP_AC_ISSUED)
Known issue: CR endpoint has SQLAlchemy async greenlet bug
(MissingGreenlet on the select+update in complete handler).
AC issuance works. CR needs async session fix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reference implementation of GCAP-SPEC-SHELLBOUND-BROKER-0001
in FastAPI. Designed for ISVs and enterprises implementing
the governed shell authorization protocol.
Architecture:
FastAPI + SQLModel + Pydantic + async SQLite
Single container deployment: Dockerfile included
OpenAPI schema at /docs is the machine-readable GSAP contract
Broker Interface (§5):
POST /governance/authorize/ — Issue AC
GET /governance/authorize/{p}/ — Poll elevation
POST /governance/complete/ — Receive CR
GET /governance/session/{id}/ — View chain of custody
POST /governance/elevate/ — JIT elevation
GET /governance/drivers/ — List drivers
Identity Driver Interface (§2.2):
IdentityDriver — abstract base (ISV extension point)
KeycloakDriver — Keycloak implementation
DriverRegistry — driver lookup and registration
Chronicle integration (§1.4):
Optional CloudEvents emission via CHRONICLE_WEBHOOK_URL
Forgejo push event format for receiver compatibility
Models:
Pydantic schemas for AC, CR, Principal, Accord, Operation
SQLModel DB models for persistence
Tests: 6 async tests including full AC→CR cycle
695 lines across 27 files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
