Define OAuth grant lifecycle profile#6
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e8a52b1349
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
SoundBlaster
left a comment
There was a problem hiding this comment.
Reviewed current head e8a52b1. The existing P2 threads about the RFC 9396 array shape and auth.* manifest endpoint names are valid and are not duplicated below. Local validation passes: the dashboard is current, JavaScript parses, all 21 JSON examples parse without duplicate keys, and git diff --check is clean. I found six additional P1 security/interoperability issues and one P2 consistency issue. I would treat the P1 items as merge blockers. Submitted as COMMENT because the connected GitHub account owns the PR; no merge was performed.
Motivation
Dashboard proposals #7, #8, #11, and #12 identify a missing end-to-end OAuth lifecycle: ASP referenced RAR, Token Exchange, introspection, and revocation without defining interoperable Agent Grant request, response, state, or event contracts.
Goals
grant.revokedprocessing.Changes
grant.revokedcontrol event.present, and regenerate the dashboard.Validation
make review-build PYTHON=/opt/homebrew/opt/python@3.10/libexec/bin/python3make review-check PYTHON=/opt/homebrew/opt/python@3.10/libexec/bin/python3/opt/homebrew/opt/python@3.10/libexec/bin/python3 -m json.tool review/review-data.json >/dev/nullgit diff --checkBoundaries and Non-Goals
grant_hash,surface_hash, receipt canonicalization, or signing profiles.grant.revokedbut leaves general event ordering, acknowledgement, replay cursor, retention, and backpressure to proposal #26.agent_delegationgrant type or IANA value.Notes
https://github.com/0al-spec/agent-surface/authorization-details/agent-grantas its collision-resistant identifier.