[User OBO Propagation] Per-user identity + access token propagation to worker tool handlers

[ChrisKrawczyk]

Summary

Six-phase delivery enabling downstream OBO consumers to perform OAuth2 On-Behalf-Of flows from worker tool handlers as the signed-in portal engineer rather than as the worker UAMI. ADO is the first anticipated consumer; future Graph/other consumers benefit from the same surface.

PilotSwarm now propagates a per-RPC user envelope from portal sign-in (MSAL acquisition with configurable downstream scope + offline_access) through an envelope-encrypted carrier (AKV-wrapped DEK + AES-256-GCM ciphertext) into a worker-side synchronous lookup (getUserContextForSession(sessionId)) plus a structured tool-outcome family (interactionRequired / serviceUnavailable) for principled error propagation back to the portal UI, including transport-level auto re-auth.

Subsequent compartmentalization work generalized the in-process tool extension surface: plugin.json now supports a tools field for app-tier tool plugins (atomic, fail-fast collision policy; PluginManifest exported as a public SDK type). The OBO live-smoke harness consumes this contract and is fully detached from the default deploy surface — production deploys carry zero smoke code, zero smoke env keys, and zero smoke-only configuration.

Architecture invariants

Codified in .github/copilot-instructions.md under "User OBO (User-On-Behalf-Of) Propagation":

• Wire field is envelope (carrying plaintext principal claims plus optional accessTokenCipher), not envelopeCipher. Plaintext principal claims flow on every worker-bound RPC; only the access token is encrypted.
• Three crypto backends in packages/sdk/src/envelope-crypto.ts selected by selectEnvelopeCrypto(env): AkvEnvelopeCrypto (production; AKV SDKs lazy-loaded so non-OBO consumers don't pull deps), InMemoryEnvelopeCrypto (tests), PlaintextEnvelopeCrypto (dev-only, with loud startup warning, sentinel kekKid: "plaintext-mode").
• KEK rotation safety: cipher records wrapResult.keyID (versioned URL) so prior-version retention covers in-flight envelopes when the KEK is rotated.
• accessToken: null is the universal absence signal (no token configured, system/orchestration session, AKV unwrap failure).
• Structured outcomes (packages/sdk/src/tool-outcomes.ts) with pinned reason codes (reauth_required | mfa_refresh | conditional_access | consent_required) — three-way machine-distinguishable from generic tool failure. The claims blob never reaches the LLM transcript; portal re-auth UI keys off reasonCode.
• Portal-side ~5-min near-expiry refresh; worker never persists refresh tokens.
• Single-tenant assumption; scope minimization (only configured PORTAL_AUTH_ENTRA_DOWNSTREAM_SCOPE is acquired).
• FR-014 trust boundary: worker tools must not synthesize principals from CMS owner when an envelope is absent — refuse or emit serviceUnavailable/interactionRequired.

Plugin contract & smoke compartmentalization

Folded in late in the cycle as a generalization of the OBO live-smoke harness:

• plugin.json gains an optional tools field — a string path to a JS module that exports registerTools(worker). The worker plugin loader invokes this hook at start() for app-tier plugins (pluginDirs); system/management tier ignore-with-warning.
• Tool registration is atomic and collision-safe: a ToolNameCollisionError from any contributor names both contributors, and no partial set of the offending plugin's tools remains registered. Loader is fully fail-closed (missing dirs, missing modules, missing exports, sync throw, async reject all halt startup).
• PluginManifest is exported from pilotswarm-sdk as a public TypeScript type so plugin authors can validate plugin.json at compile time. See docs/plugin-architecture-guide.md §7.
• The OBO live-smoke harness moved from examples/obo-smoke/ to packages/obo-smoke-plugin/ and consumes the same contract as any other app-tier plugin — no special-casing.
• Triple-conjunction opt-in to activate smoke on a stamp:
  1. --variant smoke worker image build (selects Dockerfile.worker's runtime-smoke target);
  2. deploy/envs/template.smoke.env overlay composed into the per-stamp env;
  3. PLUGIN_DIRS=/app/packages/obo-smoke-plugin set on the worker.
• Default deploys carry zero smoke code/config/deps. OBO_SMOKE_ENABLED is no longer a worker boot gate — it's a stamp marker the smoke driver preflights.
• Static-parse and directory-walk tests in deploy/scripts/test/ pin the multi-stage Dockerfile contract and prevent reintroduction of smoke env keys into the default surface.

Implementation history

• 2b7a80f envelope-crypto backends + UserContextStore foundation
• 62987b9 orchestration plumbing + portal/CLI envelope wiring on every worker-bound RPC; f9a7a95 carrier JSDoc fix
• 0f40d84 worker-affined getCurrentUserContextForSession lookup with chain resolution (sub-agent → root portal-bound parent at lookup time, with re-rooting support per FR-021)
• 72de0d1 portal MSAL downstream-scope acquisition + envelope encryption end-to-end
• 42d995e interactionRequired / serviceUnavailable structured tool outcomes (FR-008, FR-008b)
• c1c9bc4 examples/obo-smoke/ reference plugin (whoami via Graph /me, force_reauth against CA-protected scope) + docs/operations/obo-kek-runbook.md live-tenant smoke checklist
• c5c48df AKV KEK provisioning Bicep + deploy wiring + version bump 0.1.36; c327312 review fixes (missing @azure/keyvault-keys dep, worker overlay scope key, KID versioning, builder template)
• Final review fixes — 5c5bae0 smoke principal-shape access (F1), worker.stop finally block (F4), portal transport-level auto re-auth wire (F3) — debounced ~30s/session, global in-flight guard, fires getDownstreamToken({ interactive: true }) on interaction_required outcomes
• Skills + contributor docs — 3338fc8 new "User OBO Propagation" section in copilot-instructions.md; pilotswarm-tui SKILL updated to capture portal auto-reauth wire; pilotswarm-release SKILL adds OBO live-tenant smoke gate
• Plaintext-mode warning regression test — f05e1a4 3 new unit cases asserting console.warn fires from selectEnvelopeCrypto with the expected payload, and that AKV / null paths stay quiet
• Repeatable live-smoke primitives — e74f996 AKS-compatible smoke plugin backend (auto-selects client-secret vs workload-identity FIC), OBO_SMOKE_ENABLED deploy toggle, pilotswarm smoke <stamp> --profile obo CLI driver with JSON pass/fail, .github/workflows/live-smoke-obo.yml workflow_dispatch scaffold, and consolidated docs/operations/live-smoke.md. Closes the FR-015 "FIC out of scope for smoke plugin" gap and makes the npm-publish release gate (FR-018) a one-command operation
• Final-review must-fixes — bundled into e74f996: (1) AKV unwrap in-activity retry loop with [500ms, 2s, 5s] backoff before falling through to service_unavailable (FR-024 transient-retry compliance); (2) portal transport eventType/type normalization in browser-transport.js maybeTriggerInteractiveReauth with 6 new regression tests in portal-interactive-reauth.test.js
• Final-review should-fix + consider — c37d978: pinned InteractionRequiredReasonCode union + INTERACTION_REQUIRED_REASON_CODES set with reject-on-unknown enforcement in the interactionRequired() helper; .env.example OBO_KEK_KID example normalized to un-versioned form with explanatory comment matching docs/configuration.md and docs/operations/obo-kek-runbook.md
• Live-smoke deploy-pipeline plumbing — 6c97b7b: project OBO_SMOKE_WORKER_APP_TENANT_ID / _CLIENT_ID / _GRAPH_SCOPE + OBO_SMOKE_TEST_USER_UPN through deploy/envs/template.env, compose-env.mjs sentinel-fallback, and the worker overlay so flipping OBO_SMOKE_ENABLED=true on a stamp lands the smoke plugin's per-stamp downstream-app config in the worker ConfigMap automatically (no manual Secret edits, no worker image rebuild). On AKS the plugin uses workload-identity FIC; CLIENT_SECRET stays a local-dev escape hatch. pilotswarm-npm-deployer.agent.md and pilotswarm-new-env-deploy/SKILL.md updated with toggle workflow + post-deploy verification snippet
• Final docs sync — fdd41c7: CHANGELOG.md / docs/sdk/user-context.md / docs/operations/live-smoke.md updated to capture pinned reason-code enforcement and the deploy-pipeline plumbing for the smoke harness
• Deploy-scripts docs surface — 698213c: deploy/scripts/README.md documents OBO_KEK_KID + OBO_SMOKE_* knobs so operators see them in the canonical script reference, not just the per-stamp env
• Auto-provision OBO smoke worker AAD app — 23b731c: new deploy/scripts/auth/Setup-OboSmokeWorkerApp.ps1 (idempotent app-registration + service-principal + workload-identity FIC + un-versioned scope) takes the FR-018 release-gate smoke from "operator manually pre-creates the worker app" to a one-command bring-up for a fresh stamp. Wired into the npm-deployer agent + pilotswarm-new-env-deploy SKILL as a pre-step gated on OBO_SMOKE_ENABLED=true. New deploy/scripts/test/setup-obo-smoke-worker-app.test.mjs exercises 18 invariants (idempotency, FIC subject shape, scope un-versioned form, cross-file bicep contract). Fixes a real cross-file bug found by impl-review cycle 1: deploy/services/base-infra/bicep/main.bicep consumed Aks.outputs.oidcIssuerUrl internally but never emitted it as a top-level output, so the script's Resolve-OidcIssuerFromEnv would have thrown on every fresh stamp — INV-9 pins the contract going forward
• Final-review polish — 8d0aa9b: applied two findings from paw-final-review (PASS-WITH-OBSERVATIONS): (1) .github/copilot-instructions.md self-inflicted drift to the early-draft name getCurrentUserContextForSession corrected to the locked, shipped API name getUserContextForSession; (2) packages/sdk/src/types.ts InteractionRequiredReasonCode union and INTERACTION_REQUIRED_REASON_CODES ReadonlySet re-derived from a single private as const tuple so the type and runtime check can no longer silently drift. Public export shape unchanged (still ReadonlySet) — no breaking change to downstream consumers
• Internal phase-label cleanup — d807965: rewrites comments, docs, skills, and test describe blocks that referenced internal PAW workflow phases (e.g. "Phase 6", "Phase 7 — FR-026") to use the feature name ("User OBO"), the relevant spec FR, or nothing. Two test files renamed (phase3-* → obo-*). Surfaces unrelated to this PR (enterprise deploy roadmap in main.bicep, portal-authz roadmap, Foundry proposal phases, algorithm-internal dehydrate() step labels) deliberately left intact
• Persist OBO spec + neutralize internal-product references — df01c88: persists the User OBO Propagation spec to docs/specs/user-obo-propagation.md so the FR-XXX / SC-XXX citations scattered across source comments, docs, tests, and skills resolve to a real document in this repo. Replaces internal-product/cluster identifiers across 18 files (docs, skills, proposals, fixtures, builder templates, source comments) with neutral placeholders (downstream consumer / ExampleApp / <aks-cluster> / <resource-group>) so the OSS surface stays product-neutral
• Remove non-runnable live-smoke GHA workflow scaffold — 71a812e: the shipped .github/workflows/live-smoke-obo.yml could not actually run (loaded gitignored per-stamp .env, required Azure subscription / OIDC trust this repo does not provision). Removed the workflow + its actionlint-shape test, reworded FR-028 to "deferred — future work" with the gating prerequisites documented inline, and added a brief "CI workflow (future work)" section to docs/operations/live-smoke.md explaining how an operator can add one later. The CLI driver remains the supported local-operator path
• Plugin tools contract + OBO smoke plugin migration — 22fd8f9: introduces the tools field on plugin.json and the registerTools(worker) export contract (atomic, collision-safe, fail-closed); migrates the live-smoke harness from examples/obo-smoke/ to packages/obo-smoke-plugin/ consuming the new contract end-to-end. 17 new unit cases pin the contract's failure modes
• Default surface cleanup — 4d4b484: removes OBO_SMOKE_* blocks from deploy/envs/template.env, deploy/gitops/worker/overlays/default/.env, and the deploy/scripts/lib/compose-env.mjs sentinel-fallback. Adds deploy/envs/template.smoke.env as the opt-in overlay (operators copy these keys into a per-stamp env when running smoke). 3 new compose-env tests including a directory-walk invariant that prevents OBO_SMOKE_* from being reintroduced into deploy/scripts/lib/
• Multi-stage Dockerfile with opt-in smoke variant — cb0a915: splits Dockerfile.worker into base → runtime-smoke → runtime with runtime as the LAST stage, so bare docker build produces a smoke-free image. deploy/scripts/lib/build-image.mjs accepts variant: "default" | "smoke"; the smoke variant appends -smoke to the image tag and passes --target runtime-smoke to buildx. 5 static-parse tests (dockerfile-worker.test.mjs) + 1 call-site audit test (build-call-sites.test.mjs) pin the convention against future drift
• Documentation sweep — f28459f: 22-file sweep across operator docs (docs/operations/live-smoke.md, docs/specs/user-obo-propagation.md FR-025/026/027 reframing), schema-doc surfaces (plugin-architecture-guide, configuration, system-reference, building-apps for cli + sdk), skills (pilotswarm-new-env-deploy, pilotswarm-obo-smoke-app-reg, pilotswarm-aks-deploy, pilotswarm-release), agents (pilotswarm-npm-deployer), setup READMEs, plugin-internal docs, CHANGELOG, and .github/copilot-instructions.md. All examples/obo-smoke references updated to packages/obo-smoke-plugin; OBO_SMOKE_ENABLED reframed as a stamp marker rather than a worker boot gate
• Public PluginManifest type — 12fe822: re-exports the typed manifest interface from pilotswarm-sdk so plugin authors get TypeScript-level validation of their plugin.json contents. Corrects a pre-existing doc bug in docs/plugin-architecture-guide.md §7 (the example used object form for tools; the loader only accepts string form). 2 new unit cases verify the public re-export and validate the runtime shape of every checked-in plugin.json
• Drop internal phase-numbering leak — 878113a: rewrites a comment in packages/obo-smoke-plugin/tools.js that referenced internal PAW phase numbering (Phase-4 outcome family); the shipped source carries no internal workflow phase labels

Coordination with downstream consumer specs

Lookup contract and outcome taxonomy were locked through coordinated review with downstream consumer per-user-delegation work:

• Lookup return shape ({ principal, accessToken, accessTokenExpiresAt }) and accessToken: null semantics confirmed.
• Outcome reason-code taxonomy pinned; portal re-auth keys off reasonCode.
• Bicep oboKekUamiPrincipalIds array contract supports both single-UAMI and dual-UAMI (PilotSwarm reference shape) deployments via parameter file alone — no template fork.
• KEK shape locked: RSA 2048, wrapKey/unwrapKey only, 365-day auto-rotate with prior-version retention; un-versioned OBO_KEK_KID accepted, encrypt-time records versioned URL.
• Re-rooting (sub-agent → portal entry) covered by chain-resolution-at-lookup-time; downstream consumer tools require no special handling.

Operator-visible config

• Portal: PORTAL_AUTH_PROVIDER=entra, PORTAL_AUTH_ENTRA_TENANT_ID, PORTAL_AUTH_ENTRA_CLIENT_ID, PORTAL_AUTH_ENTRA_DOWNSTREAM_SCOPE (e.g. api://<worker-app>/.default offline_access).
• Worker: OBO_KEK_KID (full or unversioned AKV key URL), WORKLOAD_IDENTITY_CLIENT_ID.
• Both pods need Key Vault Crypto User on the OBO KEK AKV.
• Live-smoke (opt-in only): build worker image with --variant smoke, compose deploy/envs/template.smoke.env into the per-stamp env, set PLUGIN_DIRS=/app/packages/obo-smoke-plugin. See docs/operations/live-smoke.md.

Testing

• 70+ OBO-specific unit tests across envelope-crypto, obo-envelope-shape, obo-envelope-roundtrip, obo-no-plaintext-in-queue, obo-smoke-plugin-loadable, plugin-tools-contract, plugin-manifest-type — all pass.
• 215/215 deploy-script tests (including new dockerfile-worker.test.mjs, build-call-sites.test.mjs, and the directory-walk invariant guarding the default deploy surface against OBO_SMOKE_* reintroduction) — all pass.
• tsc --noEmit clean across packages.
• Live-tenant smoke checklist (docs/operations/live-smoke.md) — operator-run release gate; must be exercised on the publishing stamp before npm publish for any OBO-touching release. The pilotswarm-release SKILL now codifies this. Full feature spec lives at docs/specs/user-obo-propagation.md.

Pre-existing flakes (NOT caused by this PR)

• force-module.test.mjs — Node 24 mock.module API change, pre-dates this branch.
• 2 cases in obo-envelope-roundtrip.test.js — require live LLM provider env, expected to be skipped/red in offline CI.

Breaking changes

None. The envelope is additive on the wire (existing fields unchanged; new accessTokenCipher is optional). Workers without OBO crypto config fall back gracefully (selectEnvelopeCrypto returns null, plaintext principal-only envelopes continue to flow). Existing non-portal callers (local TUI hosts) are unaffected — getUserContextForSession returns null. Public getDownstreamToken({ interactive }) option is backwards-compatible (existing callers pass no args). The plugin tools field is purely additive; existing plugins without it keep working unchanged. The smoke harness path moved (examples/obo-smoke/ → packages/obo-smoke-plugin/) — operators are not expected to import from the old path; the Setup-OboSmokeWorkerApp.ps1 paste-block emits the new PLUGIN_DIRS line automatically.

Deployment

• Version bump to 0.1.36 across pilotswarm-sdk, pilotswarm-cli, pilotswarm-web.
• New runtime dep: @azure/keyvault-keys: ^4.10.0 (required when OBO is active; lazy-loaded otherwise).
• New env vars in worker overlay: OBO_KEK_KID, PORTAL_AUTH_ENTRA_DOWNSTREAM_SCOPE (sentinel __PS_UNSET__ keeps non-OBO deployments unchanged).
• Bicep AKV-KEK provisioning + RBAC parameterized via oboKekUamiPrincipalIds.
• Worker image is now multi-stage (Dockerfile.worker); default docker build resolves to the smoke-free runtime target. Smoke stamps must build with --variant smoke (docker buildx build --target runtime-smoke).
• Operator runbook: docs/operations/obo-kek-runbook.md.

Deferred (intentional, tracked in plan candidates)

• Structured PII redaction in queue payloads & log capture — separate follow-on workstream. Plaintext principal claims (email, displayName) ride on every worker-bound RPC envelope; data category is not new (already in cms.sessions.owner at rest), but the new wire surface increases the audit footprint from 3 → ~50 sites. Deferred so a future workstream can land redaction uniformly across both old and new sites rather than scope-creeping the OBO feature.
• Smoke driver extraction into a standalone pilotswarm-smoke package — deferred to its own spec; the driver currently lives inside pilotswarm-cli. Compartmentalization at the worker-image level (this PR) is sufficient for the OBO release.
• Generic plugin lifecycle hooks (init(worker) / dispose()) — deferred to its own spec; the tools field landed in this PR covers the immediate OBO need without committing to a broader lifecycle API.

🐾 Generated with PAW