docs: add ARCHITECTURE.md (current state); remove docs/service-api-architecture.md #63
Draft
emsearcy wants to merge 1 commit into
Conversation
Replace the internal working doc docs/service-api-architecture.md (committed unintentionally in the implementation PR #39) with a canonical ARCHITECTURE.md at the repo root describing the current state of the system.

Covers:
- Overview with high-level elk flowchart
- Client authn/authz: end-user OAuth2 JWT (PRM discovery, JWKS verify, scope gating), M2M client credentials, static API key stop-gap; stateless HTTP mode and per-request newServer() factory
- Upstream authn/authz: CTE (RFC 8693) for end-user callers; MCP-server M2M V2 token for M2M/API-key callers; native V2 pass-through vs. MCP-brokered service APIs (OpenFGA gate + per-service M2M token)
- Four end-to-end sequence diagrams covering all caller/upstream combinations

Closes #27 (superseded by PR #39 / commit 8de2df8).

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via OpenCode)

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>
Summary

Removes docs/service-api-architecture.md, an internal working doc that was committed unintentionally as part of the implementation PR #39 (Service API layer with OAuth2 client credentials for service APIs. Onboarding dummy tool, LFX Lens prod tool; commit 8de2df8) rather than through the design-review PR #27 (Architecture: Service API authorization design (Option 4)). PR #27 has been closed as superseded.

Adds ARCHITECTURE.md at the repo root describing the current state of the system.

What's in the doc

- §1 Overview — intro, transport modes, high-level elk flowchart showing all actors and data paths (clients, Auth0, MCP server internals, upstream APIs).
- §2 Client Authentication & Authorization — stateless HTTP mode and per-request newServer() tool-gating; end-user OAuth2 JWT (PRM discovery, JWKS verify, scope/claim extraction); M2M client credentials; static API key stop-gap (prose note only, no diagram).
- §3 Upstream Authentication & Authorization — CTE (RFC 8693) for end-user callers; MCP-server M2M V2 token for M2M/API-key callers; native LFX V2 pass-through vs. MCP-brokered service APIs (OpenFGA gate using the V2 token, then a separate per-service M2M client credentials token).
- §4 End-to-End Flows — four sequence diagrams covering every caller/upstream combination, one each around get_committee, query_lfx_lens, search_projects and onboarding_list_memberships.

Jira

ARCH-389
🤖 Generated with GitHub Copilot (via OpenCode)
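The end-user client path summarised in §2 (JWKS verification, then scope gating before the per-request server factory registers a tool) is the step where an ordering mistake matters most, so here is a worked Go example of those checks. It is an added example, not code from this PR or from the repository; every name in it (`verifyJWT`, `keyForKid`, `hasScope`, `mintTestToken`, the issuer, audience, `kid` and scope values) is a constructed assumption, and it stands in for the IdP with a throwaway key instead of fetching the JWKS found via PRM discovery over HTTPS. The check order is the point: algorithm pinned to RS256, signature verified against the key the JWKS publishes for the token's `kid`, and only then issuer, audience, expiry and scope read from the payload.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// jwk is the RSA subset of a JSON Web Key; jwks is a parsed JWKS document ({"keys": [...]}).
// encoding/json matches field names case-insensitively, so the lowercase JSON keys unmarshal here.
type jwk struct{ Kty, Kid, N, E string }
type jwks struct{ Keys []jwk }
// claims the gate inspects: aud is assumed to be a single string, scope the space-separated scope list.
type claims struct {
	Iss, Aud, Scope string
	Exp             int64
}

var b64 = base64.RawURLEncoding
// keyForKid selects the JWK matching kid and decodes its base64url modulus and exponent.
func keyForKid(keys jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		if k.Kid != kid {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, errors.New("unsupported or malformed jwk")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, errors.New("unknown kid: " + kid)
}

// verifyJWT pins the algorithm, selects the key by kid, checks the RS256 signature over
// header.payload, and only then trusts issuer, audience and expiry read from the payload.
func verifyJWT(token string, keys jwks, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed base64url segment")
		}
	}
	var hdr struct{ Alg, Kid string }
	if err = json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected header") // never let the token choose the algorithm
	}
	pub, err := keyForKid(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c claims
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || now.Unix() >= c.Exp {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return &c, nil
}

// hasScope implements scope gating: a tool is registered only when the verified token's scope claim contains the scope it requires.
func hasScope(c *claims, required string) bool {
	for _, s := range strings.Fields(c.Scope) {
		if s == required {
			return true
		}
	}
	return false
}

// mintTestToken generates a throwaway RSA key, publishes it as a JWKS and signs an RS256 token with it: a stand-in for the IdP, used only to construct test input.
func mintTestToken(kid string, c claims) (string, jwks) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "aud": c.Aud, "exp": c.Exp, "scope": c.Scope})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), keys
}
```

Scope gating then reduces to `hasScope(c, "projects:read")` at the point where a per-request server would register a tool; a token that verifies but lacks the scope never sees the tool, which is a safer failure than rejecting the whole request. A production verifier would additionally cache the JWKS with rotation handling and accept `aud` as either a string or an array, both of which this example leaves out.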