
feat(ee): Gate service accounts behind entitlement#2582

Merged: daryllimyt merged 3 commits into main from codex/create-entitlement-for-api-key-access on Apr 30, 2026

Conversation

daryllimyt (Contributor) commented Apr 30, 2026

Motivation

  • Introduce a feature flag/entitlement for service accounts so the capability can be enabled/disabled per-organization/tier.
  • Prevent UI and API access to service accounts when the organization's service_accounts entitlement is not enabled.

Description

  • Frontend: added entitlement checks via useEntitlements, render EntitlementRequiredEmptyState when service accounts are disabled, and pass enabled flags to service account hooks (useOrganizationServiceAccounts, useWorkspaceServiceAccounts, useOrganizationServiceAccountScopes, useWorkspaceServiceAccountScopes) to avoid unnecessary queries.
  • Frontend: hide Service Accounts links in AppSidebar and OrganizationSidebar unless service_accounts entitlement is present and entitlements have finished loading.
  • Backend: added SERVICE_ACCOUNTS to Entitlement enum and included service_accounts in entitlement schemas and defaults (tiers/schemas.py, tiers/enums.py, tiers/defaults.py, tiers/types.py).
  • Backend: enforced entitlement checks for service account endpoints and operations by wiring a router-level dependency and applying @requires_entitlement(Entitlement.SERVICE_ACCOUNTS) on service methods, and by blocking API key auth if the organization is not entitled (auth/credentials.py, service_accounts/router.py, service_accounts/service.py).

Testing

  • No automated tests were run as part of this change.

Codex Task


Summary by cubic

Gate service accounts behind the org service_accounts entitlement across UI and API. When not entitled, the UI hides service accounts and API key auth for service accounts is rejected to meet the API key access gating requirement.

  • New Features

    • Added Entitlement.SERVICE_ACCOUNTS and wired service_accounts through tier schemas, types, defaults, and resolver.
    • Enforced entitlement on service account routes via a router Depends and on service methods via @requires_entitlement(Entitlement.SERVICE_ACCOUNTS).
    • Blocked API key authentication for service accounts when the org lacks service_accounts.
    • Frontend: hide Service Accounts in sidebars; show EntitlementRequiredEmptyState on settings pages; service account hooks accept an enabled flag to skip queries when not entitled.
  • Migration

    • Enable service_accounts for tiers/orgs that should use service accounts (defaults remain false, including OSS).

Written for commit 1614bb5.
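The description above lists three enforcement points for the same entitlement: a router-level dependency, a @requires_entitlement decorator on service methods, and a check during API key authentication. The following Python example, added here and not taken from tracecat, shows why a defender wants all three. Every name in it (Entitlement, requires_entitlement, require_entitlement, ServiceAccountService, authenticate_api_key, the ORG_ENTITLEMENTS table) is an assumed stand-in written for this page, the framework dependency is replaced by a plain function call, and the org and key data are constructed.

```python
"""Added example (not tracecat's code): layered entitlement gating for a
feature such as service accounts.  All names here are assumptions modelled
on the PR description, not the project's real API."""

import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps


class Entitlement(str, Enum):
    SERVICE_ACCOUNTS = "service_accounts"


class EntitlementRequired(PermissionError):
    """Raised when an organization lacks the entitlement a code path needs."""


# Constructed tier data: the OSS default is False (matching "defaults remain
# false, including OSS" in the PR), and one org has the feature enabled.
ORG_ENTITLEMENTS = {
    "org-oss": {Entitlement.SERVICE_ACCOUNTS: False},
    "org-ee": {Entitlement.SERVICE_ACCOUNTS: True},
}


def is_entitled(org_id: str, entitlement: Entitlement) -> bool:
    """Deny by default: an unknown org or a missing key resolves to False."""
    return ORG_ENTITLEMENTS.get(org_id, {}).get(entitlement, False)


def require_entitlement(org_id: str, entitlement: Entitlement) -> None:
    """Layer 1, router level: run once per request before any handler executes."""
    if not is_entitled(org_id, entitlement):
        raise EntitlementRequired(f"{entitlement.value} is not enabled for {org_id}")


def requires_entitlement(entitlement: Entitlement):
    """Layer 2, service level: re-check on every method so callers that never
    pass through the router (jobs, other services) cannot bypass the gate."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(self, *args, **kwargs):
            require_entitlement(self.org_id, entitlement)
            return fn(self, *args, **kwargs)
        return wrapper
    return decorator


def _hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class ServiceAccount:
    name: str
    org_id: str
    key_hash: str  # only a hash of the API key is stored


@dataclass
class ServiceAccountService:
    org_id: str
    accounts: list = field(default_factory=list)

    @requires_entitlement(Entitlement.SERVICE_ACCOUNTS)
    def create(self, name: str, raw_key: str) -> ServiceAccount:
        account = ServiceAccount(name, self.org_id, _hash_key(raw_key))
        self.accounts.append(account)
        return account

    @requires_entitlement(Entitlement.SERVICE_ACCOUNTS)
    def list_accounts(self) -> list:
        return list(self.accounts)


def authenticate_api_key(accounts: list, raw_key: str) -> ServiceAccount:
    """Layer 3, authentication: a valid key from a non-entitled org is rejected
    before any workspace resolution, so revoking the entitlement cuts off API
    access even for keys issued while it was enabled."""
    presented = _hash_key(raw_key)
    for account in accounts:
        if hmac.compare_digest(account.key_hash, presented):
            require_entitlement(account.org_id, Entitlement.SERVICE_ACCOUNTS)
            return account
    raise PermissionError("invalid API key")


def demo() -> dict:
    """Exercise the three layers with the constructed orgs; returns outcomes."""
    ee = ServiceAccountService("org-ee")
    ee.create("ci-bot", "ee-key-123")
    oss = ServiceAccountService("org-oss")
    try:
        oss.create("ci-bot", "oss-key-456")
        oss_create = "allowed"
    except EntitlementRequired:
        oss_create = "denied"
    # Simulate the entitlement being revoked after the key was issued.
    ORG_ENTITLEMENTS["org-ee"][Entitlement.SERVICE_ACCOUNTS] = False
    try:
        authenticate_api_key(ee.accounts, "ee-key-123")
        post_revoke = "allowed"
    except EntitlementRequired:
        post_revoke = "denied"
    ORG_ENTITLEMENTS["org-ee"][Entitlement.SERVICE_ACCOUNTS] = True
    return {"oss_create": oss_create, "ee_count": len(ee.list_accounts()),
            "post_revoke": post_revoke}
```

The layering is deliberate: the router check fails the request early, the service-method decorator protects code paths that never pass through a router, and the authentication-time check means a key minted while the org was entitled stops working the moment the entitlement is removed, which is the behaviour the PR's "blocking API key auth if the organization is not entitled" bullet describes. Resolution is deny-by-default, so a tier that omits the field behaves like the OSS default rather than silently granting access.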

zeropath-ai (bot) commented Apr 30, 2026

No security or compliance issues detected. Reviewed everything up to 1b6c511.

Security Overview
Detected Code Changes
Change type: Enhancement
  • frontend/src/client/schemas.gen.ts: Add service_accounts field to EffectiveEntitlements and EntitlementsDict schemas
  • frontend/src/client/types.gen.ts: Add service_accounts field to EffectiveEntitlements and EntitlementsDict types
  • frontend/src/components/organization/org-settings-service-accounts.tsx: Implement logic to display service accounts settings based on entitlements; conditionally enable/disable service account fetching based on entitlement
  • frontend/src/components/organization/workspace-service-accounts.tsx: Implement logic to display service accounts settings based on entitlements; conditionally enable/disable service account fetching based on entitlement
  • frontend/src/components/sidebar/app-sidebar.tsx: Conditionally render service accounts link in sidebar based on entitlement
  • frontend/src/components/sidebar/organization-sidebar.tsx: Conditionally render service accounts link in organization sidebar based on entitlement
  • frontend/src/hooks/use-service-accounts.ts: Add enabled parameter to useOrganizationServiceAccounts and useOrganizationServiceAccountScopes; add enabled parameter to useWorkspaceServiceAccounts and useWorkspaceServiceAccountScopes
  • tests/integration/test_service_account_api_keys.py: Add fixture to enable service accounts entitlement for integration tests
  • tests/unit/api/test_api_service_accounts.py: Add fixture to enable service accounts entitlement for unit tests
  • tests/unit/test_auth_credentials_api_keys.py: Add fixture to enable service accounts entitlement for unit tests; test entitlement check before workspace resolution for API key authentication
  • tests/unit/test_service_accounts_audit.py: Add fixture to enable service accounts entitlement for unit tests
  • tests/unit/test_service_accounts_pagination.py: Add fixture to enable service accounts entitlement for unit tests
  • tests/unit/test_service_accounts_update.py: Add fixture to enable service accounts entitlement for unit tests
  • tracecat/auth/credentials.py: Add entitlement check for service accounts when authenticating API keys
  • tracecat/service_accounts/router.py: Add dependency to require service accounts entitlement for organization and workspace routers
  • tracecat/service_accounts/service.py: Add @requires_entitlement decorator to service account related methods
  • tracecat/tiers/defaults.py: Add service_accounts to default entitlements in OSS tier
  • tracecat/tiers/enums.py: Add SERVICE_ACCOUNTS entitlement enum
  • tracecat/tiers/schemas.py: Add service_accounts field to EffectiveEntitlements schema
  • tracecat/tiers/service.py: Add service_accounts entitlement resolution
  • tracecat/tiers/types.py: Add service_accounts field to EntitlementsDict type

Change type: Configuration changes
  • tests/unit/test_tier_defaults.py: Add service_accounts to default entitlements in tests

cubic-dev-ai (bot, Contributor) left a comment

No issues found across 13 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1614bb5020


Review threads (outdated, collapsed): tracecat/service_accounts/router.py; frontend/src/components/sidebar/app-sidebar.tsx

@daryllimyt daryllimyt changed the title Gate service accounts behind org entitlement (frontend & backend) feat(ee): Gate service accounts behind entitlement Apr 30, 2026
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 30, 2026 14:35 — with GitHub Actions Inactive
cubic-dev-ai (bot, Contributor) left a comment

No issues found across 19 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 30, 2026 14:46 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 30, 2026 14:47 — with GitHub Actions Inactive
@daryllimyt daryllimyt merged commit a599928 into main Apr 30, 2026
19 checks passed
@daryllimyt daryllimyt deleted the codex/create-entitlement-for-api-key-access branch April 30, 2026 15:17