feat(api): Add workspace-scoped route aliases #2590
Merged
daryllimyt merged 6 commits into main from May 5, 2026
✅ No security or compliance issues detected. Reviewed everything up to 2dd2ab5.
Security Overview
Detected Code Changes
The diff is too large to display a summary of code changes.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6c28dc33b0
…RouteRole and WorkspaceActorRouteRole across the codebase for improved route authorization consistency.
jordan-umusu (Collaborator) approved these changes on May 4, 2026 and left a comment:
skim lgtm, so long as the tests for the legacy version to guard against regression.
Summary
- /workspaces/{workspace_id}/... aliases for workspace-scoped public API routes while keeping the legacy flat routes registered as hidden compatibility aliases.
- Authorization: Bearer ... and keep it separate from executor bearer-token auth.
- RoleACL path.
API surface changes
Workspace-scoped public routes now expose the workspace in the path. The old flat routes still work at runtime, but they are hidden from OpenAPI so generated clients move to the canonical workspace-scoped shape.
Newly documented workspace aliases
This PR moves the public OpenAPI shape for these route prefixes under /workspaces/{workspace_id}:
The EE approval route is included in this migration: /approvals/{session_id} is now documented as /workspaces/{workspace_id}/approvals/{session_id}.
Existing workspace routes
These routes were already workspace-scoped before this PR and remain in OpenAPI as-is:
Before and after examples
| Before | After |
| --- | --- |
| GET /workflows | GET /workspaces/{workspace_id}/workflows |
| GET /cases/{case_id} | GET /workspaces/{workspace_id}/cases/{case_id} |
| POST /workflow-executions | POST /workspaces/{workspace_id}/workflow-executions |
| GET /workflow-executions/search?workspace_id=... | GET /workspaces/{workspace_id}/workflow-executions/search |
| POST /approvals/{session_id} | POST /workspaces/{workspace_id}/approvals/{session_id} |
| POST /agent/skills:upload | POST /workspaces/{workspace_id}/agent/skills:upload |
| GET /secrets | GET /workspaces/{workspace_id}/secrets |
| GET /integrations | GET /workspaces/{workspace_id}/integrations |
Workflow execution ID ergonomics
The old direct execution lookup took the full workflow execution ID as one path parameter:
For canonical execution IDs like wf_abc/exec_def, clients had to treat the slash as part of the path parameter, so generated clients and manual callers needed to URL-encode the full ID, for example:
This PR adds a workflow-scoped read route that splits the workflow ID and execution suffix into separate path parameters:
Example:
That route reconstructs the Temporal workflow execution ID as wf_abc/exec_def server-side, so clients no longer need to pass the slash-bearing full execution ID for the common read-by-workflow case. Direct execution routes still exist under the canonical workspace prefix for callers that already have the full execution ID.
Routes intentionally left flat
Some routes are not workspace-prefixed because they are callbacks, public entrypoints, organization-level APIs, platform/admin APIs, or internal APIs. Notable examples:
- /integrations/callback, /agent/channels/{channel_type}/{token}, /agent/channels/slack/oauth/callback, /webhooks/{workflow_id}/{secret}
- /organization/..., /organization/service-accounts/..., /organization/secrets/..., /organization/vcs/...
- /admin/..., /settings/..., /registry/..., /feature-flags, /health, /ready
- /rbac/..., /watchtower/monitor/...
- /internal/...
Validation
- uv run ruff check ...
- uv run ruff format --check ...
- uv run basedpyright ...
- TRACECAT__SERVICE_KEY=test-service-key TRACECAT__SIGNING_SECRET=test-signing-secret uv run pytest tests/unit/test_role_acl.py tests/unit/api
- pnpm -C frontend check
- pnpm -C frontend run typecheck
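
The slash-in-ID problem from "Workflow execution ID ergonomics", as an added example that is not code from this PR or its repository: it shows why a single slash-bearing path parameter is fragile and how split parameters can be validated before the ID is rebuilt. The route templates, the `ws_1` workspace ID and the ID alphabet are assumptions; only the `wf_abc/exec_def` shape comes from the description.

```python
import re
from typing import Optional
from urllib.parse import quote, unquote

# Hypothetical route templates, assumed for illustration (not copied from the PR).
LEGACY = "/workflow-executions/{execution_id}"
SCOPED = "/workspaces/{workspace_id}/workflows/{workflow_id}/executions/{execution_suffix}"

SEGMENT = re.compile(r"[A-Za-z0-9_-]+")  # assumed ID alphabet: no "/", "." or "%"


def match(template: str, raw_path: str) -> Optional[dict]:
    """Match segment by segment on the raw path, decoding only after the split."""
    t_parts = template.strip("/").split("/")
    p_parts = raw_path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return None
    params = {}
    for t, p in zip(t_parts, p_parts):
        if t.startswith("{") and t.endswith("}"):
            params[t[1:-1]] = unquote(p)
        elif t != p:
            return None
    return params


def legacy_path(execution_id: str) -> str:
    # The slash inside the ID must travel as %2F or it becomes a path separator.
    return "/workflow-executions/" + quote(execution_id, safe="")


def scoped_path(workspace_id: str, workflow_id: str, suffix: str) -> str:
    parts = [quote(p, safe="") for p in (workspace_id, workflow_id, suffix)]
    return "/workspaces/{}/workflows/{}/executions/{}".format(*parts)


def rebuild_execution_id(workflow_id: str, suffix: str) -> str:
    """Server side: validate each half, then join with the canonical slash."""
    for value in (workflow_id, suffix):
        if not SEGMENT.fullmatch(value):
            raise ValueError(f"invalid ID segment: {value!r}")
    return f"{workflow_id}/{suffix}"
```

If an intermediary decodes `%2F` before routing, the legacy template sees an extra segment and no longer matches, while the split route carries no encoded separators and rejects any that a caller smuggles into one half.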