Copilot Review Comments
PR #8185 (🔒 fix: route RBAC introspection through kc-agent (#7993 Phase 6)) was merged with 3 Copilot review comment(s) that should be addressed in a follow-up:
- pkg/agent/server_rbac.go:55:
handleCanIHTTP is a POST endpoint but it only calls setCORSHeaders(), which sets Access-Control-Allow-Methods to "GET, OPTIONS" by default (pkg/agent/server_http.go). Browser preflight request...
- web/src/hooks/useUsers.ts:706:
useClusterPermissions has an agentAuthHeaders() helper (with a comment explaining why the Authorization header should be omitted when no token is configured), but this new fetch path re-implements...
- pkg/agent/server_rbac.go:9:
The file header comment says the old behavior was a “privilege-escalation vector”, but the PR description explicitly states the impact was cosmetic/UX (no privilege escalation because mutations alread...
PR: #8185
Auto-generated by copilot-comment-followup workflow