Skip to content

feat(core): support actor agent propagation#17487

Merged
abhiaiyer91 merged 1 commit into
mainfrom
graysonhicks/fga-system-actor-agent-propagation
Jun 11, 2026
Merged

feat(core): support actor agent propagation#17487
abhiaiyer91 merged 1 commit into
mainfrom
graysonhicks/fga-system-actor-agent-propagation

Conversation

@graysonhicks

@graysonhicks graysonhicks commented Jun 2, 2026

Copy link
Copy Markdown
Member

Stack

This is 3 of 3 for #17216.

What changed

Stacked on #17484.

This PR plumbs the explicit actor FGA signal through agent invocations and the agentic loop so trusted background work can execute without manufacturing a human membership.

  • Adds actor to agent generate/stream option surfaces and loop options.
  • Propagates the signal through the internal agent workflow, LLM loop, agentic workflow start/resume, tool-call execution options, sub-agent tools, workflow tools, and default workflow execution/re-entry paths.
  • Keeps the signal out of shared RequestContext state while still requiring organizationId for the FGA bypass from PR scaffold cli #1.
  • Adds focused regressions for agent FGA and agentic tool-call FGA trusted actors.
  • Documents the WorkOS trusted background-job usage alongside service-token/JWT claim guidance.

Validation

  • git diff --check
  • pnpm --filter ./packages/core exec vitest run src/agent/__tests__/agent-fga.test.ts src/loop/workflows/agentic-execution/tool-call-step.test.ts src/workflows/workflow.test.ts
  • pnpm --filter ./packages/core check
  • pnpm build:core

ELI5

This PR adds support for "trusted actor" propagation throughout the agent and workflow execution system. Imagine you have a scheduled background job that needs to run without a human user logging in—this PR gives that job a special "actor" credential that lets it execute safely while still respecting security checks, rather than needing to create a fake human membership just to get permission to run.

Summary

This PR implements actor signal propagation for agent and workflow execution, enabling trusted background jobs (like scheduled WorkOS cron jobs or system-triggered workflows) to execute with FGA authorization checks without requiring a human JWT or membership.

Key Changes

Type Signature Updates Across Execution Layers:

  • Added optional actor?: ActorSignal field to agent execution option surfaces (AgentGenerateOptions, AgentStreamOptions, AgentExecutionOptionsBase)
  • Extended loop options (LoopOptions) and model stream args to include the actor signal
  • Updated all workflow execution paths (WorkflowRunStartOptions, DefaultExecutionEngine.execute, execution handlers) to accept and propagate actor

Signal Propagation Through Execution Paths:

  • Agent generate(), stream(), resumeStream(), and resumeGenerate() now extract actor from options, pass it to FGA checks, and remove it from inner loop options to prevent duplication
  • Sub-agent tool execution and workflow tool execution extract invocation actor from context and forward it into called agent/workflow methods
  • Agentic workflow loop (tool-call-step.ts) receives actor from execution context and forwards it into tool options
  • All workflow execution handlers (control flow, entry, step) thread actor through to the execution engine

Authorization Enforcement:

  • #requireAgentExecutionFGA() now accepts an optional actor parameter and forwards it to the requireFGA call
  • Tool-call execution FGA checks now use checkFGA with both requestContext and actor context instead of local error construction

Documentation & Testing:

  • Updated WorkOS README with guidance on using actor for trusted background jobs, emphasizing that organizationId must be present in request context for FGA bypass
  • Added focused regression test for agent FGA with tenant-scoped system actors (agent-fga.test.ts)
  • Added tool-call step FGA test verifying that membership resolution is bypassed for trusted actors while tool execution proceeds normally

Design Notes

The actor signal is kept separate from shared RequestContext state while still requiring organizationId for the FGA bypass. This maintains clear separation between user-context and trusted-service-context while ensuring multi-tenant isolation.

@changeset-bot

changeset-bot Bot commented Jun 2, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 435e240

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages
Name Type
@mastra/core Minor
@mastra/auth-workos Patch
mastracode Patch
@mastra/mcp-docs-server Patch
@internal/playground Patch
@mastra/client-js Patch
@mastra/opencode Patch
@mastra/longmemeval Patch
mastra Patch
@mastra/deployer-cloud Minor
@mastra/react Patch
@mastra/playground-ui Patch
@mastra/server Minor
@mastra/deployer Minor
create-mastra Patch
@mastra/express Patch
@mastra/fastify Patch
@mastra/hono Patch
@mastra/koa Patch
@mastra/nestjs Patch
@mastra/temporal Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel

vercel Bot commented Jun 2, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mastra-docs-1.x Ready Ready Preview, Comment Jun 11, 2026 7:12pm
mastra-playground-ui Ready Ready Preview, Comment Jun 11, 2026 7:12pm

Request Review

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

This PR adds support for trusted background actors in agent and workflow execution by threading an optional actor signal (an ActorSignal object) through the execution stack. The change enables tenant-scoped system actors to bypass FGA membership checks while maintaining authorization via FGA context, supporting background workflows like cron jobs that lack JWT or human membership credentials.

Changes

Trusted Actor Signal Threading

Layer / File(s) Summary
Type definitions and actor signal imports
packages/core/src/agent/types.ts, packages/core/src/agent/agent.types.ts, packages/core/src/loop/types.ts, packages/core/src/workflows/types.ts, packages/core/src/workflows/step.ts, packages/core/src/workflows/execution-engine.ts, packages/core/src/workflows/default.ts
ActorSignal type is imported and new optional actor fields are added to AgentGenerateOptions, AgentStreamOptions, AgentExecutionOptionsBase, LoopOptions, WorkflowRunStartOptions, ExecuteFunctionParams, and execution engine interfaces.
Agent execution with actor signal threading
packages/core/src/agent/agent.ts, packages/core/src/llm/model/model.loop.ts, packages/core/src/agent/workflows/prepare-stream/map-results-step.ts
A new getInvocationActor() helper extracts actor from tool/workflow context. Agent methods generate, stream, resumeStream, and resumeGenerate extract actor from options, remove it from inner loop options, pass it to FGA checks, and include it in outer execution calls. Sub-agent tool delegation and workflow tool execution forward invocationActor into sub-agent/workflow calls. Model loop stream and prepare-stream map-results step wire actor through to execution context.
Tool execution FGA authorization with actor signal
packages/core/src/loop/workflows/agentic-execution/tool-call-step.ts
Tool-call-step now extracts actor from OuterLLMRun and forwards it into toolOptions. FGA authorization changes to dynamically import only checkFGA (instead of requireFGA), removes the local FGADeniedError path for missing user, and calls checkFGA with requestContext and actor to enable trusted actor bypass.
Agent FGA test with trusted actor
packages/core/src/agent/__tests__/agent-fga.test.ts
New test starts a Mastra instance with an in-memory PubSub and FGA provider, runs agent.generate with a tenant-scoped system actor, asserts that fgaProvider.require is not called (FGA membership bypass), and verifies model generation is invoked once.
Tool call FGA test with trusted actor
packages/core/src/loop/workflows/agentic-execution/tool-call-step.test.ts
New test validates that tool execution with a trusted system actor bypasses FGA require checks while still executing the tool with forwarded actor metadata and returning expected result fields.
Workflow execution engine with actor signal
packages/core/src/workflows/execution-engine.ts, packages/core/src/workflows/default.ts
Execution engine abstract interface and default implementation accept optional actor in execute and executeWorkflowStep methods and forward it through engine execution paths.
Workflow Run methods and helpers with actor signal
packages/core/src/workflows/workflow.ts
All public Run methods (stream, streamLegacy, resume, resumeStream, restart, timeTravel, timeTravelStream) and internal helpers (_start, _resume, _restart, _timeTravel) accept optional actor parameter and pass it through to executionEngine.execute calls.
Workflow control flow handlers with actor signal
packages/core/src/workflows/handlers/control-flow.ts, packages/core/src/workflows/handlers/entry.ts, packages/core/src/workflows/handlers/step.ts
Actor parameter is threaded through parallel, conditional, loop, foreach, entry, and step execution handlers. Actor is destructured from params, forwarded into all engine.executeStep calls, and injected into createDeprecationProxy context for condition/loop-condition evaluation.
Workflow loop stream with actor signal
packages/core/src/loop/workflows/stream.ts
Workflow loop stream now passes actor: rest.actor into both agenticLoopWorkflow run.resume and run.start calls alongside requestContext and toolCallId label.
Documentation and release notes
.changeset/funny-insects-love.md, .changeset/soft-rocks-smash.md, auth/workos/README.md
Changesets document minor version bump for core and patch bump for WorkOS auth. Documentation explains that trusted background workflows should provide the actor option on specific invocations and ensure request context includes organizationId; otherwise FGA checks for trusted actors are denied.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

  • #17216: This PR implements the proposal to support trusted system-actor FGA membership bypass, enabling background workflows without JWT or human membership to execute agent/workflow operations with FGA tenant scope validation.

Possibly related PRs

  • mastra-ai/mastra#17483: This PR introduces core requireFGA/checkFGA support for trusted system-actor bypass, which this PR depends on to implement the actor signal propagation through agent/workflow/tool FGA checks.
  • mastra-ai/mastra#17484: Both PRs thread an optional trusted actor signal through agent/workflow execution paths for FGA authorization, with overlapping changes in workflow run start and tool execution FGA call sites.
  • mastra-ai/mastra#17230: This PR builds on resumeAsync API by threading the new trusted actor signal through its execution and FGA check paths.

Suggested reviewers

  • abhiaiyer91
  • rphansen91
  • CalebBarnes
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(core): support actor agent propagation' clearly and concisely summarizes the main change: adding support for propagating an actor signal through agent execution paths for trusted background work.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch graysonhicks/fga-system-actor-agent-propagation

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install timed out. The project may have too many dependencies for the sandbox.


Comment @coderabbitai help to get the list of available commands and usage tips.

@dane-ai-mastra

dane-ai-mastra Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

PR triage

Linked issue check skipped for core contributor @graysonhicks.


PR complexity score

Factor Value Score impact
Files changed 21 +42
Lines changed 300 +18
Author merged PRs 167 -20
Test files changed Yes -10
Final score 30

Applied label: complexity: medium


Changed test gate

Changed tests failed against the base branch as expected.

Label: tests: green ✅

@dane-ai-mastra dane-ai-mastra Bot added the tests: green ✅ Changed tests failed against base as expected label Jun 3, 2026
@graysonhicks graysonhicks force-pushed the graysonhicks/fga-system-actor-direct-call-sites branch from d8df49a to a3fb5f7 Compare June 3, 2026 17:09
@graysonhicks graysonhicks force-pushed the graysonhicks/fga-system-actor-agent-propagation branch from 0fcfdb0 to 479037d Compare June 3, 2026 17:09
graysonhicks added a commit that referenced this pull request Jun 9, 2026
## Stack

This is **1 of 3** for #17216.

- **1 of 3:** #17483 - core FGA signal (this PR)
- **2 of 3:** #17484 - direct FGA call-site propagation
- **3 of 3:** #17487 - agent propagation and WorkOS guidance

## What changed

This adds the core FGA primitive for trusted server-side system actors.
`requireFGA` and `checkFGA` now accept an explicit `systemActor` option,
require an `organizationId` in the request context before bypassing
provider membership resolution, and emit FGA telemetry with `actor_kind:
"system"` plus null user and membership IDs.

This PR intentionally stays limited to the core primitive. The follow-up
PRs in this stack plumb it through direct invocation boundaries and
agent/background paths.

## Validation

- `pnpm --filter ./packages/core exec vitest run
src/auth/ee/__tests__/fga-check.test.ts
src/auth/ee/__tests__/ee-telemetry.test.ts`
- `git diff --check`
- `pnpm build:core`
- `coderabbit review --plain --type uncommitted --base origin/main --dir
packages/core/src/auth/ee`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## ELI5

This PR lets trusted server-side processes (system actors) perform
authorization checks without going through normal user membership
lookup, but only when an organization ID is present so it can't be
misused; it also logs these special accesses for auditing.

## Overview

First of three PRs implementing core Fine-Grained Authorization (FGA)
support for system actors. Adds a minimal, explicit signal for trusted
server-side checks so core FGA primitives can bypass provider membership
resolution safely and emit appropriate telemetry. Follow-ups will
propagate this signal across call boundaries and agents/background jobs.

## Key Changes

- New exported type: SystemActorSignal
- export type SystemActorSignal = true | { actorKind: 'system';
sourceWorkflow?: string }

- FGA function updates
  - checkFGA and requireFGA accept an optional systemActor option.
  - When a valid systemActor is provided:
- requireFGA/checkFGA derive the requestContext (must include
organizationId) and will throw if organizationId/tenant scope is
missing.
- Provider membership resolution is bypassed (no provider.require call).
- Enterprise telemetry is emitted with actor_kind: "system", and user_id
and organization_membership_id set to null.
- sourceWorkflow is taken from systemActor.sourceWorkflow if present,
otherwise from requestContext.metadata.sourceWorkflow.

- Non-system behavior
- Telemetry for non-system checks is tagged actor_kind: "user" and
normalizes absent user or membership IDs to null.
- Malformed or user-controlled systemActor values do not trigger the
trusted bypass and follow the normal provider path.

- Type/API adjustments
- requestContext was moved from RequireFGAOptions into CheckFGAOptions.
  - CheckFGAOptions gains systemActor?: SystemActorSignal.
  - RequireFGAOptions now inherits requestContext via CheckFGAOptions.
  - index.ts re-exports SystemActorSignal.

## Tests & Validation

- Added and updated tests in packages/core/src/auth/ee/__tests__:
- fga-check.test.ts: covers tenant-scoped workflow system actor bypass,
missing organizationId rejection, malformed/system-like-but-not-trusted
values, and ensuring user-supplied values are not trusted signals.
- ee-telemetry.test.ts: validates emitted ee_feature_used telemetry for
system actors (actor_kind: "system", null user/membership IDs, correct
source_workflow resolution).
- Changeset added and standard validation steps included (build, vitest
subset, git diff/check, coderabbit review).

## Scope & Next Steps

Scope limited to the core FGA primitive. Follow-up PRs will:
- Propagate the system actor signal at direct FGA call sites (`#17484`)
- Support agent/background propagation and WorkOS guidance (`#17487`)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@graysonhicks graysonhicks force-pushed the graysonhicks/fga-system-actor-agent-propagation branch from 479037d to dae00e8 Compare June 9, 2026 18:38
@graysonhicks graysonhicks force-pushed the graysonhicks/fga-system-actor-agent-propagation branch from dae00e8 to fd560df Compare June 9, 2026 19:21
@graysonhicks graysonhicks force-pushed the graysonhicks/fga-system-actor-agent-propagation branch from fd560df to 8df132c Compare June 11, 2026 15:06
@graysonhicks graysonhicks changed the title feat(core): support system actor agent propagation feat(core): support actor agent propagation Jun 11, 2026
graysonhicks added a commit that referenced this pull request Jun 11, 2026
## Stack

This is **2 of 3** for #17216.

- **1 of 3:** #17483 - core FGA actor signal
- **2 of 3:** #17484 - direct FGA call-site propagation (this PR)
- **3 of 3:** #17487 - agent propagation and WorkOS guidance

## What changed

Stacked on #17483.

This plumbs the core `actor` FGA signal into direct server-side
invocation boundaries:

- internal `Workflow.execute` FGA checks
- direct tool execution through `CoreToolBuilder`
- memory thread checks through `MastraMemory.checkThreadFGA`

This intentionally leaves agent public options, agentic loop tool-call
propagation, and workflow engine run/start propagation to #17487.

## Validation

- `git diff --check`
- `pnpm --filter ./packages/core exec vitest run
src/auth/ee/__tests__/fga-check.test.ts
src/auth/ee/__tests__/ee-telemetry.test.ts
src/workflows/workflow.test.ts src/tools/tool-builder/builder.test.ts
src/memory/memory-config.test.ts`
- `pnpm --filter ./packages/core check`
- `pnpm build:core`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## ELI5

This PR lets trusted internal "system" processes pass a short "actor"
signal so workflows, tools, and memory checks can skip tenant membership
resolution and run directly when appropriate.

## Overview

Second of three PRs for issue `#17216`. It plumbs a trusted server-side
actor signal into direct server-side invocation boundaries in core so
tenant-scoped system actors can bypass nested FGA membership resolution
for internal calls. Applies to:
1. Internal workflow execution (Workflow.execute)
2. Direct tool execution via CoreToolBuilder
3. Memory thread authorization checks (MastraMemory.checkThreadFGA)

Agent-facing propagation and agentic loop/tool-call propagation are
deferred to `#17487`.

## Changes Made

### Core FGA signal
- Replaces the previous system-specific signal with a unified
ActorSignal and supports passing an actor signal (actor: ActorSignal)
into FGA checks and telemetry.

### Type updates
- Added optional actor?: ActorSignal to:
  - MastraToolInvocationOptions (packages/core/src/tools/types.ts)
  - ToolExecutionContext (packages/core/src/tools/types.ts)
- Exported ActorSignal from packages/core/src/auth/ee and updated
re-exports.

### Workflow execution
- Workflow.execute(...) now accepts an optional actor?: ActorSignal
parameter and forwards it into requireFGA(...) so internal workflow
invocation can use the trusted actor signal.
- Added a test ensuring tenant-scoped system/trusted actors bypass
membership resolution during direct workflow execution
(packages/core/src/workflows/workflow.test.ts).

### Tool execution
- CoreToolBuilder forwards execOptions.actor into the base tool
execution context for non-Vercel (Mastra) tools.
- FGA enforcement for tool execution includes actor: execOptions?.actor
in the requireFGA payload.
- Added a test verifying trusted-actor tool invocations bypass
tenant-scoped FGA resolution while still executing and forwarding actor
through tool execution context
(packages/core/src/tools/tool-builder/builder.test.ts).

### Memory thread checks
- MastraMemory.checkThreadFGA(options) now accepts actor?: ActorSignal
and includes it in the requireFGA payload.
- Added a test confirming thread membership resolution is bypassed for
tenant-scoped trusted actors
(packages/core/src/memory/memory-config.test.ts).

### FGA check behavior & telemetry
- requireFGA and related types now use actor?: ActorSignal and
isActorSignal. When the actor signal indicates a trusted/system actor,
requireFGA enforces the presence of requestContext.organizationId, emits
enterprise telemetry with actor_kind: 'system', and skips calling
fgaProvider.require. Non-actor requests behave as before (user auth
required and provider.require called), with user telemetry emitted.

### Tests & Validation
- New/updated unit tests across workflows, tools, memory, and EE
telemetry to cover trusted-actor bypass scenarios and ensure telemetry
and FGA provider calls behave as expected.
- Changesets updated to document the new minor release for
`@mastra/core` and show examples passing an actor to workflow.execute,
tool.execute, and MastraMemory.checkThreadFGA.

## API/Signature changes

- Public API surface updates:
- Workflow.execute(...) now accepts actor?: ActorSignal in its options.
- MastraMemory.checkThreadFGA(...) options now accept actor?:
ActorSignal.
- MastraToolInvocationOptions and ToolExecutionContext types now include
optional actor?: ActorSignal.
- ActorSignal type exported from packages/core/src/auth/ee (replaces the
prior system-specific type).

## Scope notes

- This PR only handles direct server-side invocation boundaries; agent
public options, agentic loop propagation, and engine run/start
propagation are handled in follow-up PR `#17487`.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Base automatically changed from graysonhicks/fga-system-actor-direct-call-sites to main June 11, 2026 19:01
@dane-ai-mastra dane-ai-mastra Bot added complexity: critical Critical-complexity PR and removed complexity: medium Medium-complexity PR labels Jun 11, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/core/src/workflows/handlers/entry.ts (1)

333-352: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Forward actor in the standard parallel dispatch path.

At Line 333, engine.executeParallel(...) is invoked without actor, while other branches pass it. This drops trusted-actor context for normal parallel blocks and can cause unexpected FGA denials inside parallel step execution.

Proposed fix
   } else if (entry.type === 'parallel') {
     execResults = await engine.executeParallel({
       workflowId,
       runId,
       resourceId,
       entry,
       prevStep,
       stepResults,
       serializedStepGraph,
       timeTravel,
       restart,
       resume,
       executionContext,
       ...observabilityContext,
       pubsub,
       abortController,
       requestContext,
+      actor,
       outputWriter,
       disableScorers,
       perStep,
     });
   } else if (resume?.resumePath?.length && entry.type === 'conditional') {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/src/workflows/handlers/entry.ts` around lines 333 - 352,
engine.executeParallel is being called without forwarding the actor, dropping
trusted-actor context for normal parallel execution; update the executeParallel
invocation in the entry handler to include the actor property (i.e., add actor,
like other branches that call engine.executeParallel) so the trusted actor is
passed through to the parallel executor (ensure the local variable actor is in
scope and forwarded in the arg object alongside workflowId, runId, resourceId,
etc.).
🧹 Nitpick comments (2)
packages/core/src/loop/types.ts (1)

158-159: ⚡ Quick win

Consider expanding the documentation for the actor field.

Same as the comment in agent.types.ts — the inline comment could better explain the use case (trusted background jobs, service tokens) to help developers understand when this parameter is appropriate.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/src/loop/types.ts` around lines 158 - 159, Update the inline
doc comment for the actor?: ActorSignal field to explain it's a trusted
server-side signal used for FGA/authorization checks (e.g., background jobs,
service tokens, system-level operations), clarify that it should only be set by
server-side code (not from user input), and mention any security considerations
such as verifying/issuing tokens and least-privilege usage; mirror the
explanatory style used for the actor comment in agent.types.ts to make intended
usage clear.
packages/core/src/agent/agent.types.ts (1)

477-478: ⚡ Quick win

Consider expanding the documentation for the actor field.

The inline comment is minimal for a public API parameter. Developers would benefit from understanding when to use this field (e.g., trusted background jobs, cron workflows without JWT/human membership).

Consider adding a JSDoc comment that explains the use case and links to relevant documentation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/src/agent/agent.types.ts` around lines 477 - 478, Expand the
documentation for the actor field by replacing the terse inline comment on the
actor?: ActorSignal property with a JSDoc block that explains it is a trusted
server-side signal used for FGA/authorization checks (e.g., background jobs,
cron workflows, or other server-only callers that lack a user JWT or human
membership), outlines when to supply ActorSignal vs. relying on user tokens, and
includes a reference/link to the relevant docs or FGA policy page; update the
comment above the actor property (actor?: ActorSignal) so callers clearly
understand its intended use, security implications, and examples of appropriate
scenarios.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/core/src/workflows/handlers/entry.ts`:
- Around line 333-352: engine.executeParallel is being called without forwarding
the actor, dropping trusted-actor context for normal parallel execution; update
the executeParallel invocation in the entry handler to include the actor
property (i.e., add actor, like other branches that call engine.executeParallel)
so the trusted actor is passed through to the parallel executor (ensure the
local variable actor is in scope and forwarded in the arg object alongside
workflowId, runId, resourceId, etc.).

---

Nitpick comments:
In `@packages/core/src/agent/agent.types.ts`:
- Around line 477-478: Expand the documentation for the actor field by replacing
the terse inline comment on the actor?: ActorSignal property with a JSDoc block
that explains it is a trusted server-side signal used for FGA/authorization
checks (e.g., background jobs, cron workflows, or other server-only callers that
lack a user JWT or human membership), outlines when to supply ActorSignal vs.
relying on user tokens, and includes a reference/link to the relevant docs or
FGA policy page; update the comment above the actor property (actor?:
ActorSignal) so callers clearly understand its intended use, security
implications, and examples of appropriate scenarios.

In `@packages/core/src/loop/types.ts`:
- Around line 158-159: Update the inline doc comment for the actor?: ActorSignal
field to explain it's a trusted server-side signal used for FGA/authorization
checks (e.g., background jobs, service tokens, system-level operations), clarify
that it should only be set by server-side code (not from user input), and
mention any security considerations such as verifying/issuing tokens and
least-privilege usage; mirror the explanatory style used for the actor comment
in agent.types.ts to make intended usage clear.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ab1bc5dc-063f-4a46-aa88-00fe665295ae

📥 Commits

Reviewing files that changed from the base of the PR and between 306909a and 435e240.

📒 Files selected for processing (21)
  • .changeset/funny-insects-love.md
  • .changeset/soft-rocks-smash.md
  • auth/workos/README.md
  • packages/core/src/agent/__tests__/agent-fga.test.ts
  • packages/core/src/agent/agent.ts
  • packages/core/src/agent/agent.types.ts
  • packages/core/src/agent/types.ts
  • packages/core/src/agent/workflows/prepare-stream/map-results-step.ts
  • packages/core/src/llm/model/model.loop.ts
  • packages/core/src/loop/types.ts
  • packages/core/src/loop/workflows/agentic-execution/tool-call-step.test.ts
  • packages/core/src/loop/workflows/agentic-execution/tool-call-step.ts
  • packages/core/src/loop/workflows/stream.ts
  • packages/core/src/workflows/default.ts
  • packages/core/src/workflows/execution-engine.ts
  • packages/core/src/workflows/handlers/control-flow.ts
  • packages/core/src/workflows/handlers/entry.ts
  • packages/core/src/workflows/handlers/step.ts
  • packages/core/src/workflows/step.ts
  • packages/core/src/workflows/types.ts
  • packages/core/src/workflows/workflow.ts

@abhiaiyer91 abhiaiyer91 merged commit bf8eb6d into main Jun 11, 2026
99 checks passed
@abhiaiyer91 abhiaiyer91 deleted the graysonhicks/fga-system-actor-agent-propagation branch June 11, 2026 23:26
tiffanybalc added a commit to tiffanybalc/mastra that referenced this pull request Jun 30, 2026
The @mastra/inngest execution engine now accepts a trusted `actor`
(ActorSignal) on its run/start path and re-threads it across durable
step and nested-workflow boundaries, so trusted background workflows on
the Inngest engine get the same FGA membership bypass the default engine
already has.

- run.ts: accept `actor` on start/startAsync/resume/resumeAsync/stream/
  streamLegacy/timeTravel and include it in each Inngest event payload.
- workflow.ts: read `actor` from event.data in the function handler and
  pass it to engine.execute().
- execution-engine.ts: forward `actor` into every nested
  inngestStep.invoke() so nested workflows re-thread it across the
  serialization boundary.

Mirrors core PR mastra-ai#17487 (default engine) for the durable runtime.
Refs mastra-ai#17216, mastra-ai#17487.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tiffanybalc added a commit to tiffanybalc/mastra that referenced this pull request Jun 30, 2026
The @mastra/inngest execution engine now accepts a trusted `actor`
(ActorSignal) on its run/start path and re-threads it across durable
step and nested-workflow boundaries, so trusted background workflows on
the Inngest engine get the same FGA membership bypass the default engine
already has.

- run.ts: accept `actor` on start/startAsync/resume/resumeAsync/stream/
  streamLegacy/timeTravel and include it in each Inngest event payload.
- workflow.ts: read `actor` from event.data in the function handler and
  pass it to engine.execute().
- execution-engine.ts: forward `actor` into every nested
  inngestStep.invoke() so nested workflows re-thread it across the
  serialization boundary.

Mirrors core PR mastra-ai#17487 (default engine) for the durable runtime.
Refs mastra-ai#17216, mastra-ai#17487.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

complexity: medium Medium-complexity PR tests: green ✅ Changed tests failed against base as expected

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants