Adds a Hermes/Apollo public link-token-scoped endpoint for saving initial Enhanced Control permissions:
POST /api/v3/internal/connected_accounts/link/{token}/permissions
permission_config_version and risk-group choices
readOnlyHint, destructiveHint) instead of copying the dashboard permissions manifest into Hermes
Also updates the consumer permission resolver so that no-row connected accounts only get the legacy account-wide always_allow override when the resolved default is legacy allow_all. Prompting defaults now fail closed when initial Enhanced Control rows were not saved.
This does not open or reuse internal-dashboard; the dashboard WorkOS/internal-dashboard flow stays dashboard-authenticated only. The public route is scoped to the existing link token capability, and the token holder cannot submit raw permission rows, tool slugs, toolkit slugs, source, risk group, or stored DB state directly.
Two subagent reviews were run before this PR. Security feedback found a fail-open bypass if the endpoint was skipped; this PR fixes that by preventing no-row accounts from resolving to always_allow under prompting defaults. Implementation feedback asked for route-owned OpenAPI schemas and field descriptions; this PR moved the schemas into the route.
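The fail-open bypass and its fix, modelled as an added example in TypeScript (not Hermes/Apollo code): the three-valued decision, the "allow_all"/"prompt" default names, the row shape and the tool slug "gmail.send" are all assumptions made for illustration.

```typescript
// Added example; models the resolver change described above, not the real Hermes code.
type DefaultMode = "allow_all" | "prompt";        // assumed names for the resolved default
type Decision = "always_allow" | "allow" | "prompt"; // assumed three-valued outcome

interface EnhancedControlRow { toolSlug: string; decision: Decision; }

interface ConnectedAccount {
  rows: EnhancedControlRow[];   // saved initial Enhanced Control rows (empty = endpoint skipped)
  legacyAlwaysAllow: boolean;   // legacy account-wide always_allow override
}

function rowFor(account: ConnectedAccount, toolSlug: string): EnhancedControlRow | undefined {
  return account.rows.find((r) => r.toolSlug === toolSlug);
}

// Pre-fix behaviour: with no rows, the legacy override wins regardless of the resolved
// default, so an account that skipped the permissions endpoint silently fails open.
function resolveBefore(account: ConnectedAccount, resolvedDefault: DefaultMode, toolSlug: string): Decision {
  const row = rowFor(account, toolSlug);
  if (row) return row.decision;
  if (account.legacyAlwaysAllow) return "always_allow";
  return resolvedDefault === "allow_all" ? "allow" : "prompt";
}

// Post-fix behaviour: the legacy override is honoured only when the resolved default is
// already legacy allow_all; a prompting default with no saved rows stays "prompt".
function resolveAfter(account: ConnectedAccount, resolvedDefault: DefaultMode, toolSlug: string): Decision {
  const row = rowFor(account, toolSlug);
  if (row) return row.decision;
  if (resolvedDefault === "allow_all") {
    return account.legacyAlwaysAllow ? "always_allow" : "allow";
  }
  return "prompt"; // fail closed: no rows + prompting default never becomes always_allow
}

// Constructed sample accounts used to exercise both versions of the resolver.
const skippedEndpoint: ConnectedAccount = { rows: [], legacyAlwaysAllow: true };
const savedRows: ConnectedAccount = {
  rows: [{ toolSlug: "gmail.send", decision: "prompt" }],
  legacyAlwaysAllow: true,
};

// True when the old resolver granted more than the new one for the same inputs.
function wasFailOpen(account: ConnectedAccount, resolvedDefault: DefaultMode, toolSlug: string): boolean {
  return resolveBefore(account, resolvedDefault, toolSlug) === "always_allow"
    && resolveAfter(account, resolvedDefault, toolSlug) !== "always_allow";
}
```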
Update the dashboard public enhanced link permissions route to call:
POST /api/v3/internal/connected_accounts/link/{token}/permissions
The dashboard should pass only permission_config_version plus groups. This PR intentionally keeps changes Hermes-only per scope.
git diff --check passed
oxlint on changed Apollo files passed
pnpm lint is currently blocked by pre-existing repo-wide lint failures unrelated to this diff
localhost:5432 with dummy env