[0.5.0] Enterprise Access Control — release tracking

[erichare]

AI Workbench 0.5.0 — Enterprise Access Control

Tracking issue for the 0.5.0 release. Turns the access-control story from prototype + coarse roles into enforced, fine-grained, audited — safe for on-prem/self-hosted enterprises to run multi-team retrieval workloads where "who can see what" actually holds at the data plane.

Milestone: 0.5.0 — Enterprise Access Control · ~1 quarter · open to larger rework · full quality bar (cross-runtime conformance · 80%+ coverage on new code · Playwright E2E · docs + what's-new + migration notes).

Key finding: two of three must-haves are partially built — the policy engine + REST enforcement exist (gaps: chunk tagging, agent retrieval, admin UI); client-side MCP tool-calling shipped in 0.4.0 (remaining: hardening + scoping). The release is correctness + integration + one new scope axis, not greenfield.

Feature ① — RLAC enforcement (flagship) epic:rlac

• [0.5.0][RLAC P0] Data-plane truth: stamp chunk visibility + shared filter interpreter #290 — P0 Data-plane truth: stamp chunk visibility + shared filter interpreter (foundational)
• [0.5.0][RLAC P1] Close read holes: enforce chunk listing + re-tag chunks on visibility change #291 — P1 Close read holes: chunk listing + re-tag on visibility change
• [0.5.0][RLAC P2] Agent RAG enforcement (flagship): apply RLAC to agent retrieval #292 — P2 Agent RAG enforcement (the flagship hole)
• [0.5.0][RLAC P3] Backfill + migration: re-tag existing chunks + rlacChunkSchemaVersion gate #293 — P3 Backfill + migration + rlacChunkSchemaVersion gate
• [0.5.0][RLAC P4] Admin UI: principals, policy audit, view-as, visibility picker, access explorer #294 — P4 Admin UI (principals, policy audit, view-as, visibility picker, access explorer)
• [0.5.0][RLAC P5] Conformance fixtures + docs rewrite #295 — P5 Conformance fixtures + docs rewrite

Feature ② — Fine-grained auth scopes epic:auth-scopes

• [0.5.0][AUTH P0] Scope taxonomy + containment primitive (additive, no behavior change) #296 — P0 Scope taxonomy + containment primitive (additive, no behavior change)
• [0.5.0][AUTH P1] Route to fine-scope mapping + legacy-key regression sweep #297 — P1 Route→fine-scope mapping + legacy-key regression sweep
• [0.5.0][AUTH P2] MCP per-tool fine scopes #298 — P2 MCP per-tool fine scopes
• [0.5.0][AUTH P3] API + conformance fixtures for fine scopes #299 — P3 API + conformance fixtures
• [0.5.0][AUTH P4] Audit: structured requiredScope on denials #300 — P4 Audit: structured requiredScope on denials
• [0.5.0][AUTH P5] UI: API-key scope picker (presets + custom tree) #301 — P5 UI: API-key scope picker (presets + custom tree)
• [0.5.0][AUTH P6] CLI: aiw key create/list/revoke #302 — P6 CLI: aiw key create/list/revoke
• [0.5.0][AUTH P7] Docs + migration notes for scopes #303 — P7 Docs + migration notes

Feature ③ — Agent MCP tool-calling epic:mcp-tools

• [0.5.0][MCP P0] Correct the stale roadmap line #304 — P0 Correct the stale roadmap line
• [0.5.0][MCP P1] Save-time toolId validation (reject unresolved namespaced ids) #305 — P1 Save-time toolId validation
• [0.5.0][MCP P2] Discovery TTL cache (defer the persisted table) #306 — P2 Discovery TTL cache (defer the persisted table)
• [0.5.0][MCP P3] tools:invoke scope gating + audit mcpServerId/source #307 — P3 tools:invoke scope gating + audit mcpServerId/source
• [0.5.0][MCP P4] UI: server-grouped tool picker + schema display + dangling warning #308 — P4 UI: server-grouped picker + schema display + dangling warning
• [0.5.0][MCP P5] Conformance fixtures for MCP registry + catalog #309 — P5 Conformance fixtures for MCP registry + catalog
• [0.5.0][MCP P6] Full-loop integration + E2E hardening #310 — P6 Full-loop integration + E2E hardening

Release

• [0.5.0][Release] Final gate: conformance + E2E green, migration notes, CHANGELOG, version bump #311 — Final gate: conformance + E2E green, migration notes, CHANGELOG, version bump

Stretch (pull in if the quarter allows, in order) stretch

• [0.5.0][Stretch] OIDC claim to role/principal mapping #312 — OIDC claim → role/principal mapping (highest leverage for the flagship)
• [0.5.0][Stretch] RLAC expansion: conversations/agents + group/time predicates #313 — RLAC expansion: conversations/agents + group/time predicates
• [0.5.0][Stretch] Pluggable secrets backends (Vault / AWS Secrets Manager) #314 — Pluggable secrets backends (Vault / AWS Secrets Manager)
• [0.5.0][Stretch] Audit export hooks (webhook/file sink) #315 — Audit export hooks (webhook/file sink)

Suggested sequencing

• Milestone A (wk 1-4): [0.5.0][RLAC P0] Data-plane truth: stamp chunk visibility + shared filter interpreter #290 [0.5.0][RLAC P1] Close read holes: enforce chunk listing + re-tag chunks on visibility change #291 [0.5.0][RLAC P2] Agent RAG enforcement (flagship): apply RLAC to agent retrieval #292 [0.5.0][RLAC P3] Backfill + migration: re-tag existing chunks + rlacChunkSchemaVersion gate #293 ∥ [0.5.0][AUTH P0] Scope taxonomy + containment primitive (additive, no behavior change) #296 [0.5.0][AUTH P1] Route to fine-scope mapping + legacy-key regression sweep #297 — highest-risk correctness first.
• Milestone B (wk 5-8): [0.5.0][RLAC P4] Admin UI: principals, policy audit, view-as, visibility picker, access explorer #294 [0.5.0][RLAC P5] Conformance fixtures + docs rewrite #295 ∥ [0.5.0][AUTH P2] MCP per-tool fine scopes #298 [0.5.0][AUTH P3] API + conformance fixtures for fine scopes #299 [0.5.0][AUTH P4] Audit: structured requiredScope on denials #300 [0.5.0][AUTH P5] UI: API-key scope picker (presets + custom tree) #301 ∥ [0.5.0][MCP P0] Correct the stale roadmap line #304 [0.5.0][MCP P1] Save-time toolId validation (reject unresolved namespaced ids) #305 [0.5.0][MCP P2] Discovery TTL cache (defer the persisted table) #306 [0.5.0][MCP P3] tools:invoke scope gating + audit mcpServerId/source #307 (tools:invoke co-designed with [0.5.0][AUTH P0] Scope taxonomy + containment primitive (additive, no behavior change) #296).
• Milestone C (wk 9-11): [0.5.0][MCP P4] UI: server-grouped tool picker + schema display + dangling warning #308 [0.5.0][MCP P5] Conformance fixtures for MCP registry + catalog #309 [0.5.0][MCP P6] Full-loop integration + E2E hardening #310 ∥ [0.5.0][AUTH P6] CLI: aiw key create/list/revoke #302 [0.5.0][AUTH P7] Docs + migration notes for scopes #303 + top stretch ([0.5.0][Stretch] OIDC claim to role/principal mapping #312, then [0.5.0][Stretch] RLAC expansion: conversations/agents + group/time predicates #313).
• Milestone D (wk 12): [0.5.0][Release] Final gate: conformance + E2E green, migration notes, CHANGELOG, version bump #311 — gates green, CHANGELOG/what's-new, version bump, release.

Cross-cutting guardrails

• Conformance fixtures pin contracts for the future Python/Java runtimes without implementing them (runtime work is out of scope; do not touch runtimes/python/).
• Shared in-memory filter interpreter + mock-astra $or/$and support prevent silent mock/prod divergence.
• Scope vocabulary (tools:invoke/manage:access) shared between [0.5.0][AUTH P0] Scope taxonomy + containment primitive (additive, no behavior change) #296 and [0.5.0][MCP P3] tools:invoke scope gating + audit mcpServerId/source #307 — co-design in one review. manage:access key scope must not grant RLAC row-filter bypass.