Filter archived realms from federated search (CS-11666)#5357
Merged
lukemelia merged 3 commits intoJun 30, 2026
Merged
Conversation
1 task
lukemelia
force-pushed
the
cs-11666-federated-search-excludes-archived-realms-server-client
branch
from
18620a0 to
032f6c1
Compare
lukemelia
changed the base branch from
main
to
cs-11665-enumeration-omits-archived-realms-from-_realm-auth-realm
lukemelia
force-pushed
the
cs-11666-federated-search-excludes-archived-realms-server-client
branch
from
032f6c1 to
8bbd247
Compare
lukemelia
force-pushed
the
cs-11665-enumeration-omits-archived-realms-from-_realm-auth-realm
branch
from
013586f to
f064e56
Compare
The original CS-11666 plan filtered archived realms inside handle-search. That filter is subsumed by the enumeration filter added in CS-11665 (#5358): once a realm is archived, the requester has no permission for it per fetchUserPermissions, so multi-realm-authorization 403s the request before handle-search runs. Drop the redundant handler- level filter and the bulk fetchArchivedRealmURLs helper that fed it. Keep one integration test on the federated-search endpoint to pin the user-facing contract: a federated search payload that names an archived realm gets 403, and the same request restricted to active realms still searches normally. The test exercises the full stack (handle-search → multi-realm-auth → fetchUserPermissions → realm_metadata.archived_at) so a future refactor of the enumeration layer can't silently weaken it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
lukemelia
force-pushed
the
cs-11666-federated-search-excludes-archived-realms-server-client
branch
from
8bbd247 to
894b79a
Compare
Contributor
lukemelia
changed the base branch from
cs-11665-enumeration-omits-archived-realms-from-_realm-auth-realm
to
main
The exact-key-set assertion picked up '*: read' system-realm permissions (boxel-homepage, catalog, openrouter, …) seeded by migrations into the template DB, since the public-read arm of fetchUserPermissions surfaces those for every user. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…arch-excludes-archived-realms-server-client # Conflicts: # packages/realm-server/tests/queries-test.ts
Contributor
There was a problem hiding this comment.
Pull request overview
This PR pins the federated-search authorization contract that archived realms must be rejected at the auth boundary (via fetchUserPermissions’ archived-realm filter) rather than returning any search hits.
Changes:
- Add an integration test for
/_federated-searchverifying that including an archived realm in therealmspayload returns403and names the archived realm URL in the error. - Add a companion assertion that the same query restricted to an active realm still returns results normally.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A federated search payload that names an archived realm must not return hits. The mechanism is the enumeration filter in
fetchUserPermissions: once a realm is archived, the requester has no permission for it per the filtered enumeration, somulti-realm-authorizationshort-circuits the request with 403 beforehandle-searchruns. The handler does no extra work.This PR adds one integration test on
/_federated-searchthat pins the contract end-to-end:The test exercises the full stack (
handle-search→multi-realm-authorization→fetchUserPermissions→realm_metadata.archived_at), so a refactor of the enumeration layer can't silently weaken the federated-search contract.Client-side backstop — deferred
_realm-authdoesn't carry archived realms, so the host'savailableRealmURLsdoesn't include them and a client-side filter is redundant. Deferred to a follow-up if a concrete reason emerges.Test plan
pnpm testinpackages/realm-server(server-endpoints/search-test) — requires Docker for the test PG; will verify in CI.