Cross-product feature request (governance/cross-product-feature-requests.md) — requester: platform-governance/orchestrator, owner: FuzeFront.
Need
The new policy (governance §1 + platform-services) makes FuzeFront the authN (Authentik OIDC SSO) + authZ (Permit.io) provider for every product, enforced by gate-authz. But there is no consumable client for products to adopt — so audits found products self-rolling auth (FuzeMarket #38 SHA-256 password store + self-minted tokens; FuzeDeploy #12 self-minted JWTs + local user store; FuzeX #7 no auth). They can't comply until FuzeFront ships the client.
Acceptance criteria
- Publish @fuzefront/auth (private GitHub Packages, @fuzefront scope) — a thin client that verifies FuzeFront/Authentik identity tokens (JWKS), exposes requireUser() / req.user (Express) + Depends(get_current_user) (FastAPI) equivalents, and the authZ helpers (permit.check / requireOwnership) against the shared Permit PDP. Node + Python.
- An integration guide (how a product adopts FuzeFront auth: verify tokens, no local login/user-store/token-minting) — maintained by fuzefront-expert so consuming agents consult it, not FF's source.
- Notify the orchestrator with the package name/version + guide link, so the FuzeMarket/FuzeDeploy/FuzeX migrations can proceed.
Owner path
Plan in FuzePlan → develop via FuzeAgent → deploy/publish via FuzeDeploy → notify. Draft PR; no plan mode/AskUserQuestion.
STATE:
- done: policy + gate-authz live; violations identified
- remaining: @fuzefront/auth client (Node+Python) + JWKS verify + Permit authz helpers + integration guide
- next action: fuzefront-expert + backend-engineer scope the client from backend/src/middleware/permissions.ts (the reference)
@claude — pick this up per the owner path.