Conversation
Replaces the legacy 'aim-' resource/identifier prefix and 'AIM_' env var prefix with the shorter 'isp-' / 'ISP_' to align with the repo's new identity-spiffe branding.
- deploy.sh: env-name guard now accepts ^(identity-spiffe|isp-); RG discovery searches both rg-identity-spiffe* and rg-isp-*; fixed the misleading suggestion that previously recommended a non-conforming name
- infra/main.bicep + main.parameters.bicepparam: resource prefixes, tag
- scripts/, portal/, securityportal-mock/, src/budget-backend/: renamed identifiers and env vars
- Docs and CLAUDE.md files updated
- Tests updated (sanitizer input)
Deliberately NOT renamed (separate, deeper refactor):
- SPIFFE trust domains aim.microsoft.com / gcp.aim.microsoft.com / aws.aim.microsoft.com
- Go package aimtls in src/spiffe-proxy
- Frontend localStorage keys (aim_log_*, aim_pinned_agents)
- agency.toml [agents.aim]
Validated: bash -n clean, Python compile clean, 16/16 targeted tests pass, deploy.sh runs past the env guard into azd provisioning.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The verbose 'Identity Research for Agent Management Using SPIFFE *'
prefix on Entra-stored objects (blueprint, apps, groups, CA policy,
provisioner) was unreadably long in Azure Portal and in preflight
output, e.g.:
Identity Research for Agent Management Using SPIFFE Budget Backend
Agents [identity-spiffe]
Renamed Entra-display constants only — the project's prose name stays
'Identity Research for Agent Management Using SPIFFE' in README, docs,
mkdocs, and CLI banners. Only the strings Entra stores get the short
form.
New display names (preflight will now show):
- Blueprint: Agent Management Budget Backend Agents [<env>]
- Admin group: Agent Management Administrators
- Viewer group: Agent Management Viewers
- Management app: Agent Management Portal - Management [<env>]
- Security app: Agent Management Portal - Security Portal Mock [<env>]
- Provisioner: Agent Management Agent ID Provisioner
- CA policy: Agent Management: Block agents based on risk
Files:
- scripts/entra_scope.py: 5 LEGACY_*_DISPLAY_NAME constants
- scripts/entra_provisioning.py: PROVISIONER_APP_DISPLAY_NAME
- scripts/create-entra-agent-ids.py: PROVISIONER_APP_DISPLAY_NAME
- scripts/create-custom-attributes.py: CA_POLICY_NAME, OLD_CA_POLICY_NAME
(OLD points at the long-form name so any internal-test deployment
gets the policy renamed in-place on next provision),
ATTRIBUTE_SET_DESCRIPTION
- portal/app/clients/graph.py: fetch_ca_policies default display_name_filter
updated to 'Agent Management:' to match the new CA policy prefix
- deploy.sh: updated user-facing echo referencing the admin group name
- scripts/tests/test_entra_scope.py: 6 expected-string updates
Tests: scripts/tests/test_entra_scope (6) and portal/tests (39) pass.
deploy.sh passes bash -n.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rename Entra-tracked object display names from the long 'Identity Research for Agent Management Using SPIFFE …' prefix to a shorter 'Agent Management …' prefix to avoid name-length blowup in scoped-mode environments.
Renamed:
- Blueprint, Portal management app, Security Portal app
- Provisioner app, CA policy, CA-policy filter prefix
- Portal auth groups (Administrators, Viewers)
Portal/security-portal UI also updated to match (titles, sidebar brand, auth splash, access-denied messages, JWT validator role hint).
Docs retain the long 'Identity Research for Agent Management Using SPIFFE' name where used as the project/repo description.
The previous CA policy display name is kept as OLD_CA_POLICY_NAME so the existing cleanup path will delete the prior policy on next provisioning run.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
deploy.sh
- New --with-admin=<upn|oid> flag (repeatable, accepts UPN/email or
object ID) and ISP_INITIAL_ADMINS env var to seed the portal
Administrators group with one or more tenant users during deploy.
- Falls back to the signed-in az CLI user when neither is provided,
preserving prior behavior, and prints a tip pointing at the new
flag/env so first-time users discover it.
- Resolves UPN→OID via az ad user show, treats 'already a member' as
success, and surfaces clear messages for skipped/failed entries.
- Updated --help and top-of-file usage comments.
scripts/portal-members.sh
- New helper for post-deploy group membership management:
add-admin / add-viewer / remove-admin / remove-viewer / list
- Reads ISP_ADMIN_GROUP_ID / ISP_VIEWER_GROUP_ID from azd env.
Docs
- README.md and docs/getting-started/quickstart.md call out the
--with-admin requirement up front so portal sign-in doesn't fail
with 'Access Denied' on day one.
- scripts/CLAUDE.md scripts table lists portal-members.sh.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
When ./scripts/portal-members.sh add-admin/add-viewer or deploy.sh --with-admin=<email> targets a UPN that doesn't exist in the tenant, send a Microsoft Graph B2B invitation via /v1.0/invitations and then add the new guest object ID to the portal group. Pass --no-invite to portal-members.sh to disable. Requires the caller to hold the User.Invite.All Graph permission. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…aders
The ingress proxy was stripping every X-Spiffe-* header to prevent a caller from spoofing X-SPIFFE-Caller-ID / X-SPIFFE-Trust-Domain. The overly-broad prefix match also stripped X-Spiffe-Admin-Key — the shared-secret header that admin-control-plane forwards to budget-backend on every /mgmt/* request.
End result: portal /system-status calls admin-control-plane /admin/health, which proxies to budget-backend /mgmt/health, which returns 401 "Invalid or missing X-Spiffe-Admin-Key header" because the sidecar removed the credential mid-flight. The portal badge flips to LIVE FAILED and the dashboard cards show '?'.
Fix: allow-list X-Spiffe-Admin-Key while still stripping the identity-bearing X-SPIFFE-* headers. Added a regression test in internal/inspect/http_test.go.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
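The header-stripping bug described in the commit above, as an added Go example that is not the project's spiffe-proxy code: the original broad prefix match beside an allow-list version that keeps X-Spiffe-Admin-Key while still dropping the identity-bearing headers. The header values and the function names are constructed for illustration.

```go
package main

import (
	"net/http"
	"sort"
	"strings"
)

// adminKeyHeader is the shared-secret header admin-control-plane forwards to
// budget-backend on /mgmt/* requests; ingress must let it through.
const adminKeyHeader = "X-Spiffe-Admin-Key"

// stripSpiffeHeadersBroad mirrors the original bug: any header whose canonical
// name starts with X-Spiffe- is dropped, which also removes the admin key.
func stripSpiffeHeadersBroad(h http.Header) {
	for name := range h {
		if strings.HasPrefix(http.CanonicalHeaderKey(name), "X-Spiffe-") {
			delete(h, name) // delete by stored key so non-canonical keys go too
		}
	}
}

// stripSpiffeHeaders is the fixed behaviour: identity-bearing X-Spiffe-* headers
// (Caller-ID, Trust-Domain, ...) are still removed so a caller cannot spoof them,
// but the allow-listed admin key passes through. Removed names are returned
// (sorted) so the sidecar can log them as a spoofing-attempt signal.
func stripSpiffeHeaders(h http.Header) []string {
	var removed []string
	for name := range h {
		canon := http.CanonicalHeaderKey(name)
		if canon == adminKeyHeader || !strings.HasPrefix(canon, "X-Spiffe-") {
			continue
		}
		delete(h, name)
		removed = append(removed, canon)
	}
	sort.Strings(removed)
	return removed
}

// sampleInbound builds a constructed inbound request: a caller trying to set
// identity headers, plus the legitimate admin key and bearer token.
func sampleInbound() http.Header {
	h := http.Header{}
	h.Set("X-SPIFFE-Caller-ID", "spiffe://aim.microsoft.com/agent/forged") // constructed
	h.Set("X-SPIFFE-Trust-Domain", "aim.microsoft.com")
	h.Set(adminKeyHeader, "constructed-admin-secret")
	h.Set("Authorization", "Bearer constructed-token")
	return h
}
```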
README:
- Drop the live 'Request Enforcement Flow' diagram from the portal's Enforcement Layers page right under the 'Enforcement model' table so readers see all four layers (mTLS → RBAC → OAuth/JWT → CA) visually before reading the words.
- Add a 'Portal tour' section with the dashboard overview rendered full-width as the hero, plus clickable thumbnails for Test Calls and Enforcement Layers. Both link back to the full-size images.
docs/index.md:
- Mirror the enforcement-flow hero on the published landing page so the GitHub Pages site leads with the same visual.
Images stored under docs/assets/portal/ so they ship with both the README and the mkdocs site.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shows BudgetReport (finance) → EmployeeMenus (HR) blocked at the target by Conditional Access tag mismatch — JWT validates, risk is low, but the agent tags don't match and the response is a clean '403 agent_tag_mismatch' that names the deciding enforcement layer. Rounds out the Portal tour: SPIFFE-tunneled call (Test Calls) + per-layer status (Enforcement Layers) + cross-agent HTTPS path (A2A). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
By default azd down only removes Azure resources. The Blueprint app, its child Agent Identities + federated credentials, the Provisioner, Portal, and Security Portal Mock apps, and the Administrators/Viewers groups are tenant directory objects and survive teardown so the next ./deploy.sh can reuse them. Pass --purge-entra to also delete those objects (idempotent — skips anything already tombstoned) and clear the matching azd env vars so the next deploy provisions fresh objects from scratch. Required for a true clean-room first-run test. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Roll-up of the devwork behind the recent demo deployments — naming, portal admin seeding, a real enforcement bug fix, and visual polish in the README.
Highlights
Naming
- aim-* → isp-* for resource prefixes (d4eaa20).
- 8a11dbe, 611263d). Long-form name preserved everywhere in docs/prose.
Portal admin seeding
- deploy.sh --with-admin=<upn> flag (repeatable) + ISP_INITIAL_ADMINS env var. Falls back to the signed-in az user when neither is set (2855699).
- scripts/portal-members.sh helper: add-admin / add-viewer / remove-admin / remove-viewer / list.
- /v1.0/invitations (7d41dde). Pass --no-invite to disable.
- az login" callout.
Bug fix: portal flips to LIVE FAILED after deploy
- spiffe-proxy ingress was stripping every X-Spiffe-* header on inbound requests to prevent caller-ID spoofing — but that also removed X-Spiffe-Admin-Key, the shared-secret credential that admin-control-plane forwards on every /mgmt/* call.
- /system-status → ACP /admin/health → budget-backend /mgmt/health returned 401 "Invalid or missing X-Spiffe-Admin-Key header" and the portal badge flipped to LIVE FAILED even though the deployment was healthy.
- 3e9397e: allow-list X-Spiffe-Admin-Key while still stripping the spoofable identity-bearing headers. Regression test added in src/spiffe-proxy/internal/inspect/http_test.go.
README + docs visual polish
- a74e63a).
- bf958a7) showing JWT-valid / risk-low traffic correctly denied at the target by a Conditional Access tag mismatch.
- docs/index.md so the published GitHub Pages site leads with the visual after this merge.
Why one PR
All eight commits were authored against the same live demo env this evening. Merging them together rebuilds the docs site (.github/workflows/docs.yml only deploys on push to main) so the renamed prefixes, screenshots, and quickstart copy land in one consistent published cut.
Validation done
- go test ./internal/inspect/... ./internal/rbac/... in src/spiffe-proxy/: pass.
- python3 -m unittest discover -s scripts/tests: pass.
- bash -n deploy.sh and bash -n scripts/portal-members.sh: clean.
- gentlesea-c0fa16e3 deployment: /admin/agents returned 200, /admin/health returned 401 with the exact error message above, fix derived directly from that trace.
- ./scripts/portal-members.sh add-admin <upn> end-to-end including the B2B invite path.
Co-author
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com