Skip to content

Add auth-native routing (Router): route tasks by scope-defined capability#39

Merged
Jacobobber merged 1 commit into
mainfrom
feat/auth-routing
Jul 8, 2026
Merged

Add auth-native routing (Router): route tasks by scope-defined capability#39
Jacobobber merged 1 commit into
mainfrom
feat/auth-routing

Conversation

@Jacobobber

Copy link
Copy Markdown
Owner

Auth-native routing (Router)

Route a task to a worker by capability, where capability is the auth scope set — the one differentiator the harness-comparison research kept calling out. Most harnesses route by name, tag, or a hand-maintained skills table that can drift from what an agent can actually do. hallpass already knows what each agent is allowed to do (its granted scopes, enforced at call time), so it routes on that same fact:

  • Router.register(worker, scopes) — declare a worker and the scopes its harness grants.
  • Router.route(required) — return a worker whose harness covers required, round-robin across the eligible ones; None if none is capable (visible, not a silent misroute onto an agent that would just get denied).
  • Router.candidates(required) — list every capable worker.

Because the routing key is the authorization key, a task can never be routed to an agent that isn't authorized to perform it — the failure the research flagged in tag/name routing. Pair it with dispatch or the durable TaskQueue: route first, then hand the task to the chosen worker.

Verification

  • tests/test_router.py — 6 tests: capability match, uncovered scope → not a candidate, superset harness matches, round-robin spread, None when none capable, thread-safe register/route.
  • Full suite: 292 passed (+6). mypy --strict, ruff (whole repo), and catalog-freshness all green.

Additive; no breaking changes. Closes out the last high-impact item from the competitive-performance research plan.

The differentiator the harness research called out. Route a task to a worker
whose harness (its granted scopes) covers the scopes the task needs:

- Router.register(worker, scopes); route(required) -> a capable worker
  (round-robin across eligible), or None if none is capable (visible, not a
  silent misroute); candidates(required) lists them.
- The same scopes that gate tool calls decide who is capable of a task, so work
  can't be routed to an agent that isn't authorized for it. Pair with dispatch
  or the task queue: route first, hand off to the chosen worker.

292 tests (+6), mypy --strict, ruff (whole repo), catalog freshness all green.
v1.6.0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Jacobobber Jacobobber merged commit ba7b0ec into main Jul 8, 2026
12 checks passed
@Jacobobber Jacobobber deleted the feat/auth-routing branch July 8, 2026 20:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant