feat(openapi): /apps/permitted — external-subject app discovery (EE)

Split route for dfoe_ external-SSO discovery, separate from /apps (dfoa_-only workspace catalog). Cross-tenant allow-list query: server calls Enterprise inner-API POST /inner/api/webapp/permitted-apps and hydrates app/tenant rows locally. New scope apps:read:permitted (no dual-meaning with apps:read). Route gated by @enterprise_only — 404 on CE — and validate_bearer(accept=ACCEPT_USER_EXT_SSO) — 403 on dfoa_. Query validator rejects workspace_id and tag (cross-tenant unresolvable); mode/name supported. EE inner-API wire-up depends on ee-2; the service-layer stub raises ServiceUnavailable until that endpoint ships. CLI dispatches between /apps and /apps/permitted client-side based on the bearer prefix in hosts.yml — see docs/specs/v1.0/apps.md §Subject dispatch. Verified via unit tests on AppPermittedListQuery and Scope wiring; HTTP integration tests deferred to ee-2 once the inner-API ships.
2026-05-26 03:47:42 +08:00 · 2026-05-05 20:20:22 -07:00
parent 6f3c2fe97b
commit 04ebf8a92f
8 changed files with 229 additions and 3 deletions
--- a/api/controllers/openapi/_models.py
+++ b/api/controllers/openapi/_models.py
@ -45,6 +45,8 @@ class AppListRow(BaseModel):
    tags: list[dict[str, str]] = []
    updated_at: str | None = None
    created_by_name: str | None = None
+    workspace_id: str | None = None
+    workspace_name: str | None = None


 class AppInfoResponse(BaseModel):