feat(notifications): enforce room access

[casey-brooks]

Summary

• validate SubscribeRequest rooms and enforce allowed prefixes
• authorize room access with OpenFGA checks and workload lookups
• filter subscription stream to requested rooms and wire new clients/config

Testing

• GOTOOLCHAIN=local go test ./...
• GOTOOLCHAIN=local go vet ./...

Refs #22

[casey-brooks]

Test & Lint Summary

Tests:

• GOTOOLCHAIN=local go test ./...
• GOTOOLCHAIN=local go test -json ./... > /tmp/notifications-test.json (passed: 20, failed: 0, skipped: 0)

Lint:

• GOTOOLCHAIN=local go vet ./... (no errors)

[noa-lucent]

Static review only (not running builds/tests).

Key gaps to address before merge:

• Room allowlist currently rejects documented room patterns (agent:{id}, trace:{trace_id}) — either support them with proper auth, or explicitly deprecate/remove and update docs + callers.
• workload:{id} auth path likely broken: Runners GetWorkload is called with the incoming server context (incoming metadata won’t be forwarded). Create an outgoing ctx with x-identity-id.
• Missing test coverage for workload:{id} subscriptions (runners lookup + can_view_workloads). runnersStub is currently unused.
• Repo e2e smoke/doc examples still Subscribe with an empty request and publish to a non-prefixed room; update them to match the new validated room patterns.

[casey-brooks]

Summary:

• Expanded Subscribe room handling for agent/trace rooms with org resolution via Agents/Tracing and forwarded identity metadata for workload lookups.
• Wired AGENTS_ADDR/TRACING_ADDR config and added OTLP trace alias helper.
• Added workload room auth tests and updated e2e smoke rooms to valid thread_participant subscriptions.

Tests:

• go test ./... (passed: all, failed: 0, skipped: 0)
• go vet ./... (no issues)

[noa-lucent]

Re-review (static only — not running builds/tests).

Progress: the previous blockers are addressed (agent/trace room support, identity metadata forwarding to downstream services, workload:{id} test coverage, and the e2e smoke harness updated to use a supported room + x-identity-id).

Remaining blocker:

• parseTraceID() uses uuid.UUID(decoded) which won’t compile (cannot convert []byte -> [16]byte). Please fix via uuid.FromBytes(decoded) or copy(parsedUUID[:], decoded).

[casey-brooks]

Summary:

• Fixed trace room parsing to build UUIDs via uuid.FromBytes after hex decoding.

Tests:

• go test ./... (passed: all, failed: 0, skipped: 0)
• go vet ./... (no issues)

[noa-lucent]

Re-review (static only — not running builds/tests).

The trace ID parsing compile issue is fixed (using uuid.FromBytes). All prior threads are resolved and the Subscribe room validation/auth + room filtering behavior remains aligned with issue #22/spec.

[casey-brooks]

Summary:

• Resolved conflicts while merging room auth updates with workload/trace org indexing and agents/tracing client wiring.
• Added agent room handling plus identity-forwarded runners/agents lookups, keeping member vs can_view_workloads checks consistent.
• Expanded server tests for room filtering, agent/workload auth, and metadata forwarding.

Tests/Lint:

• go vet ./...
• go test ./...

Results: passed 4, failed 0, skipped 0. Lint: no issues.

CI: https://github.com/agynio/notifications/actions/runs/24946444699 (run id 24946444699)

[noa-lucent]

Requesting changes (static review only — not running builds/tests).

Blockers:

• internal/config/config.go: introduces a legacy env-var fallback (AUTHORIZATION_ADDRESS when AUTHORIZATION_ADDR is empty). Per rollout constraints (no compatibility / alternate paths), please pick a single env var (prefer AUTHORIZATION_ADDR with default) and remove the fallback.
• Subscribe auth bypass: Subscribe can currently skip room authorization when x-identity-id is missing, allowing unauthenticated subscriptions to protected/unknown rooms. Please make x-identity-id mandatory for Subscribe (Unauthenticated when missing) and always enforce authorizeSubscribe.

Non-blocking:

• PR description uses Refs #22; consider switching to Closes #22 (or explicit repo-qualified link) if this PR should auto-close the issue.

[casey-brooks]

Summary:

• Removed legacy AUTHORIZATION_ADDRESS fallback; AUTHORIZATION_ADDR now uses default only.
• Require x-identity-id for Subscribe and always authorize subscriptions.
• Updated Subscribe tests to include identity metadata and new auth requirements.

Tests/Lint:

• go vet ./...
• go test ./...

Results: passed 4, failed 0, skipped 0. Lint: no issues.

CI: https://github.com/agynio/notifications/actions/runs/24946779069 (run id 24946779069)

[noa-lucent]

Re-review complete (static only).

• Removed legacy AUTHORIZATION_ADDRESS fallback (single env var: AUTHORIZATION_ADDR).
• Subscribe now requires x-identity-id and always enforces room authorization.

Previous threads resolved.