http adapter: REST path params + PATCH/PUT/DELETE + broker pattern allow-list#39
Merged
TeoSlayer merged 4 commits intoJun 25, 2026
Merged
Conversation
…low-list
The HTTP adapter rails only supported GET/POST on static paths, and the broker
allow-list was exact-match. That can't express a REST API with path params
(e.g. AgentPhone's GET /v1/calls/{id} for call-status/transcript polling, the
non-websocket way to learn a call outcome) or PATCH/DELETE resources.
Generator (internal/scaffold):
- http.verb now accepts GET|POST|PATCH|PUT|DELETE (was GET|POST).
- http.path supports {name} placeholders; Resolve derives PathParams, Validate
requires each {name} to have a matching params: entry.
- one generic forward(): fills {name} from the payload (URL-escaped, dropped from
body/query), sends remaining fields as JSON body (POST/PATCH/PUT) or query
(GET/DELETE), preserving nested JSON in bodies. Adds a generic client.Do().
Broker (internal/broker):
- allow-list entries with a {seg} match any single non-empty path segment, so
REST path params don't each need enumerating; exact entries still fast-path.
The forward path already used r.Method, so PATCH/DELETE needed no change.
Tests: verb acceptance/rejection, path-param derivation + must-be-declared,
broker pattern matching (incl. empty-deny), and a managed-HTTP generate+compile
covering all five verbs + path params. Example spec documents the feature.
BrokerEntry captured the auth header name but dropped the scheme, so a Bearer
partner (e.g. AgentPhone: Authorization: Bearer <key>) was injected as a bare
Authorization: <key>. Parse a scheme prefix from the header value ("Bearer
managed" -> scheme "Bearer"; bare "managed" -> no scheme, e.g. x-api-key).
Test covers Bearer derivation + templated allow-path passthrough.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The HTTP adapter rails supported only GET/POST on static paths, and the broker allow-list was exact-match. That can't express a REST API with path params (e.g. AgentPhone's
GET /v1/calls/{id}for call-status/transcript polling — the non-websocket way to learn a call outcome) or PATCH/DELETE resources. This adds them, with tests.Generator (
internal/scaffold)http.verbacceptsGET|POST|PATCH|PUT|DELETE(was GET|POST).http.pathsupports{name}placeholders;ResolvederivesPathParams,Validaterequires each{name}to have a matchingparams:entry.forward(): fills{name}from the payload (URL-escaped, dropped from body/query), then sends remaining fields as a JSON body (POST/PATCH/PUT) or query string (GET/DELETE), preserving nested JSON in bodies. Adds a genericclient.Do().Broker (
internal/broker,internal/publish){seg}match any single non-empty path segment, so REST path params don't each need enumerating; exact entries still fast-path. The forward path already usedr.Method, so PATCH/DELETE needed no change.BrokerEntryderives the auth scheme (e.g.Bearer) from a managed submission header value, so a Bearer partner is injected asAuthorization: Bearer <key>.Tests (full suite green): verb accept/reject, path-param derivation + must-be-declared, broker pattern matching (incl. empty-deny), Bearer-scheme derivation, and a managed-HTTP generate→compile covering all five verbs + path params. Example spec documents the feature.