feat: express NHI + AI-agent ontology in the config schema [DRAFT / DO-NOT-MERGE]#136
Merged
Lets a config author declare the non-human-identity ontology and AI agents
directly in the YAML grammar; the engine emits the matching baton-sdk traits.
Mirrors the NHI parity baton-axiomatic reached (PRs #145-#148), expressed
through baton-sql's config grammar instead of axiomatic's TS author surface.
- K1 secret/credential: map.traits.secret {credential_type, credential_detail,
expires_at, last_used_at} -> SecretTrait (TRAIT_SECRET).
- K2 service/system account: map.traits.user.account_type (already supported)
-> UserTrait.account_type; covered with a test.
- K3 non-human identity: map.non_human_identity {nhi_type, nhi_detail} ->
NonHumanIdentityTrait, kind-agnostic (sibling of traits; co-exists with any
or no primary trait).
- AI agent: map.traits.agent {status, identity_resource_type,
identity_resource_id, profile} -> AgentTrait (TRAIT_AGENT).
Additive and gracefully degrading: every field is optional, unknown enum
strings warn and fall back to UNSPECIFIED, existing configs are unchanged.
baton-sdk stays at v0.12.4 (already supersedes the v0.11.1 that introduced
these traits). Adds nhi_test.go and examples/nhi-example.yml.
Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
Contributor
Connector PR Review: feat: express NHI + AI-agent ontology in the config schema [DRAFT / DO-NOT-MERGE]
Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review Summary
The new commit adds a
Security Issues: None found.
Correctness Issues: None found.
Suggestions: None.
CI's golangci-lint v2.11.4 flags the secret trait-config string literals as potential hardcoded credentials. Apply the same file-level //nolint:gosec convention used by user_syncer_test.go.
Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
pquerna
approved these changes
Jun 5, 2026
What

Lets a baton-sql config author declare the non-human-identity (NHI) ontology and AI agents directly in the YAML config grammar; the engine translates these declarations into the corresponding baton-sdk v2 traits/annotations.

This mirrors the NHI parity baton-axiomatic recently reached (PRs #145–#148), expressed through baton-sql's config grammar instead of axiomatic's TypeScript author surface. The SDK traits emitted are identical.

Mappings

| Config key (under `map:`) | Emitted SDK trait |
| --- | --- |
| `traits.secret.{credential_type, credential_detail, expires_at, last_used_at}` | `SecretTrait` + `TRAIT_SECRET` |
| `traits.user.account_type` (`service\|system\|human`) | `UserTrait.account_type` (already supported, `resources.go`); covered with a test |
| `non_human_identity.{nhi_type, nhi_detail}` | `NonHumanIdentityTrait` |
| `traits.agent.{status, identity_resource_type, identity_resource_id, profile}` | `AgentTrait` + `TRAIT_AGENT` |

Enum values

- `credential_type`: `static_secret` | `asymmetric_key` | `certificate` (no `api_key`, per the SDK enum).
- `nhi_type`: `app_registration` | `assumable_role` | `managed_identity`.
- `agent.status`: `ready` (active/enabled) | `disabled` (inactive) | `deleted`.

Design notes

- `WithNHIType` is documented as combinable with any resource trait, and there is no `ResourceType_TRAIT_NHI`. So `non_human_identity` is a sibling of `traits` (not a member of it) and is applied in `mapResource` after the primary trait — a resource can be an app/role/user and a non-human identity, or an NHI with no other trait.
- `map.traits.*` like `user`/`app`, wired through `fetchTraits`/`mapTraits` and advertised via `extractTraits` (`TRAIT_SECRET`/`TRAIT_AGENT`).

Graceful degradation

Every new field is optional. Configs that don't use them parse and sync identically (existing examples untouched). Unknown enum strings log a warning and fall back to `UNSPECIFIED` rather than failing the sync.

Tests / gates

- `pkg/bsql/nhi_test.go`: a config exercising each mapping asserts the emitted traits (incl. app+NHI co-existence and a "no annotations by default" graceful-degradation case), plus a parse test for the shipped example.
- `examples/nhi-example.yml`: documented reference exercising all four.
- `go build ./...` ✅ · `go test ./...` ✅ · `golangci-lint run`: 0 new issues in changed files (4 pre-existing findings live in untouched files: `provisioning.go`, `query_test.go`, `user_syncer_test.go`).

🤖 Generated with Claude Code
🏰 Opened from a Squire environment: fierce-cobra-24918
Task: f6700d26-0f2a-4581-867c-b4b39ecfa2fb
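As an added illustration (not code from this PR, baton-sql or baton-sdk), the Go sketch below shows the two behaviours the description relies on: unknown enum strings warn and degrade to UNSPECIFIED instead of failing the sync, and non_human_identity is applied after the primary trait so it can co-exist with any trait or with none. The SDK constant names, the map-based shape of the decoded config blocks, and the sample values are assumptions made for this example.

```go
package main
import (
	"fmt"
	"strings"
)
// Illustrative re-implementation of the PR's enum handling and NHI placement (not
// baton-sql's or baton-sdk's code; SDK constant names are assumptions). Key "" of
// each table is the UNSPECIFIED fallback used for unset or unknown strings.
var enums = map[string]map[string]string{
	"credential_type": {"": "CREDENTIAL_TYPE_UNSPECIFIED", "static_secret": "CREDENTIAL_TYPE_STATIC_SECRET",
		"asymmetric_key": "CREDENTIAL_TYPE_ASYMMETRIC_KEY", "certificate": "CREDENTIAL_TYPE_CERTIFICATE"},
	"nhi_type": {"": "NHI_TYPE_UNSPECIFIED", "app_registration": "NHI_TYPE_APP_REGISTRATION",
		"assumable_role": "NHI_TYPE_ASSUMABLE_ROLE", "managed_identity": "NHI_TYPE_MANAGED_IDENTITY"},
	"agent.status": {"": "AGENT_STATUS_UNSPECIFIED", "ready": "AGENT_STATUS_READY",
		"disabled": "AGENT_STATUS_DISABLED", "deleted": "AGENT_STATUS_DELETED"},
}
// Mapped is what the engine hands to the SDK: at most one primary trait, an
// optional NHI annotation, and the degradation warnings logged along the way.
type Mapped struct {
	Trait, TraitEnum, NHIType string
	Warnings                  []string
}

// resolveEnum: an unknown string warns and degrades to UNSPECIFIED instead of failing the sync.
func (m *Mapped) resolveEnum(field, raw string) string {
	if v, ok := enums[field][strings.ToLower(strings.TrimSpace(raw))]; ok {
		return v
	}
	m.Warnings = append(m.Warnings, fmt.Sprintf("%s: unknown value %q, falling back to UNSPECIFIED", field, raw))
	return enums[field][""]
}
// mapResource takes the decoded map.traits.secret, map.traits.agent and
// map.non_human_identity blocks (nil when absent), applies the primary trait first
// and the NHI annotation after it, so an NHI can co-exist with any trait or stand alone.
func mapResource(secret, agent, nhi map[string]string) Mapped {
	var m Mapped
	switch {
	case secret != nil:
		m.Trait, m.TraitEnum = "TRAIT_SECRET", m.resolveEnum("credential_type", secret["credential_type"])
	case agent != nil:
		m.Trait, m.TraitEnum = "TRAIT_AGENT", m.resolveEnum("agent.status", agent["status"])
	}
	if nhi != nil {
		m.NHIType = m.resolveEnum("nhi_type", nhi["nhi_type"])
	}
	return m
}

// Constructed sample: a secret with an unknown credential_type plus a managed-identity NHI.
func main() { fmt.Printf("%+v\n", mapResource(map[string]string{"credential_type": "api_key"}, nil, map[string]string{"nhi_type": "managed_identity"})) }
```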