Milestone 1.1.3: Auth Token Validation

Status: Complete
Goal: 1.1 Persistence and auth data plane

Summary

Implement auth service token validation: lookup PAT by prefix/hash, Argon2id verify, return permission bitmap and org context via gRPC. Fail closed on all errors.

Branch

feature/m1-1-3-auth-validate-token (merged)

PR title (example)

feat(auth): validate PAT against Postgres (m1.1.3)

Estimated effort

4–5 days

Prerequisites

• 1.1.1 merged
• 1.1.2 merged
• Local buf generate for Go gRPC stubs

Tasks

• Add gRPC server to services/auth (internal/grpc/)
• Config: gRPC listen port, Postgres pool
• Repository layer: tokens lookup by prefix (never log raw token)
• Service layer: Argon2id verify; map to ValidateTokenResponse
• Lookup uses app.is_service_account per ADR-0007 (org context returned in response, not set on session during validate)
• Wire gRPC + HTTP on shared process
• Unit tests: hash verify, invalid token, revoked token
• Integration tests: seed two orgs; cross-tenant cases
• Update services/auth/README.md with run instructions and grpcurl examples
• Metrics: validate latency histogram, error counter (low cardinality)

Files affected

Testing requirements

• Unit: Argon2id, permission mapping, error codes
• Integration: real Postgres + migrations; cross-tenant
• Contract: proto round-trip via integration + existing proto-contract CI

Documentation updates

• services/auth/README.md
• ENVIRONMENT_VARIABLES.md
• ADR-0007

Definition of done

• ValidateToken returns success for valid seeded token in dev DB
• Invalid/revoked/missing token returns unauthenticated without leaking existence
• No raw tokens in logs
• go test ./services/auth/... passes including integration
• /health and /ready still correct

Merge

Squash merge PR #16 → main at 5691dd8.

Risks