fix(authz): register build agents as resources

[rpatel-scale]

Summary

• Change /agents/register-build to call authorization_service.register_resource(...) for the returned agent resource instead of grant-only authz.
• Add a route-level unit test proving build-time agent registration writes the agent resource and does not fall back to grant.

Why

grant maps to Spark grant_resource_role, while register_resource maps to Spark resource lifecycle registration. Build-created agents need the lifecycle registration so downstream resources such as agent builds can use the agent as their parent resource.

Validation

• uv run python scripts/run_tests.py tests/unit/api/test_agents_register_build_authz.py
• uv run ruff check src/api/routes/agents.py tests/unit/api/test_agents_register_build_authz.py
• uv run ruff format --check src/api/routes/agents.py tests/unit/api/test_agents_register_build_authz.py

Greptile Summary

This PR fixes the authorization path for the /agents/register-build endpoint by replacing authorization_service.grant(...) with authorization_service.register_resource(...), which maps to Spark's resource lifecycle registration instead of a role-assignment operation. A new test file is added to explicitly verify the correct call is made and that grant is never invoked.

• agents.py: Single-line swap from grant to register_resource at the end of register_build, plus an updated docstring.
• test_agents_register_build_authz.py: New test file with a happy-path test and a re-entrant idempotency test that assert register_resource is called (and grant is not) on every invocation, including repeated calls for an already-existing agent.

Confidence Score: 5/5

Safe to merge — the change is a targeted one-line correction to the authz call, backed by a new test file that covers both the new-agent and re-entrant paths.

The route change is minimal and intentional: replacing grant with register_resource aligns the build-registration flow with Spark's resource lifecycle model. The new test file explicitly asserts the correct method is called and that grant is never invoked, including on repeated calls for the same agent. No logic outside the authz call was modified.

No files require special attention.

Important Files Changed

Filename	Overview
agentex/src/api/routes/agents.py	Single-line change swapping grant for register_resource on the register_build endpoint, with a matching docstring update. Logic is minimal and correct.
agentex/tests/unit/api/test_agents_register_build_authz.py	New unit test file covering both the happy path (new agent) and the re-entrant path (existing agent returned by register_build), asserting register_resource is called and grant is never called.

Sequence Diagram

sequenceDiagram
    participant Client
    participant register_build route
    participant authorization_service
    participant agents_use_case

    Client->>register_build route: POST /agents/register-build
    register_build route->>authorization_service: check(agent("*"), create, principal_context)
    authorization_service-->>register_build route: OK
    register_build route->>agents_use_case: register_build(name, description, ...)
    agents_use_case-->>register_build route: agent_entity
    register_build route->>authorization_service: register_resource(agent(agent_entity.id), principal_context)
    note over authorization_service: Spark resource lifecycle registration<br/>(was: grant_resource_role)
    authorization_service-->>register_build route: OK
    register_build route-->>Client: Agent response

Loading

_{Reviews (2): Last reviewed commit: "test(authz): cover reentrant build regis..." | Re-trigger Greptile}

[danielmillerp]

do we need this for deploys?

[asherfink]

cc @harvhan as this relates to our discussion too

i'm working on some changes rn that overlap w/ this

Edit: see updated #270