feat: add list-my-workspaces operation and document IAM in API specs (#961)

Add a new `list-my-workspaces` operation so non-admin users can discover which workspaces they have access to. For OSS IAM, regular users see their home workspace; admins see all workspaces. Also add the full IAM service to both OpenAPI and AsyncAPI specs — it was previously undocumented despite being a first-class service on both HTTP and WebSocket interfaces.
2026-06-24 14:18:05 +02:00 · 2026-05-29 19:17:37 +01:00 · 2026-05-29 19:17:37 +01:00 · 6564adad80
commit 6564adad80
parent 2a10e16c02
20 changed files with 689 additions and 2 deletions
--- a/trustgraph-flow/trustgraph/gateway/registry.py
+++ b/trustgraph-flow/trustgraph/gateway/registry.py
@ -309,6 +309,13 @@ register(Operation(
    extract_resource=_empty_resource,
    extract_parameters=_no_parameters,
 ))
+register(Operation(
+    name="list-my-workspaces",
+    capability="workspaces:list-own",
+    resource_level=ResourceLevel.SYSTEM,
+    extract_resource=_empty_resource,
+    extract_parameters=_no_parameters,
+))
 register(Operation(
    name="list-workspaces",
    capability="workspaces:admin",
--- a/trustgraph-flow/trustgraph/iam/noauth/handler.py
+++ b/trustgraph-flow/trustgraph/iam/noauth/handler.py
@ -106,7 +106,7 @@ class NoAuthHandler:
            ):
                return IamResponse()

-            if op == "list-workspaces":
+            if op in ("list-workspaces", "list-my-workspaces"):
                return IamResponse()

            if op in ("create-api-key", "list-api-keys", "revoke-api-key"):
--- a/trustgraph-flow/trustgraph/iam/service/iam.py
+++ b/trustgraph-flow/trustgraph/iam/service/iam.py
@ -68,6 +68,7 @@ _READER_CAPS = {
    "collections:read",
    "knowledge:read",
    "keys:self",
+    "workspaces:list-own",
 }

 _WRITER_CAPS = _READER_CAPS | {
@ -328,6 +329,8 @@ class IamService:
                return await self.handle_delete_user(v)
            if op == "create-workspace":
                return await self.handle_create_workspace(v)
+            if op == "list-my-workspaces":
+                return await self.handle_list_my_workspaces(v)
            if op == "list-workspaces":
                return await self.handle_list_workspaces(v)
            if op == "get-workspace":
@ -915,6 +918,30 @@ class IamService:
        row = await self.table_store.get_workspace(v.workspace_record.id)
        return IamResponse(workspace=self._row_to_workspace_record(row))

+    async def handle_list_my_workspaces(self, v):
+        if not v.actor:
+            return _err("invalid-argument", "actor required")
+
+        user_row = await self.table_store.get_user(v.actor)
+        if user_row is None:
+            return _err("not-found", "user not found")
+
+        user_roles = user_row[6] or []
+        is_admin = "admin" in user_roles
+
+        if is_admin:
+            rows = await self.table_store.list_workspaces()
+        else:
+            user_workspace = user_row[1]
+            row = await self.table_store.get_workspace(user_workspace)
+            rows = [row] if row else []
+
+        return IamResponse(
+            workspaces=[
+                self._row_to_workspace_record(r) for r in rows
+            ],
+        )
+
    async def handle_list_workspaces(self, v):
        rows = await self.table_store.list_workspaces()
        return IamResponse(