refactor(authbridge): simplify PluginCapabilities — remove unused fields

[huang195]

Summary

• Remove 5 fields from PluginCapabilities that were deprecated or speculative infrastructure with no current plugin usage: BodyAccess, Reads, Writes, After, Claims
• Removing Reads/Writes as a pair also eliminates defaultSlots, WithSlots, and the slot-wiring validation block in validateCapabilities()
• PluginCapabilities goes from 9 fields to 5 — the surface a plugin author must understand is materially smaller

Result:

type PluginCapabilities struct {
    ReadsBody, WritesBody bool
    Requires    []string
    RequiresAny []string
    Description string
}

Why each field was removed

Field	Reason
BodyAccess	Deprecated alias for ReadsBody
Reads	No plugin declared it; slot-read validation was never triggered
Writes	Useless without Reads — the slot contract only works as a pair
After	Soft ordering; only appeared in tests, no plugin used it
Claims	Mutual exclusion; only appeared in tests, no plugin used it

Test plan

• go build ./authlib/... — clean
• go test ./authlib/pipeline/... ./authlib/plugins/... ./authlib/sessionapi/... ./authlib/listener/... — all 20 packages pass

Assisted-By: Claude Code

Summary by CodeRabbit

• Refactor

  • Simplified plugin capability model: removed legacy slot/ordering/claim fields and tightened body-mutation ordering rules.

• API Changes

  • Pipeline and plugin-catalog endpoints now return a reduced capability shape (readsBody plus dependency fields only).

• User Interface

  • CLI/TUI updated to reflect streamlined capabilities: removed Writes/After/Claims columns/sections and show body access via ReadsBody.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 757d0c0e-4e9a-462d-9a67-555b80e9ad2f

📥 Commits

Reviewing files that changed from the base of the PR and between a5a91a5 and cb0ccf9.

📒 Files selected for processing (3)

• authbridge/CLAUDE.md
• authbridge/docs/plugin-reference.md
• authbridge/docs/plugin-tutorial.md

💤 Files with no reviewable changes (1)

• authbridge/docs/plugin-tutorial.md

---

📝 Walkthrough

Walkthrough

Removes extension-slot capability fields and deprecated BodyAccess; simplifies PluginCapabilities to ReadsBody/WritesBody/Requires/RequiresAny/Description; pipeline validation, plugins, registry, session API, CLI/TUI, and tests updated; removes unused ClaimAuthorizationHeader constant.

Changes

Plugin Capability Model and Pipeline Validation Refactor

Layer / File(s)	Summary
Core plugin capability contract simplification authbridge/authlib/pipeline/plugin.go	PluginCapabilities struct is reduced to remove Reads, Writes, BodyAccess, After, and Claims; docs updated; Normalize() only promotes WritesBody→ReadsBody.
Pipeline construction and capability validation refactoring authbridge/authlib/pipeline/pipeline.go	Removed WithSlots option and extraSlots from pipeline options; validateCapabilities no longer enforces slot-wiring rules and instead enforces only body-mutation ordering constraints.
Plugin capability declarations update authbridge/authlib/plugins/*	Plugins and stubs now advertise ReadsBody/Description or empty capabilities instead of Writes/BodyAccess/other legacy fields (A2AParser, InferenceParser, JWTValidation, MCPParser, plugintesting).
Plugin registry relationship validation simplification authbridge/authlib/plugins/registry.go	validateRelationships now only validates Requires and RequiresAny; removed After and Claims validation; deep-clone copies Requires/RequiresAny.
Session API and CLI client wire schema reduction authbridge/authlib/sessionapi/server.go, authbridge/authlib/sessionapi/catalog_adapter.go, authbridge/cmd/abctl/apiclient/client.go	API wire structs (CatalogEntry, pipelinePluginView) and CLI client decoding now expose only ReadsBody, Requires, RequiresAny, and Description; removed legacy capability fields from JSON shapes.
TUI and CLI UI adjustments authbridge/cmd/abctl/tui/*	Removed WRITES column and Writes/After/Claims display; dependency indicators use only Requires/RequiresAny; plugin detail and catalog conversions updated.
Test suite updates authbridge/authlib/*, authbridge/cmd/abctl/*	Updated tests to match new capability model: body mutation normalization, capability assertions, registry tests, pipeline tests, listener tests, sessionapi and apiclient tests adjusted; removed tests that covered After/Claims semantics.
Unused claim contract removal authbridge/authlib/contracts/claims.go	Removed ClaimAuthorizationHeader constant; file emptied.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• kagenti/kagenti-extensions#449: Modifies the same capability surface (PluginCapabilities and /v1/pipeline / /v1/plugins wiring).
• kagenti/kagenti-extensions#447: Overlaps on pipeline wire model and TUI plugin rendering changes.
• kagenti/kagenti-extensions#461: Related session API / plugin-catalog wire-model changes.

Suggested reviewers

• cwiklik
• pdettori
• mrsabath

Poem

🐰 I hopped through code at break of day,
Removed old slots and cleared the way,
ReadsBody and Requires now lead the play,
Tests updated—snacks for QA! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: simplifying PluginCapabilities by removing five unused fields (BodyAccess, Reads, Writes, After, Claims), which aligns with the core objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

authbridge/cmd/abctl/apiclient/client_test.go (1)

154-159: ⚡ Quick win

Remove stale writes field from mock JSON.

The mock still includes "writes": ["x"] but the Writes field has been removed from the data model. While Go silently ignores unknown JSON fields so the test passes, this is misleading and should be cleaned up as part of this refactoring.

🧹 Proposed fix

 		_, _ = w.Write([]byte(`{
 			"plugins": [
-				{"name": "alpha", "description": "A plugin", "writes": ["x"]},
+				{"name": "alpha", "description": "A plugin"},
 				{"name": "beta", "requires": ["alpha"]}
 			]
 		}`))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@authbridge/cmd/abctl/apiclient/client_test.go` around lines 154 - 159, The
test's mock JSON in authbridge/cmd/abctl/apiclient/client_test.go still contains
the removed "writes" field; update the mock payload written by the test handler
(the w.Write call that emits the plugins array) to remove `"writes": ["x"]` from
the "alpha" plugin object (and remove any other occurrences of the obsolete
Writes field in that test) so the sample matches the current data model used by
the client tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@authbridge/cmd/abctl/apiclient/client_test.go`:
- Around line 154-159: The test's mock JSON in
authbridge/cmd/abctl/apiclient/client_test.go still contains the removed
"writes" field; update the mock payload written by the test handler (the w.Write
call that emits the plugins array) to remove `"writes": ["x"]` from the "alpha"
plugin object (and remove any other occurrences of the obsolete Writes field in
that test) so the sample matches the current data model used by the client
tests.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 927e9dd9-570a-4fd0-8b01-051b39c0a815

📥 Commits

Reviewing files that changed from the base of the PR and between 01c9601 and a5a91a5.

📒 Files selected for processing (11)

• authbridge/cmd/abctl/apiclient/client.go
• authbridge/cmd/abctl/apiclient/client_test.go
• authbridge/cmd/abctl/edit/validate.go
• authbridge/cmd/abctl/edit/validate_test.go
• authbridge/cmd/abctl/tui/catalog_pane.go
• authbridge/cmd/abctl/tui/catalog_pane_test.go
• authbridge/cmd/abctl/tui/deps.go
• authbridge/cmd/abctl/tui/deps_test.go
• authbridge/cmd/abctl/tui/pipeline_pane.go
• authbridge/cmd/abctl/tui/plugin_detail_pane.go
• authbridge/cmd/abctl/tui/plugin_detail_pane_test.go

💤 Files with no reviewable changes (2)

• authbridge/cmd/abctl/tui/catalog_pane_test.go
• authbridge/cmd/abctl/tui/plugin_detail_pane_test.go

[pdettori]

Clean refactoring — comprehensive removal of 5 unused/deprecated fields from PluginCapabilities (BodyAccess, Reads, Writes, After, Claims). The struct goes from 9 fields to 5, materially reducing the surface a plugin author must understand.

Reviewed: pipeline validation logic, CLI/TUI sync, API wire format, test coverage, documentation updates.

• All 3 commits properly signed-off
• validateCapabilities() remains coherent (body-mutation ordering only)
• Test removals are complete — no stale assertions referencing deleted fields
• CodeRabbit's nit about "writes" in mock JSON is already addressed in the diff
• CI: all checks passing

Assisted-By: Claude Code