feat: consider access-control gating for cost_incurred activity events #839

@Aureliolo

Description

Context

The cost_incurred activity event exposes model names, token counts, and per-call USD costs in its description field. This data is visible to all users with OBSERVER role or above via GET /api/v1/activities.

Question

Should cost/financial data be gated behind a higher role (e.g., MANAGER/CEO) rather than OBSERVER? This is a design decision, not a code bug.

Options

  1. Gate cost_incurred events behind require_write_access (manager/CEO only)
  2. Strip model name and exact cost from descriptions for observer-role users
  3. Keep current behavior and document that cost data is visible to observers

Source

Found during PR #832 review (security-reviewer agent).
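As an added illustration of options 1 and 2 (not code from the issue author or the project): a small Python sketch of how the activities response could be gated or redacted by role before it reaches the caller, together with a regression check that scans what is returned for leaked token counts or USD amounts. The role ordering OBSERVER < MANAGER < CEO, the meaning of `require_write_access` as "MANAGER or above", the event shape (`type` and `description` keys) and the sample events are all assumptions made for this example.

```python
"""Role-based gating/redaction of cost_incurred activity events.

Added example, not the project's own code. Assumed, not taken from the project:
- roles are ordered OBSERVER < MANAGER < CEO;
- require_write_access means MANAGER or above;
- an activity event is a dict with "id", "type" and "description" keys.
"""
import re
from enum import IntEnum


class Role(IntEnum):
    OBSERVER = 1
    MANAGER = 2
    CEO = 3


def require_write_access(role: Role) -> bool:
    # Assumed semantics: manager and CEO have write access, observer does not.
    return role >= Role.MANAGER


# Constructed sample payload standing in for GET /api/v1/activities.
SAMPLE_EVENTS = [
    {"id": 1, "type": "cost_incurred",
     "description": "example-model: 1200 input / 300 output tokens, cost $0.0123"},
    {"id": 2, "type": "task_completed",
     "description": "Task 'draft report' completed"},
    {"id": 3, "type": "cost_incurred",
     "description": "example-model-mini: 400 input / 80 output tokens, cost $0.0007"},
]

# What we consider a leak in a description: a USD amount or a token count.
COST_PATTERN = re.compile(r"\$\d+(?:\.\d+)?|\btokens?\b")

REDACTED_DESCRIPTION = (
    "LLM call completed (cost details restricted to manager role and above)"
)


def gate_cost_events(events, role):
    """Option 1: observers do not receive cost_incurred events at all."""
    if require_write_access(role):
        return [dict(e) for e in events]
    return [dict(e) for e in events if e["type"] != "cost_incurred"]


def redact_cost_events(events, role):
    """Option 2: observers see that a call happened, but model name, token
    counts and exact cost are replaced by a fixed description."""
    if require_write_access(role):
        return [dict(e) for e in events]
    return [
        {**e, "description": REDACTED_DESCRIPTION}
        if e["type"] == "cost_incurred" else dict(e)
        for e in events
    ]


def find_cost_leaks(events):
    """Regression check for a test suite: ids of events whose description
    still carries a token count or a USD amount."""
    return [e["id"] for e in events if COST_PATTERN.search(e["description"])]


if __name__ == "__main__":
    for role in Role:
        visible = redact_cost_events(SAMPLE_EVENTS, role)
        print(role.name, "sees", len(visible), "events; leaks:",
              find_cost_leaks(visible))
```

Both filters copy the events rather than mutating the stored records, so the same in-memory list can be served to callers of different roles; `find_cost_leaks` is the kind of assertion a test for the endpoint would run against the observer-role response so that a future event type does not reintroduce the exposure.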

Metadata

Labels

  - prio:low (Nice to have, can defer)
  - scope:small (Less than 1 day of work)
  - spec:api
  - spec:security (DESIGN_SPEC Section 12 - Security & Approval System)
  - type:feature (New feature implementation)
  - v0.5 (Minor version v0.5)
  - v0.5.3 (Patch release v0.5.3)
