From 82124c3145ab8803b87915498d9802b6ec3500d8 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Wed, 18 Mar 2026 22:10:48 +0100
Subject: [PATCH] fix: remove RBAC user_roles insert from agent registration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Agents are transient and should not be persisted in the users table.
The assignRoleToUser call caused a FK violation (user_roles → users),
resulting in HTTP 500 on registration. The AGENT role is already
embedded directly in the JWT claims.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../app/controller/AgentRegistrationController.java    | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/AgentRegistrationController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/AgentRegistrationController.java
index f2c579b0..b0d81fd4 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/AgentRegistrationController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/AgentRegistrationController.java
@@ -11,8 +11,6 @@ import com.cameleer3.server.app.security.BootstrapTokenValidator;
 import com.cameleer3.server.core.agent.AgentInfo;
 import com.cameleer3.server.core.agent.AgentRegistryService;
 import com.cameleer3.server.core.agent.AgentState;
-import com.cameleer3.server.core.rbac.RbacService;
-import com.cameleer3.server.core.rbac.SystemRole;
 import com.cameleer3.server.core.security.Ed25519SigningService;
 import com.cameleer3.server.core.security.InvalidTokenException;
 import com.cameleer3.server.core.security.JwtService;
@@ -52,20 +50,17 @@ public class AgentRegistrationController {
     private final BootstrapTokenValidator bootstrapTokenValidator;
     private final JwtService jwtService;
     private final Ed25519SigningService ed25519SigningService;
-    private final RbacService rbacService;
 
     public AgentRegistrationController(AgentRegistryService registryService,
                                         AgentRegistryConfig config,
                                         BootstrapTokenValidator bootstrapTokenValidator,
                                         JwtService jwtService,
-                                        Ed25519SigningService ed25519SigningService,
-                                        RbacService rbacService) {
+                                        Ed25519SigningService ed25519SigningService) {
         this.registryService = registryService;
         this.config = config;
         this.bootstrapTokenValidator = bootstrapTokenValidator;
         this.jwtService = jwtService;
         this.ed25519SigningService = ed25519SigningService;
-        this.rbacService = rbacService;
     }
 
     @PostMapping("/register")
@@ -102,9 +97,6 @@ public class AgentRegistrationController {
                 request.agentId(), request.name(), group, request.version(), routeIds, capabilities);
         log.info("Agent registered: {} (name={}, group={})", request.agentId(), request.name(), group);
 
-        // Assign AGENT role via RBAC
-        rbacService.assignRoleToUser(request.agentId(), SystemRole.AGENT_ID);
-
         // Issue JWT tokens with AGENT role
         List<String> roles = List.of("AGENT");
         String accessToken = jwtService.createAccessToken(request.agentId(), group, roles);