Context
As Tier 2 services build out, every service needs to verify caller permissions via identity's CheckPermission RPC. Rather than each service implementing this independently, service-runtime should provide a shared ConnectRPC interceptor.
Requirements
PermissionInterceptor that extracts caller identity from request metadata
Calls the CheckPermission RPC with the caller, resource, and action
Per-method permission annotation as a proto option (e.g. require: "meter:budget:write")
Rejects unauthorized calls (permission_denied with a descriptive message)
Why in service-runtime
This is cross-cutting infrastructure. Implementing it once in the shared runtime means all 20+ services get consistent permission enforcement with a one-line interceptor registration.
Dependencies
evalops/identity — CheckPermission RPC must exist first
evalops/proto — permission annotation proto options
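The decision logic such an interceptor has to get right, written out as an added example; this is not code from service-runtime or any evalops repository. It uses only the Go standard library so it runs offline: the PermissionChecker interface, the staticChecker grant table, the X-Caller-Subject metadata key, the /demo.MeterService/SetBudget procedure and the "resource:...:action" reading of the permission string are all assumptions of the example. In the real interceptor, Authorize would be called from a connect.Interceptor's WrapUnary with req.Spec().Procedure and req.Header(), and the RPCError values would be connect.NewError with the matching connect code.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// PermissionChecker is the slice of identity's CheckPermission RPC the interceptor needs
// (the generated ConnectRPC client in service-runtime; an interface here so the example runs offline).
type PermissionChecker interface {
	CheckPermission(ctx context.Context, caller, resource, action string) (bool, error)
}

// Code and RPCError stand in for Connect's error codes and connect.NewError.
type Code string

const (
	CodeUnauthenticated  Code = "unauthenticated"
	CodePermissionDenied Code = "permission_denied"
	CodeInternal         Code = "internal"
)

type RPCError struct {
	Code Code
	Msg  string
}

func (e *RPCError) Error() string { return string(e.Code) + ": " + e.Msg }

// PermissionInterceptor enforces one required permission per procedure. A permission string is
// assumed to read "resource:...:action", so "meter:budget:write" is resource "meter:budget",
// action "write"; the issue shows only that one literal.
type PermissionInterceptor struct {
	checker      PermissionChecker
	required     map[string]string // procedure -> permission; stands in for the proto method option
	callerHeader string            // metadata key an upstream authentication layer is assumed to set
}

// Authorize is the decision taken before the handler runs; in a connect.Interceptor it is called
// from WrapUnary with req.Spec().Procedure and req.Header(). Every ambiguous case denies.
func (pi *PermissionInterceptor) Authorize(ctx context.Context, procedure string, md map[string]string) error {
	perm, ok := pi.required[procedure]
	if !ok { // no annotation: refuse rather than leave the method silently open
		return &RPCError{CodePermissionDenied, procedure + " has no permission annotation"}
	}
	caller := strings.TrimSpace(md[pi.callerHeader])
	if caller == "" {
		return &RPCError{CodeUnauthenticated, "missing caller identity in request metadata"}
	}
	i := strings.LastIndex(perm, ":")
	if i <= 0 || i == len(perm)-1 {
		return &RPCError{CodeInternal, fmt.Sprintf("malformed permission %q on %s", perm, procedure)}
	}
	resource, action := perm[:i], perm[i+1:]
	allowed, err := pi.checker.CheckPermission(ctx, caller, resource, action)
	if err != nil { // identity unreachable: deny, and do not echo the transport error to the caller
		return &RPCError{CodeInternal, "permission check unavailable"}
	}
	if !allowed {
		return &RPCError{CodePermissionDenied,
			fmt.Sprintf("%s may not %s %s (required by %s)", caller, action, resource, procedure)}
	}
	return nil
}

// staticChecker is a constructed stand-in for identity: a grant table plus one caller whose
// checks error out, so the failure path can be exercised offline.
type staticChecker struct {
	grants  map[string]bool
	failFor string
}

func (s staticChecker) CheckPermission(_ context.Context, caller, resource, action string) (bool, error) {
	if caller == s.failFor {
		return false, fmt.Errorf("identity: connection refused")
	}
	return s.grants[caller+"|"+resource+"|"+action], nil
}

// NewDemoInterceptor wires the interceptor with constructed names (not real evalops services).
func NewDemoInterceptor() *PermissionInterceptor {
	return &PermissionInterceptor{
		checker:      staticChecker{grants: map[string]bool{"svc-billing|meter:budget|write": true}, failFor: "svc-flaky"},
		required:     map[string]string{"/demo.MeterService/SetBudget": "meter:budget:write"},
		callerHeader: "X-Caller-Subject",
	}
}

func main() {
	pi := NewDemoInterceptor()
	for _, caller := range []string{"svc-billing", "svc-readonly", "svc-flaky", ""} {
		err := pi.Authorize(context.Background(), "/demo.MeterService/SetBudget",
			map[string]string{"X-Caller-Subject": caller})
		fmt.Printf("caller=%q -> %v\n", caller, err)
	}
}
```

Two caveats worth carrying into the real implementation. First, the interceptor fails closed on every path that is not a clear allow: a method with no annotation, a request with no caller identity, a malformed annotation, and an identity outage all deny, and the identity error text stays out of the response. Second, the caller identity header must be populated by the runtime's authentication layer after it has verified the credential, and must not be accepted from the wire; otherwise CheckPermission is asked about whatever subject the client chose to claim.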