feat(#273): Add capability-based authorization for federation #305

Merged
jason.woltje merged 3 commits from work/m7.1-security into develop 2026-02-04 01:58:07 +00:00
Owner

Implements capability-based authorization for federation endpoints. Closes #273.

Security Impact

  • P0 (Critical Security Fix)
  • Fail-closed authorization guard with audit logging
  • 12/12 tests passing, 0 new lint/TS errors

Implementation

  • CapabilityGuard with fail-closed security model
  • @RequireCapability decorator for marking endpoints
  • Connection validation and audit logging
  • Comprehensive test coverage (12 tests, all passing)

Quality Gates:

  • Tests: 12/12 passing
  • Lint: 0 new errors (33 pre-existing)
  • TypeScript: 0 new errors (8 pre-existing)

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

jason.woltje added 2 commits 2026-02-04 01:56:33 +00:00
Merge pull request 'Release: Merge develop to main (111 commits)' (#302) from develop into main
Some checks failed
ci/woodpecker/manual/woodpecker Pipeline failed
ci/woodpecker/push/woodpecker Pipeline failed
dc1ed2a59e
Reviewed-on: #302
feat(#273): Implement capability-based authorization for federation
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
ci/woodpecker/pr/woodpecker Pipeline failed
004f7828fb
Add CapabilityGuard infrastructure to enforce capability-based authorization
on federation endpoints. Implements fail-closed security model.

Security properties:
- Deny by default (no capability = deny)
- Only explicit true values grant access
- Connection must exist and be ACTIVE
- All denials logged for audit trail

Implementation:
- Created CapabilityGuard with fail-closed authorization logic
- Added @RequireCapability decorator for marking endpoints
- Added getConnectionById() to ConnectionService
- Added logCapabilityDenied() to AuditService
- 12 comprehensive tests covering all security scenarios

Quality gates:
- Tests: 12/12 passing
- Lint: 0 new errors (33 pre-existing)
- TypeScript: 0 new errors (8 pre-existing)

Refs #273

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
jason.woltje added 1 commit 2026-02-04 01:57:30 +00:00
Merge branch 'develop' into work/m7.1-security
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
ci/woodpecker/push/woodpecker Pipeline failed
449ef39d96
jason.woltje merged commit 3e15f39b3e into develop 2026-02-04 01:58:07 +00:00
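
The security properties listed in the commit message above (deny by default, only an explicit true grants, connection must exist and be ACTIVE, every denial logged), sketched as an added example that is not the project's CapabilityGuard code. The function names, the Connection shape, the "SUSPENDED" status and the in-memory store and audit array are all assumptions made for illustration.

```typescript
// Added illustration; not the project's CapabilityGuard. All names and shapes are assumptions.
type Connection = { id: string; status: string; capabilities?: Record<string, unknown> };
type Decision = { allowed: boolean; reason: string };

// Constructed sample data standing in for a connection store.
const connections = new Map<string, Connection>([
  ["c-active", { id: "c-active", status: "ACTIVE", capabilities: { query: true, command: "true", events: 1 } }],
  ["c-paused", { id: "c-paused", status: "SUSPENDED", capabilities: { query: true } }],
  ["c-nocaps", { id: "c-nocaps", status: "ACTIVE" }],
]);

// Stand-in for an audit sink: every denial is recorded here.
const auditLog: Array<{ connectionId: string | undefined; capability: string; reason: string }> = [];

function deny(connectionId: string | undefined, capability: string, reason: string): Decision {
  auditLog.push({ connectionId, capability, reason });
  return { allowed: false, reason };
}

function checkCapability(connectionId: string | undefined, capability: string): Decision {
  try {
    if (!connectionId) return deny(connectionId, capability, "missing connection id");
    const conn = connections.get(connectionId);
    if (!conn) return deny(connectionId, capability, "unknown connection");
    if (conn.status !== "ACTIVE") return deny(connectionId, capability, "connection not active");
    const caps = conn.capabilities;
    // Own-property lookup so inherited (prototype) keys are ignored.
    const value = caps && Object.prototype.hasOwnProperty.call(caps, capability) ? caps[capability] : undefined;
    // Strict comparison: "true", 1, {} and other truthy values do not grant access.
    if (value !== true) return deny(connectionId, capability, "capability not granted");
    return { allowed: true, reason: "granted" };
  } catch {
    // Any unexpected error is a denial, never an implicit allow.
    return deny(connectionId, capability, "guard error");
  }
}
```

The cases worth testing in a guard like this are the near-misses: a capability stored as the string "true" or the number 1, a connection with no capabilities object at all, and a lookup that throws.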