feat(#273): Add capability-based authorization for federation #305

Merged

jason.woltje merged 3 commits from work/m7.1-security into develop

2026-02-04 01:58:07 +00:00

Author	SHA1	Message	Date
jason.woltje	449ef39d96	Merge branch 'develop' into work/m7.1-security Some checks failed ci/woodpecker/pr/woodpecker Pipeline failed Details ci/woodpecker/push/woodpecker Pipeline failed Details	2026-02-04 01:57:27 +00:00
Jason Woltje	004f7828fb	feat(#273 ): Implement capability-based authorization for federation Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details ci/woodpecker/pr/woodpecker Pipeline failed Details Add CapabilityGuard infrastructure to enforce capability-based authorization on federation endpoints. Implements fail-closed security model. Security properties: - Deny by default (no capability = deny) - Only explicit true values grant access - Connection must exist and be ACTIVE - All denials logged for audit trail Implementation: - Created CapabilityGuard with fail-closed authorization logic - Added @RequireCapability decorator for marking endpoints - Added getConnectionById() to ConnectionService - Added logCapabilityDenied() to AuditService - 12 comprehensive tests covering all security scenarios Quality gates: - ✅ Tests: 12/12 passing - ✅ Lint: 0 new errors (33 pre-existing) - ✅ TypeScript: 0 new errors (8 pre-existing) Refs #273 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-03 19:53:09 -06:00
jason.woltje	dc1ed2a59e	Merge pull request 'Release: Merge develop to main (111 commits)' (#302 ) from develop into main Some checks failed ci/woodpecker/manual/woodpecker Pipeline failed Details ci/woodpecker/push/woodpecker Pipeline failed Details Reviewed-on: #302	2026-02-04 01:37:24 +00:00

Author

SHA1

Message

Date

jason.woltje

449ef39d96

Merge branch 'develop' into work/m7.1-security

ci/woodpecker/pr/woodpecker Pipeline failed

Details

ci/woodpecker/push/woodpecker Pipeline failed

Details

2026-02-04 01:57:27 +00:00

Jason Woltje

004f7828fb

feat(#273 ): Implement capability-based authorization for federation

ci/woodpecker/push/woodpecker Pipeline failed

Details

ci/woodpecker/pr/woodpecker Pipeline failed

Details

Add CapabilityGuard infrastructure to enforce capability-based authorization
on federation endpoints. Implements fail-closed security model.

Security properties:
- Deny by default (no capability = deny)
- Only explicit true values grant access
- Connection must exist and be ACTIVE
- All denials logged for audit trail

Implementation:
- Created CapabilityGuard with fail-closed authorization logic
- Added @RequireCapability decorator for marking endpoints
- Added getConnectionById() to ConnectionService
- Added logCapabilityDenied() to AuditService
- 12 comprehensive tests covering all security scenarios

Quality gates:
- ✅ Tests: 12/12 passing
- ✅ Lint: 0 new errors (33 pre-existing)
- ✅ TypeScript: 0 new errors (8 pre-existing)

Refs #273

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 19:53:09 -06:00

jason.woltje

dc1ed2a59e

Merge pull request 'Release: Merge develop to main (111 commits)' (#302 ) from develop into main

ci/woodpecker/manual/woodpecker Pipeline failed

Details

ci/woodpecker/push/woodpecker Pipeline failed

Details

Reviewed-on: #302

2026-02-04 01:37:24 +00:00

feat(#273): Add capability-based authorization for federation #305

3 Commits