stack/apps/api/src/federation/guards/index.ts at 449ef39d96f2f81eb1ee59a9c0d30b5d0a4d28d0 - stack - Mosaic Gitea

mosaic/stack

Files

Jason Woltje 004f7828fb

ci/woodpecker/push/woodpecker Pipeline failed

Details

ci/woodpecker/pr/woodpecker Pipeline failed

Details

feat(#273 ): Implement capability-based authorization for federation

Add CapabilityGuard infrastructure to enforce capability-based authorization
on federation endpoints. Implements fail-closed security model.

Security properties:
- Deny by default (no capability = deny)
- Only explicit true values grant access
- Connection must exist and be ACTIVE
- All denials logged for audit trail

Implementation:
- Created CapabilityGuard with fail-closed authorization logic
- Added @RequireCapability decorator for marking endpoints
- Added getConnectionById() to ConnectionService
- Added logCapabilityDenied() to AuditService
- 12 comprehensive tests covering all security scenarios

Quality gates:
- ✅ Tests: 12/12 passing
- ✅ Lint: 0 new errors (33 pre-existing)
- ✅ TypeScript: 0 new errors (8 pre-existing)

Refs #273

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 19:53:09 -06:00

6 lines

74 B

TypeScript

Raw Blame History

 /**
  * Federation Guards Exports
  */
 export * from "./capability.guard";