FED-M3: mTLS handshake + list/get + scope enforcement #462

New Issue

Open

opened 2026-04-19 22:02:04 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-04-19 22:02:04 +00:00

Owner

Copy Link

Epic: Federation v1 — see docs/federation/PRD.md and docs/federation/MILESTONES.md.

Goal

Two federated gateways exchange real data over mTLS with scope intersecting native RBAC. This is the critical trust boundary.

Scope

• FederationClient (outbound): picks cert from federation_peers, mTLS call
• FederationServer (inbound): NestJS guard validates client cert, extracts grantId + subjectUserId, loads grant
• Scope enforcement pipeline:
  1. Resource allowlist / excluded-list check
  2. Native RBAC evaluation as the subjectUserId
  3. Scope filter intersection (include_teams, include_personal)
  4. max_rows_per_query cap
• Verbs: list, get, capabilities
• Gateway query layer: source: "local" | "federated:<host>" | "all"; fan-out + merge for "all"
• Federation E2E harness (tools/federation-harness/): docker-compose.two-gateways.yml, seed script, assertion helpers

Deliverables

• apps/gateway/src/federation/client/federation-client.service.ts
• apps/gateway/src/federation/server/federation-auth.guard.ts
• apps/gateway/src/federation/server/scope.service.ts
• apps/gateway/src/federation/server/verbs/{list,get,capabilities}.controller.ts
• apps/gateway/src/federation/client/query-source.service.ts (fan-out/merge)
• tools/federation-harness/ (compose + seed + test helpers)
• packages/types — federation.dto.ts

Acceptance Tests

• A→B list tasks returns subjectUser's tasks intersected with scope
• A→B list tasks with include_teams: [T1] excludes T2 tasks the user owns
• A→B get credential <id> returns 403 when credentials in excluded_resources
• Client with cert for grant X cannot query subjectUser of grant Y (cross-user isolation)
• Cert signed by untrusted CA rejected at TLS layer (no NestJS handler reached)
• Malformed SAN OIDs → 401; cert valid but grant revoked in DB → 403
• max_rows_per_query caps response; further results paginated
• source: "all" fan-out merges local + federated results, each tagged with _source
• Federation responses never persist: DB row count unchanged after list round-trip
• Scope cannot grant more than native RBAC: user without access to team T still gets [] even if scope allows T

Dependencies

Blocked by FED-M2.

Estimated budget

~40K tokens — largest milestone, most complex logic

Risk notes

Critical trust boundary. Code review must focus on scope-enforcement bypass and cert-SAN-spoofing paths. Every 403/401 path needs a test.

**Epic:** Federation v1 — see `docs/federation/PRD.md` and `docs/federation/MILESTONES.md`. ## Goal Two federated gateways exchange real data over mTLS with scope intersecting native RBAC. This is the critical trust boundary. ## Scope - `FederationClient` (outbound): picks cert from `federation_peers`, mTLS call - `FederationServer` (inbound): NestJS guard validates client cert, extracts `grantId` + `subjectUserId`, loads grant - Scope enforcement pipeline: 1. Resource allowlist / excluded-list check 2. Native RBAC evaluation as the `subjectUserId` 3. Scope filter intersection (`include_teams`, `include_personal`) 4. `max_rows_per_query` cap - Verbs: `list`, `get`, `capabilities` - Gateway query layer: `source: "local" | "federated:<host>" | "all"`; fan-out + merge for `"all"` - **Federation E2E harness** (`tools/federation-harness/`): docker-compose.two-gateways.yml, seed script, assertion helpers ## Deliverables - `apps/gateway/src/federation/client/federation-client.service.ts` - `apps/gateway/src/federation/server/federation-auth.guard.ts` - `apps/gateway/src/federation/server/scope.service.ts` - `apps/gateway/src/federation/server/verbs/{list,get,capabilities}.controller.ts` - `apps/gateway/src/federation/client/query-source.service.ts` (fan-out/merge) - `tools/federation-harness/` (compose + seed + test helpers) - `packages/types` — `federation.dto.ts` ## Acceptance Tests - [ ] A→B `list tasks` returns subjectUser's tasks intersected with scope - [ ] A→B `list tasks` with `include_teams: [T1]` excludes T2 tasks the user owns - [ ] A→B `get credential <id>` returns 403 when `credentials` in `excluded_resources` - [ ] Client with cert for grant X cannot query subjectUser of grant Y (cross-user isolation) - [ ] Cert signed by untrusted CA rejected at TLS layer (no NestJS handler reached) - [ ] Malformed SAN OIDs → 401; cert valid but grant revoked in DB → 403 - [ ] `max_rows_per_query` caps response; further results paginated - [ ] `source: "all"` fan-out merges local + federated results, each tagged with `_source` - [ ] Federation responses never persist: DB row count unchanged after `list` round-trip - [ ] Scope cannot grant more than native RBAC: user without access to team T still gets [] even if scope allows T ## Dependencies Blocked by **FED-M2**. ## Estimated budget ~40K tokens — largest milestone, most complex logic ## Risk notes Critical trust boundary. Code review must focus on scope-enforcement bypass and cert-SAN-spoofing paths. Every 403/401 path needs a test.

jason.woltje added this to the Federation v1 milestone 2026-04-19 22:02:04 +00:00

jason.woltje referenced this issue from a commit 2026-04-19 22:05:16 +00:00

docs(federation): PRD, milestones, mission manifest, and M1 task breakdown

jason.woltje referenced this issue 2026-04-19 22:05:31 +00:00

docs(federation): PRD, milestones, mission manifest, and M1 task breakdown #467

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/federation-m1-doctor

feat/federation-m1-migrate

feat/federation-m1-detector

feat/federation-m1-pgvector

feat/federation-m1-compose

feat/federation-m1-tier-config

docs/mvp-mission-manifest

docs/federation-planning

release/mosaic-v0.0.29

fix/installer-idempotent-creds

feat/framework-superpowers-enforcement

feat/install-ux-intent

feat/install-ux-polish

docs/iuv-m01-complete

fix/build-vitest-allowdefault

fix/bootstrap-hotfix

docs/install-ux-v2-scaffold

release/mosaic-v0.0.25

docs/iuh-mission-complete

feat/unified-first-run

docs/iuh-m02-complete

feat/wizard-remediation

feat/mosaic-macp-cli

fix/gateway-token-recovery-review

feat/mosaic-auth-cli

feat/mosaic-forge-cli-v2

feat/mosaic-storage-cli

feat/mosaic-memory-cli

feat/gateway-token-recovery

feat/mosaic-forge-cli

feat/mosaic-config-command

feat/mosaic-queue-cli

feat/mosaic-brain-cli

feat/mosaic-help-alphabetize

docs/gateway-token-recovery-plan

chore/bump-mosaic-0.0.21

fix/populate-known-packages-list

fix/publish-loud-errors

fix/gitea-org-rename

fix/gateway-install-ux

fix/rename-mosaic-scope-391

fix/db-memory-queue-publish-drift

fix/updater-wrapper-gitea-387

fix/config-package-version-drift

fix/updater-mosaic-package-382

fix/merge-cli-into-mosaic

fix/metapackage-cli-dep

chore/bump-cli-mosaic-0.0.16

fix/gateway-deprecation-warnings

fix/gateway-install-prefix-eacces

chore/gateway-default-port-14242

fix/gateway-scoped-registry

fix/gateway-install-registry

chore/bump-0.0.11

feat/gateway-local-tier

feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3

fix/pnpm-build-scripts

fix/storage-sqlite-ci

feat/storage-abstraction

fix/idempotent-init

fed-v0.1.0-m1

mosaic-v0.0.29

mosaic-v0.0.28

mosaic-v0.0.27

mosaic-v0.0.26

mosaic-v0.0.25

mosaic-v0.0.24

v0.2.0

v0.1.0

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

Labels

No items

No Label

Milestone

No items

No Milestone Federation v1

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#462