FED-M4: search verb + audit log + rate limit #463

New Issue

Open

opened 2026-04-19 22:02:07 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-04-19 22:02:07 +00:00

Owner

Copy Link

Epic: Federation v1 — see docs/federation/PRD.md and docs/federation/MILESTONES.md.

Goal

Keyword search over allowed resources with full audit and per-grant rate limiting.

Scope

• search verb across resources allowlist (intersection of scope + native RBAC)
• Keyword search only (pgvector search deferred to post-v1)
• Every federated request writes to federation_audit_log: grant_id, verb, resource, query_hash, outcome, bytes_out, latency_ms
• No request body captured; query_hash = SHA-256 of normalized query
• Token-bucket rate limit per grant (default 60/min, override per grant)
• 429 response with Retry-After and structured body
• 90-day hot retention; cold rollover deferred to FED-M7

Deliverables

• apps/gateway/src/federation/server/verbs/search.controller.ts
• apps/gateway/src/federation/server/audit.service.ts (async, non-blocking)
• apps/gateway/src/federation/server/rate-limit.guard.ts

Acceptance Tests

• search returns ranked hits only from allowed resources
• search excluding credentials returns no credential hits even when keyword matches
• Every successful request appears in federation_audit_log within 1s
• Denied request (403) also audited with outcome='denied'
• Audit row stores query hash, NOT query body
• 61st request in 60s window returns 429 with Retry-After
• Per-grant override (e.g., 600/min) takes effect without restart
• Audit writes are async: request latency unchanged when audit write slow

Dependencies

Blocked by FED-M3.

Estimated budget

~20K tokens

Risk notes

Audit writes must not block request path. Use bounded queue with drop-with-counter pattern, not in-line writes.

**Epic:** Federation v1 — see `docs/federation/PRD.md` and `docs/federation/MILESTONES.md`. ## Goal Keyword search over allowed resources with full audit and per-grant rate limiting. ## Scope - `search` verb across `resources` allowlist (intersection of scope + native RBAC) - Keyword search only (pgvector search deferred to post-v1) - Every federated request writes to `federation_audit_log`: `grant_id`, `verb`, `resource`, `query_hash`, `outcome`, `bytes_out`, `latency_ms` - No request body captured; `query_hash` = SHA-256 of normalized query - Token-bucket rate limit per grant (default 60/min, override per grant) - 429 response with `Retry-After` and structured body - 90-day hot retention; cold rollover deferred to FED-M7 ## Deliverables - `apps/gateway/src/federation/server/verbs/search.controller.ts` - `apps/gateway/src/federation/server/audit.service.ts` (async, non-blocking) - `apps/gateway/src/federation/server/rate-limit.guard.ts` ## Acceptance Tests - [ ] `search` returns ranked hits only from allowed resources - [ ] `search` excluding `credentials` returns no credential hits even when keyword matches - [ ] Every successful request appears in `federation_audit_log` within 1s - [ ] Denied request (403) also audited with `outcome='denied'` - [ ] Audit row stores query hash, NOT query body - [ ] 61st request in 60s window returns 429 with `Retry-After` - [ ] Per-grant override (e.g., 600/min) takes effect without restart - [ ] Audit writes are async: request latency unchanged when audit write slow ## Dependencies Blocked by **FED-M3**. ## Estimated budget ~20K tokens ## Risk notes Audit writes must not block request path. Use bounded queue with drop-with-counter pattern, not in-line writes.

jason.woltje added this to the Federation v1 milestone 2026-04-19 22:02:07 +00:00

jason.woltje referenced this issue from a commit 2026-04-19 22:05:16 +00:00

docs(federation): PRD, milestones, mission manifest, and M1 task breakdown

jason.woltje referenced this issue 2026-04-19 22:05:31 +00:00

docs(federation): PRD, milestones, mission manifest, and M1 task breakdown #467

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/federation-m1-doctor

feat/federation-m1-migrate

feat/federation-m1-detector

feat/federation-m1-pgvector

feat/federation-m1-compose

feat/federation-m1-tier-config

docs/mvp-mission-manifest

docs/federation-planning

release/mosaic-v0.0.29

fix/installer-idempotent-creds

feat/framework-superpowers-enforcement

feat/install-ux-intent

feat/install-ux-polish

docs/iuv-m01-complete

fix/build-vitest-allowdefault

fix/bootstrap-hotfix

docs/install-ux-v2-scaffold

release/mosaic-v0.0.25

docs/iuh-mission-complete

feat/unified-first-run

docs/iuh-m02-complete

feat/wizard-remediation

feat/mosaic-macp-cli

fix/gateway-token-recovery-review

feat/mosaic-auth-cli

feat/mosaic-forge-cli-v2

feat/mosaic-storage-cli

feat/mosaic-memory-cli

feat/gateway-token-recovery

feat/mosaic-forge-cli

feat/mosaic-config-command

feat/mosaic-queue-cli

feat/mosaic-brain-cli

feat/mosaic-help-alphabetize

docs/gateway-token-recovery-plan

chore/bump-mosaic-0.0.21

fix/populate-known-packages-list

fix/publish-loud-errors

fix/gitea-org-rename

fix/gateway-install-ux

fix/rename-mosaic-scope-391

fix/db-memory-queue-publish-drift

fix/updater-wrapper-gitea-387

fix/config-package-version-drift

fix/updater-mosaic-package-382

fix/merge-cli-into-mosaic

fix/metapackage-cli-dep

chore/bump-cli-mosaic-0.0.16

fix/gateway-deprecation-warnings

fix/gateway-install-prefix-eacces

chore/gateway-default-port-14242

fix/gateway-scoped-registry

fix/gateway-install-registry

chore/bump-0.0.11

feat/gateway-local-tier

feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3

fix/pnpm-build-scripts

fix/storage-sqlite-ci

feat/storage-abstraction

fix/idempotent-init

fed-v0.1.0-m1

mosaic-v0.0.29

mosaic-v0.0.28

mosaic-v0.0.27

mosaic-v0.0.26

mosaic-v0.0.25

mosaic-v0.0.24

v0.2.0

v0.1.0

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

Labels

No items

No Label

Milestone

No items

No Milestone Federation v1

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#463