FED-M6: revocation + auto-renewal + CRL #465

Open
opened 2026-04-19 22:02:14 +00:00 by jason.woltje (Owner) · 0 comments

Epic: Federation v1 — see docs/federation/PRD.md and docs/federation/MILESTONES.md.

Goal

Grant lifecycle works end-to-end: admin revoke, revoke-on-delete, automatic cert renewal, CRL distribution.

Scope

  • mosaic federation grant revoke <id> → status revoked, CRL updated, audit entry
  • DB hook: deleting a user cascades revoke-on-delete on all grants where that user is subject
  • Step-CA CRL endpoint exposed; serving gateway enforces CRL check on every handshake (cached CRL, 60s refresh)
  • Client-side cert renewal job: at T-7 days, submit renewal CSR; rotate cert atomically; flush cache
  • On renewal failure, peer marked degraded and admin-visible alert emitted
  • Server A detects revocation on next request (TLS handshake fails with specific error) → peer marked revoked

Deliverables

  • apps/gateway/src/federation/server/crl.service.ts + endpoint
  • apps/gateway/src/federation/server/revocation.service.ts
  • DB cascade trigger or ORM hook for user deletion → grant revocation
  • apps/gateway/src/federation/client/renewal.job.ts (scheduled)
  • packages/mosaic/src/commands/federation/grant.ts gains revoke subcommand

Acceptance Tests

  • Admin grant revoke → A's next request fails with TLS-level error
  • Deleting subject user on B auto-revokes all grants where that user was subject
  • CRL endpoint serves correct list; revoked cert present
  • Server rejects cert listed in CRL even if cert time-valid
  • Cert at T-7 days triggers renewal; new cert issued and installed without dropped requests
  • Renewal failure marks peer degraded and surfaces alert
  • A marks peer revoked after revocation-caused handshake failure, NOT on transient network errors

Dependencies

Blocked by FED-M3. Can run in parallel with FED-M5.

Estimated budget

~20K tokens

Risk notes

Atomic cert swap during renewal is the sharpest edge — any in-flight request mid-swap must either complete on old cert or retry on new, never fail mid-call.
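The serving-gateway CRL check from the Scope list above (cached CRL, 60s refresh) together with the two CRL acceptance tests, as an added TypeScript example that is not part of this issue or the mosaic gateway code. `CrlGate`, `CrlFetcher` and `PeerCert` are assumed names; the CRL is modelled as a set of revoked serials and the clock is injected so the refresh window can be observed deterministically.

```typescript
// Assumed names (CrlGate, CrlFetcher, PeerCert): illustration only, not project APIs.
type PeerCert = { serial: string; notBefore: number; notAfter: number }; // times in ms
type CrlFetcher = () => Set<string>; // returns the serials currently on the CA's CRL
const CRL_REFRESH_MS = 60_000; // scope: "cached CRL, 60s refresh"

class CrlGate {
  private revoked = new Set<string>();
  private fetchedAt = -Infinity;

  // `now` is injectable so the refresh window can be exercised deterministically.
  constructor(private fetchCrl: CrlFetcher, private now: () => number = Date.now) {}

  // Re-fetch the CRL only when the cached copy is at least 60 s old.
  private refreshIfStale(): void {
    const t = this.now();
    if (t - this.fetchedAt >= CRL_REFRESH_MS) {
      this.revoked = this.fetchCrl();
      this.fetchedAt = t;
    }
  }

  // Returns the reason the handshake must be rejected, or null if the cert is acceptable.
  check(cert: PeerCert): "not_yet_valid" | "expired" | "revoked" | null {
    this.refreshIfStale();
    const t = this.now();
    if (t < cert.notBefore) return "not_yet_valid";
    if (t > cert.notAfter) return "expired";
    // Validity period is not enough: a time-valid cert listed on the CRL is still rejected.
    if (this.revoked.has(cert.serial)) return "revoked";
    return null;
  }
}

// Constructed scenario: A's cert is revoked 10 s after the gateway cached an empty CRL.
// Until the 60 s refresh elapses the cached list still admits it (the propagation window).
function demoRevocationWindow(): (string | null)[] {
  let clock = 0;
  const liveCrl = new Set<string>();
  const gate = new CrlGate(() => new Set(liveCrl), () => clock);
  const certA: PeerCert = { serial: "0A1B", notBefore: 0, notAfter: 90 * 86_400_000 };
  const results: (string | null)[] = [];
  results.push(gate.check(certA)); // t=0s: CRL fetched, empty -> null
  clock = 10_000;
  liveCrl.add("0A1B"); // admin runs `grant revoke`; CA's CRL now lists A's serial
  results.push(gate.check(certA)); // t=10s: cache still fresh -> null (window)
  clock = 60_000;
  results.push(gate.check(certA)); // t=60s: refreshed -> "revoked"
  return results; // -> [null, null, "revoked"]
}
```

The null at t=10s is the enforcement gap the 60s cache buys; the "A's next request fails" acceptance test should allow for it, or revocation needs to push an invalidation to the gateway cache.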

jason.woltje added this to the Federation v1 milestone 2026-04-19 22:02:14 +00:00

Reference: mosaicstack/stack#465