FED-M7: multi-user RBAC hardening + acceptance suite #466

Open
opened 2026-04-19 22:02:17 +00:00 by jason.woltje · 0 comments
Owner

Epic: Federation v1 — see docs/federation/PRD.md and docs/federation/MILESTONES.md.

Goal

Full multi-tenant scenario from PRD §4 works end-to-end with no cross-user leakage under any circumstance.

Scope

  • Three-user scenario on Server B (E1, E2, E3), each with their own Server A
  • Team-scoped grants: each employee's team-data visible on their own A; E1's personal data never visible on E2's A
  • User-facing UI on both gateways: peer list, grant list, audit log viewer, scope editor
  • Negative-path test matrix (every denial path from PRD §8)
  • All PRD §15 acceptance criteria mapped to automated tests
  • Security review: cert-spoofing, scope-bypass, audit-bypass paths explicitly tested
  • Cold-storage rollover for audit log >90 days
  • Docs: runbook, onboarding guide, troubleshooting guide

Deliverables

  • Full acceptance suite in tools/federation-harness/acceptance/
  • apps/web surfaces for peer/grant/audit management
  • docs/federation/RUNBOOK.md, ONBOARDING.md, TROUBLESHOOTING.md
  • Audit cold-tier job (daily cron)

Acceptance Tests

All PRD §15 criteria automated and green. Plus:

  • 3-employee scenario: each A sees only its user's data from B
  • Team-scoped grant returns team data; same grant denied access to another employee's personal data
  • Concurrent sessions from E1's and E2's Server A to B interleave without leakage
  • Audit log across 3-user test shows per-grant trails with no mis-attributed rows
  • Scope editor UI round-trip: edit → save → next request uses new scope
  • Attempt to use revoked grant's cert against different grant's endpoint: rejected
  • 90-day-old audit rows moved to cold tier; queryable via explicit historical query
  • Runbook steps validated: operator (not author) can onboard, rotate, revoke
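The denial paths listed above (cross-user personal data, wrong team, revoked grant, one grant's cert presented against another grant's endpoint) can be modelled as a single default-deny decision function with a test matrix over it. The block below is an added example written for this ticket, not code from the mosaicstack repository or from the federation harness; the `Grant`/`Request`/`Gateway` names, the `team:read`/`personal:read` scope strings and the three-employee scenario are all constructed assumptions. It also shows the audit property in the list: every decision, allowed or denied, lands in exactly one audit row keyed by grant id.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed toy model of the FED-M7 grant check. Names and scope strings are
# assumptions for illustration, not the project's API.


@dataclass(frozen=True)
class Grant:
    grant_id: str
    employee: str            # Server B user the grant was issued to (E1/E2/E3)
    team: str                # team whose shared data this grant may read
    cert_fingerprint: str    # SHA-256 of the Server A peer cert it is bound to
    scopes: FrozenSet[str]   # e.g. {"team:read"} or {"team:read", "personal:read"}
    revoked: bool = False


@dataclass(frozen=True)
class Request:
    grant_id: str
    cert_fingerprint: str    # fingerprint of the cert presented on this connection
    owner: str               # employee who owns the requested record
    team: str                # team the record belongs to
    kind: str                # "team" or "personal"


@dataclass(frozen=True)
class AuditRow:
    grant_id: str
    cert_fingerprint: str
    allowed: bool
    reason: str


def fingerprint(cert_pem: bytes) -> str:
    return hashlib.sha256(cert_pem).hexdigest()


class Gateway:
    """Server B's decision point: every request produces exactly one audit row."""

    def __init__(self, grants: List[Grant]) -> None:
        self.grants: Dict[str, Grant] = {g.grant_id: g for g in grants}
        self.audit: List[AuditRow] = []

    def authorize(self, req: Request) -> Tuple[bool, str]:
        allowed, reason = self._decide(req)
        # The audit write sits on the same path as the decision, so no denial skips it.
        self.audit.append(AuditRow(req.grant_id, req.cert_fingerprint, allowed, reason))
        return allowed, reason

    def _decide(self, req: Request) -> Tuple[bool, str]:
        g = self.grants.get(req.grant_id)
        if g is None:
            return False, "unknown-grant"
        if g.revoked:
            return False, "revoked"
        # The grant is bound to one cert: a cert belonging to a different grant
        # is rejected here even if that other grant is itself still valid.
        if not hmac.compare_digest(g.cert_fingerprint, req.cert_fingerprint):
            return False, "cert-mismatch"
        if req.kind == "team":
            if req.team != g.team:
                return False, "team-mismatch"
            if "team:read" not in g.scopes:
                return False, "scope-missing"
            return True, "ok"
        if req.kind == "personal":
            # Personal records are readable only through their owner's own grant.
            if req.owner != g.employee:
                return False, "cross-user"
            if "personal:read" not in g.scopes:
                return False, "scope-missing"
            return True, "ok"
        return False, "unknown-kind"   # default deny


def build_scenario() -> Gateway:
    """E1 and E2 share team 'ops', E3 is on 'dev'; E3's grant has been revoked."""
    certs = {e: fingerprint(f"-----BEGIN CERTIFICATE-----\n{e}-constructed\n".encode())
             for e in ("E1", "E2", "E3")}
    grants = [
        Grant("g-e1", "E1", "ops", certs["E1"], frozenset({"team:read", "personal:read"})),
        Grant("g-e2", "E2", "ops", certs["E2"], frozenset({"team:read"})),
        Grant("g-e3", "E3", "dev", certs["E3"], frozenset({"team:read"}), revoked=True),
    ]
    return Gateway(grants)


def run_matrix(gw: Gateway) -> Dict[str, str]:
    """Positive paths plus one request per denial path; returns case name -> reason."""
    fp = {g.employee: g.cert_fingerprint for g in gw.grants.values()}
    cases = {
        "e1_team_data": Request("g-e1", fp["E1"], "E2", "ops", "team"),
        "e1_own_personal": Request("g-e1", fp["E1"], "E1", "ops", "personal"),
        "e2_reads_e1_personal": Request("g-e2", fp["E2"], "E1", "ops", "personal"),
        "e2_personal_no_scope": Request("g-e2", fp["E2"], "E2", "ops", "personal"),
        "e1_other_team": Request("g-e1", fp["E1"], "E3", "dev", "team"),
        "revoked_grant": Request("g-e3", fp["E3"], "E3", "dev", "team"),
        "revoked_cert_on_e2": Request("g-e2", fp["E3"], "E2", "ops", "team"),
        "unknown_grant": Request("g-zz", fp["E1"], "E1", "ops", "team"),
    }
    return {name: gw.authorize(req)[1] for name, req in cases.items()}


def audit_trail(gw: Gateway, grant_id: str) -> List[AuditRow]:
    return [row for row in gw.audit if row.grant_id == grant_id]
```

The order of checks is deliberate: grant existence and revocation are evaluated before the cert binding, so a revoked grant is reported as revoked rather than leaking whether the presented cert matched, and the cert binding is evaluated before any scope logic, so scope rules never run for a caller who could not prove possession of the grant's cert. `hmac.compare_digest` keeps the fingerprint comparison constant-time.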

Dependencies

Blocked by FED-M4, FED-M5, FED-M6.

Estimated budget

~25K tokens

Risk notes

Security-critical milestone. Budget review time is non-negotiable — plan for two independent code reviews (internal + security-focused) before merge.

jason.woltje added this to the Federation v1 milestone 2026-04-19 22:02:17 +00:00

Reference: mosaicstack/stack#466