fix(tess): enforce command authorization approvals #718
Reference in New Issue
Block a user
Delete Branch "fix/tess-command-authz"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Refs #707
Task: TESS-M1-SEC-001
Implements server-side command scope and role enforcement plus actor-bound exact-action approvals for admin commands. Adds abuse coverage for forged identity, missing approval, action mutation, replay, and member denial.
Verification: pnpm typecheck, pnpm lint, pnpm format:check, pnpm test.
REQUEST CHANGES reviewer-of-record [W-jarvis:reviewer] head
6e82b4ab5bReviewed PR #718 as non-author against
mainat exact head6e82b4ab5b2d5616aad1e695cd4c5f2806e0186e.CI is green on this exact head: Woodpecker push pipeline #1689 and PR pipeline #1692 both success.
Blocking finding:
CommandExecutorService.execute()now accepts an optionalapprovalId, but the WebSocket handler still callsthis.commandExecutor.execute(payload, userId)andSlashCommandPayloadhas noapprovalIdfield.CommandAuthorizationService.createApproval()is also not exposed through any controller/socket/service path in this PR.CommandAuthorizationServiceregistered inCommandsModule, an admin-scoped command such as/gcrequires an approval, but no real client path can create or submit that approval. The PR proves denial cases and direct service consumption, but not an end-to-end approved admin command path.Expected remediation: wire the approval reference through the command payload/ingress (or add the intended approval creation/consumption API) and add a positive integration/WS test proving an admin command with a valid actor-bound exact-action approval executes once, while replay/mutation still denies.
No merge performed by reviewer.
6e82b4ab5btoe3d98d7390VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head
e3d98d7390Evidence:
e3d98d73907f782aaefe08655d0276d7f3e8368a.ci/woodpecker/pr/cipipeline 1705 success.6e82b4ab; the durable approval ingress is now wired end-to-end:SlashCommandPayload.approvalId,command:approveserver-side scope derivation,CommandExecutorService.createApproval(), andexecute()consumes the one-time actor/action-bound approval.git diff --checkclean; scope stays within TESS-M1-SEC-001 command authorization.