Prune consumed and revoked tokens, cap pending token state, reject oversized serialization before replacement, and roll back in-memory mutations when persistence fails.\n\ncloses #828
1.4 KiB
1.4 KiB
WI-1 lease broker security notes
- Trusted identity comes only from Linux
SO_PEERCREDplus/procstarttime, never request identity fields. - Descendant authorization is anchored to
(pid,starttime)and uses a complete second starttime pass to fail closed on disappearance or PID-reuse races. - Runtime generations are monotonic per anchor; a bump revokes prior-incarnation tokens before persistence commits.
- Session IDs and cycle tokens use the OS cryptographic RNG.
Math.randomand model output are not token sources. - Framing and persistence failures fail closed. Sensitive tokens are not logged.
- Built-in
0700/0600filesystem modes provide same-principal hardening only, not socket authenticity against the same UID. WI-1 provides no distinct-principal isolation. That stronger deployment requires an external protected proxy, ACL, or service boundary, and the boundary must preserve authenticated client identity for the broker'sSO_PEERCREDand ancestry authorization rather than substituting a shared proxy identity. - WI-2+ security surfaces—receipts, promotion transactions, mutator gates, hooks, payload construction, and recovery—are explicitly out of scope.
Coordinator security review must rerun the real socket/peercred acceptance suite on an unrestricted Linux runner and obtain the mandated independent Opus-SECREV review before integration.