Files
stack/docs/architecture/lease-broker-security.md
jason.woltje 8ec67a1126
All checks were successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
feat(mosaic): add authenticated external lease broker (#836)
2026-07-18 03:12:23 +00:00

1.4 KiB

WI-1 lease broker security notes

  • Trusted identity comes only from Linux SO_PEERCRED plus /proc starttime, never request identity fields.
  • Descendant authorization is anchored to (pid,starttime) and uses a complete second starttime pass to fail closed on disappearance or PID-reuse races.
  • Runtime generations are monotonic per anchor; a bump revokes prior-incarnation tokens before persistence commits.
  • Session IDs and cycle tokens use the OS cryptographic RNG. Math.random and model output are not token sources.
  • Framing and persistence failures fail closed. Sensitive tokens are not logged.
  • Built-in 0700/0600 filesystem modes provide same-principal hardening only, not socket authenticity against the same UID. WI-1 provides no distinct-principal isolation. That stronger deployment requires an external protected proxy, ACL, or service boundary, and the boundary must preserve authenticated client identity for the broker's SO_PEERCRED and ancestry authorization rather than substituting a shared proxy identity.
  • WI-2+ security surfaces—receipts, promotion transactions, mutator gates, hooks, payload construction, and recovery—are explicitly out of scope.

Coordinator security review must rerun the real socket/peercred acceptance suite on an unrestricted Linux runner and obtain the mandated independent Opus-SECREV review before integration.