1.7 KiB
1.7 KiB
TESS-M1-SEC-001 — Command authorization and exact-action approval
- Issue/milestone: #707 / M1
- Branch:
fix/tess-command-authz - Requirement:
TESS-SEC-002, with approval binding controls fromTESS-SEC-007 - Scope:
apps/gatewayonly, plus required in-repo security/developer documentation.
Plan
- Locate the gateway command executor, command metadata, authorization context, and existing test conventions.
- Write abuse/authz tests before production changes. Expected red cases: non-admin blocked from admin/system command; forged caller scope cannot authorize; privileged/destructive action requires durable exact-action approval; expired/replayed/mutated approvals deny.
- Implement server-derived role/scope enforcement and durable approval validation/consumption with audit results.
- Run focused security tests, then repository baseline gates: typecheck, lint, format-check, test.
- Run independent security/code review, commit, queue-guard, push, and open the PR to
mainthrough the stated Gitea API fallback. Stop after PR creation.
Assumptions
- The existing gateway persistence interface is the available durable approval boundary. If no persistence abstraction exists, a minimal injectable repository interface will be introduced rather than an in-memory approval implementation, because TESS-SEC-002/007 require durable enforcement.
- “Exact action” is a canonical digest over structured command identity and normalized arguments; role/scope checks always use authenticated server context, not client-declared claims.
TDD evidence
- Pending: abuse/authz test written and observed red before implementation.
Verification evidence
- Pending.