Files
stack/docs/architecture/lease-broker-security.md
jason.woltje abd2791f59
Some checks failed
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/push/publish Pipeline was successful
feat(mosaic): WI-2 mutator-class guard for directive-freshness (#837)
WI-2: mutator-class guard for the compaction directive-freshness mechanism — command-position parser (prefix x var-indirection unified) + primitive-anchored invariant backstop + all-tools-hook fail-close. Parser-complete on principle: realistic evasion matrix RED-regression-covered, residual exotic evasions proven backstop-caught (B-tests), lens-convergence reached.

closes #829
2026-07-18 05:51:58 +00:00

2.3 KiB

WI-1 lease broker security notes

  • Trusted identity comes only from Linux SO_PEERCRED plus /proc starttime, never request identity fields.
  • Descendant authorization is anchored to (pid,starttime) and uses a complete second starttime pass to fail closed on disappearance or PID-reuse races.
  • Runtime generations are monotonic per anchor; a bump revokes prior-incarnation tokens before persistence commits.
  • Session IDs and cycle tokens use the OS cryptographic RNG. Math.random and model output are not token sources.
  • Framing and persistence failures fail closed. Sensitive tokens are not logged.
  • Built-in 0700/0600 filesystem modes provide same-principal hardening only, not socket authenticity against the same UID. WI-1 provides no distinct-principal isolation. That stronger deployment requires an external protected proxy, ACL, or service boundary, and the boundary must preserve authenticated client identity for the broker's SO_PEERCRED and ancestry authorization rather than substituting a shared proxy identity.
  • WI-2 whole-class authorization denies every consequential, unknown, and custom tool while UNVERIFIED; it does not inspect shell strings or trust wrapper selection. First-class Claude/Pi, both Claudex dispatch modes, PRDY, QA remediation, coord, orchestrator, and fleet starts converge on broker register-before-exec; Claudex additionally installs the mandatory all-tools hook inside its preserved isolated config and fails closed on unsafe settings.
  • The permanent check-runtime-launches.py suite/CI guard scans production source for direct literal, absolute-path, process-API, command-array, and dynamic Claude/Pi launches. It has no bypass allowlist: an unrecognized launch form fails CI until routed through the common boundary.
  • WI-2 promotion consumes a WI-1 cycle token before VERIFIED becomes visible. Observer revocation, runtime-generation replacement, broker restart, and monotonic TTL expiry remove authority.
  • Receipt observation, payload construction, compaction observers, and constrained recovery implementation remain later surfaces. A receipt can become a promotion prerequisite but is never the safety mechanism.

Coordinator security review must rerun the real socket/peercred and mutator-gate acceptance suites on an unrestricted Linux runner and obtain the mandated independent Opus-SECREV review before integration.