Problem
Primary kernel request checks apply the authenticating device scope, but several secondary authority decisions rebuild principal authority without that device context. A scoped device can therefore receive a broader capsule, principal, or group view than its effective authority permits. A scoped pair request with bare allow = ["*"] is also equivalent to unattenuated authority and must use the full-scope privilege gate.
Scope
- use one typed device-scope resolver for primary and secondary checks
- apply device attenuation to capsule inventory visibility
- apply device attenuation to global principal and group visibility
- require effective
self:auth:pair:admin for a scoped pair request containing bare *
- preserve the
self:* use-only preset
- deny malformed, unknown, or revoked device IDs
- preserve current no-device and
Full behavior
Non-goals
- no public API, WIT, HTTP, IPC, or serialized wire change
- no product-specific identity or trust path
- no capability-registry activation or persisted-policy migration
- capsule dispatcher and gateway audit-probe changes remain separately scoped
Acceptance criteria
- an attenuated admin device cannot gain global capsule, principal, or group visibility unless its scope admits the exact global capability
- a scoped pair request with bare
* cannot bypass the pair-admin requirement
- an issuer's own device denies constrain every child scope
- focused kernel regressions cover no-device, Full, scoped, malformed, unknown, and revoked device cases
- formatting, kernel tests, clippy, and repository CI pass
Tracks #1228 and astrid-runtime/rfcs#36.
Problem
Primary kernel request checks apply the authenticating device scope, but several secondary authority decisions rebuild principal authority without that device context. A scoped device can therefore receive a broader capsule, principal, or group view than its effective authority permits. A scoped pair request with bare
allow = ["*"]is also equivalent to unattenuated authority and must use the full-scope privilege gate.Scope
self:auth:pair:adminfor a scoped pair request containing bare*self:*use-only presetFullbehaviorNon-goals
Acceptance criteria
*cannot bypass the pair-admin requirementTracks #1228 and astrid-runtime/rfcs#36.