fix(capsule): preserve device attenuation in dispatch#1240
Conversation
There was a problem hiding this comment.
Pull request overview
Updates capsule dispatch to carry the authenticated device scope into access resolution so dispatch decisions (candidate expansion, execution gating, and grant signalling) reflect the same attenuated authority enforced at the kernel boundary (Issue #1239 / RFC #36).
Changes:
- Thread
device_key_idthrough dispatcher matching and resolve a single immutable (principal/profile/groups/device-scope) access snapshot per stamped event. - Enforce fail-closed behavior for disabled/invalid/unknown/revoked identities before interceptor matching and before emitting
GrantRequired. - Add a dedicated regression suite covering device-scoped inventory vs execution authority and legacy no-resolver behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| crates/astrid-capsule/src/dispatcher.rs | Carries device key id into matching, resolves per-event access snapshot, and updates candidate expansion + grant-on-use behavior. |
| crates/astrid-capsule/src/dispatcher_tests.rs | Updates existing tests to the new find_matching_interceptors signature. |
| crates/astrid-capsule/src/dispatcher_device_scope_tests.rs | Adds device-scope focused dispatch regression tests (inventory vs execution, invalid identities, legacy path). |
| crates/astrid-capsule/src/access.rs | Introduces ResolvedCapsuleAccess snapshot and device-scoped capability evaluation for capsule:list and capsule:access:any. |
| CHANGELOG.md | Documents the security behavior change under [Unreleased]. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5b5cbcd to
b93409c
Compare
8a8b18c to
81db358
Compare
81db358 to
76e7291
Compare
b87dbf4 to
0d61c07
Compare
|
Reviewed exact head |
0d61c07 to
57ec313
Compare
Linked Issue
Closes #1239
Refs #1237 and astrid-runtime/rfcs#36.
Summary
Carries the authenticated device into capsule dispatch so execution and inventory use the same live authority already enforced at the kernel boundary. The change is generic to Astrid and introduces no product-specific role or trust path.
Changes
capsule:listonly for global describe visibilitycapsule:access:anyfor unrestricted execution and candidate expansionFullbehavior, and principal-less lifecycle dispatchGrantRequiredonly for a valid in-view denied matchself:auth:pairauthority for pair issuance while retaining the additionalself:auth:pair:admingate and elevated audit classification for Full, preset-Full, and explicit-universal scopesVerification
mainafter feat(cli): grant installed distro capsules to the target principal #1196, fix(kernel): preserve device attenuation across authority views #1238, and fix(kernel): fail closed at bootstrap authority boundaries #1257 merged57ec31340db1a1749d5f137a25f4352bb6cb401fcargo fmt --all -- --checkgit diff --check origin/main...HEADcargo test --locked -p astrid-capsule— 563 passedcargo test --locked -p astrid-kernel admin_cap_without_base_pair_capability_cannot_issue_full_token -- --nocapturecargo clippy --locked -p astrid-capsule -p astrid-kernel --all-features --tests -- -D warningsChecklist
[Unreleased]No release is created or published by this change.