fix(gateway): enforce live audit authority#1242
Conversation
There was a problem hiding this comment.
Pull request overview
This PR tightens gateway audit visibility by replacing gateway-side inference of audit:read_all with a live, kernel-owned principal/device/capability evaluator. It unifies historical audit queries and SSE streaming under the same runtime policy, ensuring device revocation and scope narrowing take effect immediately without reconnecting.
Changes:
- Add a borrowed
CapabilityCheck::new_borrowedconstructor and use it to implement a booleanKernel::runtime_capability_allowsevaluator. - Inject a gateway-private
CapabilityProbevia request extensions; historical audit pagination and live SSE streams re-checkaudit:read_allthrough the probe. - Add targeted kernel, gateway, and integration coverage to ensure revocation/narrowing preserves self-visibility while suppressing cross-principal access.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| crates/astrid-kernel/src/runtime_policy_tests.rs | Adds focused regression tests for principal/device capability evaluation semantics. |
| crates/astrid-kernel/src/lib.rs | Exposes a doc-hidden, boolean runtime capability evaluator used by the gateway/daemon. |
| crates/astrid-integration-tests/tests/gateway_e2e.rs | Extends E2E coverage to validate live SSE narrowing after device revocation. |
| crates/astrid-gateway/src/routes/mod.rs | Introduces router builder wiring to inject a capability probe via Extension. |
| crates/astrid-gateway/src/routes/events.rs | Implements probe-backed audit:read_all evaluation and per-event re-evaluation for SSE. |
| crates/astrid-gateway/src/routes/audit.rs | Applies probe-backed, post-read authority at query boundary and during record filtering. |
| crates/astrid-gateway/src/lib.rs | Adds run_with_capability_probe* entrypoints and threads the probe into router construction. |
| crates/astrid-daemon/src/lib.rs | Wires the gateway probe to the kernel’s live evaluator in the daemon runtime. |
| crates/astrid-capabilities/src/policy.rs | Adds a borrowed constructor to avoid cloning principals for boolean-only checks. |
| CHANGELOG.md | Documents the security-relevant change to audit authority evaluation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5b5cbcd to
b93409c
Compare
30b506b to
9b6a0d2
Compare
f615605 to
4b1d30b
Compare
|
Addressed a historical audit cursor hole in |
6d600f6 to
05842ae
Compare
|
Addressed in |
d5ab282 to
8f168b4
Compare
|
Addressed in |
5b932af to
edde792
Compare
ea12413 to
b477f65
Compare
|
Addressed in Direct router embedders can now use |
|
Addressed in Documented that embedded routers built with |
8db2484 to
0a38bfe
Compare
|
Addressed in Embedded routers built with |
|
Addressed in I added a changelog migration note clarifying that co-located callers must use Re-verified with |
f994546 to
bf3eb25
Compare
Linked Issue
Closes #1241
Refs #1237 and astrid-runtime/rfcs#36.
Summary
Replaces gateway-side audit authority inference with the kernel's live principal/device capability evaluator. Historical and streaming audit views now narrow through the same runtime policy, with no AOS-specific role, key exposure or caller-selected identity.
Changes
CapabilityCheckconstructor while preserving the existing constructor and owned errorsaudit:read_allfor every live SSE eventaudit:read_allenforcement constant and require it to resolve through capability-registry revision 1mainVerification
bf3eb251164f1c20e47fb9f3e841677d9efecc02d85fb10663c21d08fc43d39d939cfbb5a023cafdhave good Joshua committer signaturescargo fmt --all -- --checkgit diff --checkcargo doc -p astrid-gateway --no-depscargo test -p astrid-gateway— 160 unit, 7 CORS, 10 models and 18 router tests passcargo test -p astrid-kernel runtime_policy_tests— 8 tests passcargo clippy -p astrid-gateway -p astrid-kernel --all-targets -- -D warnings-cargo clippy -p astrid --all-targets -- -D warningsCompatibility
The public HTTP shape, WIT contracts, persisted authority, gateway state and existing runner entrypoints remain unchanged. The new kernel evaluator is boolean and doc-hidden. The internal typed gateway probe remains private; trusted in-process embedders receive an additive generic callback builder with the same fail-closed policy boundary.
When #1244 is refreshed after this PR, its workspace-aware gateway runner must retain this live capability probe across normal, TLS and pre-bound listener paths.
Checklist
CHANGELOG.mdupdated under[Unreleased]