address code review

rcholic · rcholic · commit 70992d58711f · 2026-02-17T18:27:06.000-08:00
diff --git a/docs/authorityd-operations.md b/docs/authorityd-operations.md
@@ -63,6 +63,24 @@ PYTHONPATH=. predicate-authorityd \
   --control-plane-fail-open
 ```
 
+### Signing key safety note (required until mandate `v2` claims)
+
+Until mandate `v2` introduces explicit `iss`/`aud` claims and asymmetric signing defaults,
+each deployment instance must use a unique signing key to reduce cross-instance replay risk.
+
+Recommended startup pattern:
+
+```bash
+export PREDICATE_AUTHORITY_SIGNING_KEY="<unique-random-per-instance>"
+
+PYTHONPATH=. predicate-authorityd \
+  --host 127.0.0.1 \
+  --port 8787 \
+  --mode local_only \
+  --policy-file examples/authorityd/policy.json \
+  --mandate-signing-key-env PREDICATE_AUTHORITY_SIGNING_KEY
+```
+
 When enabled, daemon bootstrap auto-attaches `ControlPlaneTraceEmitter` so each
 authority decision pushes:
 
diff --git a/predicate_authority/bridge.py b/predicate_authority/bridge.py
@@ -112,7 +112,10 @@ def refresh_token(
 
 
 class EntraIdentityBridge(OIDCIdentityBridge):
-    """Microsoft Entra adapter built on generic OIDC behavior."""
+    """Microsoft Entra adapter built on generic OIDC behavior.
+
+    Phase 2 keeps this as a deterministic local stand-in for real IdP token exchange.
+    """
 
     def __init__(self, config: EntraBridgeConfig) -> None:
         oidc_config = OIDCBridgeConfig(
diff --git a/predicate_authority/control_plane.py b/predicate_authority/control_plane.py
@@ -183,7 +183,8 @@ def _send_audit_event(self, audit_event: AuditEventEnvelope) -> None:
         except Exception as exc:
             self.audit_push_failure_count += 1
             self.last_push_error = str(exc)
-            raise
+            if not self.client.config.fail_open:
+                raise
 
     def _send_usage_record(self, usage: UsageCreditRecord) -> None:
         try:
@@ -197,4 +198,5 @@ def _send_usage_record(self, usage: UsageCreditRecord) -> None:
         except Exception as exc:
             self.usage_push_failure_count += 1
             self.last_push_error = str(exc)
-            raise
+            if not self.client.config.fail_open:
+                raise
diff --git a/predicate_authority/telemetry.py b/predicate_authority/telemetry.py
@@ -3,7 +3,7 @@
 from contextlib import AbstractContextManager
 from typing import Protocol, cast
 
-from predicate_contracts import ProofEvent, TraceEmitter
+from predicate_contracts import ProofEvent
 
 
 class SpanLike(Protocol):
@@ -14,7 +14,7 @@ class TracerLike(Protocol):
     def start_as_current_span(self, name: str) -> AbstractContextManager[SpanLike]: ...
 
 
-class OpenTelemetryTraceEmitter(TraceEmitter):
+class OpenTelemetryTraceEmitter:
     """TraceEmitter backed by OpenTelemetry spans/events."""
 
     def __init__(self, tracer: TracerLike | None = None) -> None:
