Skip to content

fix(daemon): require consumer auth for sensitive gRPC RPCs (H8/H10)#76

Merged
sudhirverma merged 2 commits into
mainfrom
AAP-82832
Jul 17, 2026
Merged

fix(daemon): require consumer auth for sensitive gRPC RPCs (H8/H10)#76
sudhirverma merged 2 commits into
mainfrom
AAP-82832

Conversation

@sudhirverma

@sudhirverma sudhirverma commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Close H8/H10: non-loopback gRPC binds fail closed without consumers (unless --allow-open-auth / --insecure).
  • When consumers is configured, gate sensitive RPCs with x-abbenay-token + capabilities (secrets, config, providers, shutdown, chat, mcp_register, inline_policy).
  • Compare tokens with crypto.timingSafeEqual.
  • Document as DR-037 (main already has DR-036 Zod validation from fix(daemon): validate HTTP API bodies and config write paths (H4/H5) #75).

Changes

Area What
consumer-auth.ts Fail-closed bind check, capability authorization, timing-safe token match
abbenay-service.ts Wire gates on secrets/config/providers/shutdown/chat/MCP; SummarizeSession requires chat
daemon.ts / index.ts Assert consumers before TCP bind; open-auth warning only when consumers empty
Docs DR-037 + CONFIGURATION / CONTAINER / DEVELOPMENT / TESTING
Tests Unit capability matrix + integration gating + bind E2E

Test plan

  • Rebased onto main (post-fix(daemon): validate HTTP API bodies and config write paths (H4/H5) #75); DR-037 (not 032/036 collision)
  • Unit: consumer-auth.test.ts — timing-safe tokens, fail-closed bind, capability matrix
  • Integration: deny/allow secrets/config/providers/shutdown; SummarizeSession requires chat
  • E2E: non-loopback without consumers refuses; open-auth escape hatch
  • CI green on tip

Fix: https://redhat.atlassian.net/browse/AAP-82832

Fail closed on non-loopback binds without consumers, gate secrets/config/
providers/shutdown/chat/MCP with capabilities, and compare tokens with
crypto.timingSafeEqual. Document the model (DR-036) and add unit/E2E coverage.
Rebase onto main kept Zod as DR-036. Consumer auth is DR-037. Require
chat capability for SummarizeSession, and only warn about open auth when
consumers are actually empty.
@cidrblock

Copy link
Copy Markdown
Collaborator

Maintainer bring-up on 0380f5f (no follow-up issues — fixed here):

  • Rebased onto main (was CONFLICTING after fix(daemon): validate HTTP API bodies and config write paths (H4/H5) #75)
  • Renumbered consumer auth to DR-037 (Zod stays DR-036)
  • Gate SummarizeSession with chat (LLM / key burn bypass)
  • Open-auth warning only when consumers are actually empty
  • Expanded PR description; CONFIGURATION capability table includes SummarizeSession

Waiting on CI, then approve if green.

@cidrblock cidrblock left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verdict: merge-ready

H8/H10 consumer auth looks solid: fail-closed non-loopback bind, capability gates, timing-safe tokens.

Maintainer tip 0380f5f rebased onto main, renumbered to DR-037, gates SummarizeSession with chat, and fixes the open-auth warning. CI green. Approving.

@sudhirverma
sudhirverma merged commit 9a72d68 into main Jul 17, 2026
6 checks passed
@sudhirverma
sudhirverma deleted the AAP-82832 branch July 17, 2026 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants