fix(kernel): fail closed at bootstrap authority boundaries#1257
Conversation
There was a problem hiding this comment.
Pull request overview
This PR tightens Astrid’s security posture at kernel bootstrap and management authority boundaries by eliminating fail-open fallbacks to the default bootstrap administrator and by pinning/propagating authorization inputs (principal, groups, profile, and device scope) at a single decision point per request.
Changes:
- Reject kernel/admin management IPC requests that lack a valid authenticated principal (no fallback to
default). - Abort kernel construction when bootstrap profile/key seeding or legacy profile migration fails (fail-closed boot).
- Extend/pin device-scope attenuation across inventory surfaces and pairing issuance, and harden profile-cache invalidation against stale republish races.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| crates/astrid-kernel/src/lib.rs | Fail-closed bootstrap: propagate default profile/key/migration failures; add injected-resource boot regressions. |
| crates/astrid-kernel/src/kernel_router/mod.rs | Reject missing/invalid principals at the kernel router boundary; introduce pinned AuthorizedRequest; centralize device-scope resolution. |
| crates/astrid-kernel/src/kernel_router/device_scope.rs | New shared helper to resolve device-scope attenuation with outwardly uniform denials. |
| crates/astrid-kernel/src/kernel_router/tests.rs | Update caller resolution tests; add deterministic denial regression; expand device-scope snapshot/opacity coverage. |
| crates/astrid-kernel/src/kernel_router/connection_tracker_tests.rs | Ensure principal-less lifecycle events map to anonymous and malformed identities are ignored. |
| crates/astrid-kernel/src/kernel_router/admin/mod.rs | Reject missing/invalid principals at admin router boundary; route dispatch through pinned authorization snapshot. |
| crates/astrid-kernel/src/kernel_router/admin/handlers.rs | Thread pinned authorization through read paths; enforce default retains built-in admin group after AgentModify. |
| crates/astrid-kernel/src/kernel_router/admin/group.rs | Apply device-scope attenuation and/or pinned authorization snapshot to group listing visibility. |
| crates/astrid-kernel/src/kernel_router/admin/state_tests*.rs | Add/extend regressions ensuring device attenuation and snapshot pinning across admin inventory. |
| crates/astrid-kernel/src/kernel_router/admin/pair_device_handlers.rs | Harden pairing issuance against missing/invalid/revoked device IDs; require pair-admin for universal * scoped mints; accept pinned snapshot dispatch. |
| crates/astrid-kernel/src/kernel_router/admin/pair_device_tests.rs | Expand end-to-end pairing acceptance coverage for missing/revoked devices and universal-scope gating. |
| crates/astrid-kernel/src/kernel_router/admin/enforcement_tests.rs | Add deterministic denial regression for missing/invalid admin principals. |
| crates/astrid-capsule/src/profile_cache.rs | Add per-principal invalidation generations to prevent stale load publication under concurrent invalidation. |
| CHANGELOG.md | Document fail-closed bootstrap/authority boundary changes and device-attenuation/snapshot hardening under Security. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Reviewed
All completed CI gates are green; the remaining queued gates (Test, MSRV, Security Audit, etc.) are the execution gate per the PR description. |
94b1690 to
8a250f7
Compare
## Linked Issue Closes #1239 Refs #1237 and astrid-runtime/rfcs#36. ## Summary Carries the authenticated device into capsule dispatch so execution and inventory use the same live authority already enforced at the kernel boundary. The change is generic to Astrid and introduces no product-specific role or trust path. ## Changes - resolve one principal/profile/group/device snapshot per stamped event - reject disabled, malformed, unknown, and revoked identities before matching or grant signalling - use device-effective `capsule:list` only for global describe visibility - activate exact device-effective `capsule:access:any` for unrestricted execution and candidate expansion - preserve exact per-principal capsule grants, no-device/`Full` behavior, and principal-less lifecycle dispatch - emit one `GrantRequired` only for a valid in-view denied match - preserve legacy dispatch when no access resolver is installed - preserve merged authority-cache refresh, pairing preflight, audit classification, and caller-boundary audit behavior - require base `self:auth:pair` authority for pair issuance while retaining the additional `self:auth:pair:admin` gate and elevated audit classification for Full, preset-Full, and explicit-universal scopes - add a dedicated device-scope dispatch regression suite ## Verification - restacked onto `main` after #1196, #1238, and #1257 merged - signed head: `57ec31340db1a1749d5f137a25f4352bb6cb401f` - `cargo fmt --all -- --check` - `git diff --check origin/main...HEAD` - `cargo test --locked -p astrid-capsule` — 563 passed - `cargo test --locked -p astrid-kernel admin_cap_without_base_pair_capability_cannot_issue_full_token -- --nocapture` - `cargo clippy --locked -p astrid-capsule -p astrid-kernel --all-features --tests -- -D warnings` - replacement GitHub CI is the complete integration and execution gate ## Checklist - [x] Linked to an issue - [x] CHANGELOG.md updated under `[Unreleased]` No release is created or published by this change.
Linked Issue
Closes #1256
Summary
Closes the remaining first-release bootstrap authority fallbacks without activating the deferred RFC #36 persistence model or adding any product-specific privilege path.
Changes
defaultadministratoranonymousbefore returning the uniform denialanonymousand ignore malformed identitiesAgentModifyresults that removedefaultfrom the built-inadmingroup while preserving idempotent remove-plus-addVerification
mainafter feat(cli): grant installed distro capsules to the target principal #1196 and fix(kernel): preserve device attenuation across authority views #1238 merged916238ae54db4e1ea7409a4a82432cc5fe8603a4cargo fmt --all -- --checkgit diff --check origin/main...HEADcargo test --locked -p astrid-kernel admin_router_denies_missing_and_invalid_principals_deterministically -- --nocapturecargo clippy --locked -p astrid-kernel --all-features --tests -- -D warningsChecklist
[Unreleased]No release is created or published by this change.