Implement full ZTXP security flow, tests, and infrastructure fixes #5

Merged: cjb00 merged 3 commits into main from claude/upbeat-kare on Feb 15, 2026

Implement full ZTXP security flow, tests, and infrastructure fixes#5
cjb00 merged 3 commits into
mainfrom
claude/upbeat-kare

Conversation

cjb00 (Owner) commented Feb 15, 2026

Summary

  • PEP Lambda: builds TAM from request context (identity, device, resource), signs with AWS KMS (ECDSA_SHA_256), calls Broker
  • Broker Lambda: verifies KMS signature, replay protection via 600s timestamp TTL, forwards TAM to OPA for policy decision — denies on any verification failure
  • Notes Lambda: full DynamoDB CRUD (list/get/create/update/delete) scoped to authenticated principalId from authorizer context
  • OPA policy: upgraded to rego.v1 syntax, added admin rule, device compliance check, risk score threshold; 13 Rego unit tests covering all allow/deny paths
  • Infrastructure: API Gateway $default stages, PDP ALB made internal, dedicated security groups (only ALB can reach OPA container), ECS IAM execution role with ECR + CloudWatch, KMS_KEY_ARN wired to Broker, WAF rate limiting + AWS managed common ruleset
  • CI: GitHub Actions workflow — Python tests, OPA tests, Terraform validate

Test plan

  • 35 Python unit tests pass (pytest ztxb-aws-lab/tests/ -v)
  • 13 OPA policy tests pass (opa test ztxb-aws-lab/app/pdp/policy/ -v)
  • terraform validate passes in ztxb-aws-lab/infra/
  • CI workflow runs green on this PR
  • Deploy to AWS and verify end-to-end flow: Cognito token → Notes API → PEP signs TAM → Broker verifies → OPA evaluates → DynamoDB CRUD

🤖 Generated with Claude Code
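
The Broker gate described in the Summary (verify the TAM signature, apply the 600 s timestamp TTL, forward to the PDP only on success, deny on any failure), as an added example that is not part of this PR or the ztxb-aws-lab code. It substitutes an HMAC-SHA256 stand-in under a constructed shared key for the KMS ECDSA_SHA_256 Sign/Verify calls so it runs offline; the `Broker` class, `sign_tam`, and the envelope field names (`tam`, `signature`, `timestamp`) are assumptions, not the project's interfaces. It goes one step beyond the description by also remembering signatures seen inside the window, since a TTL alone does not stop an identical message replayed within the 600 s.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple

# Replay window stated in the PR description for the Broker: 600 s timestamp TTL.
TIMESTAMP_TTL_SECONDS = 600


def canonical_tam_bytes(tam: dict) -> bytes:
    """Deterministic encoding so PEP and Broker sign/verify identical bytes."""
    return json.dumps(tam, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_tam(key: bytes, tam: dict) -> str:
    """Stand-in for the PEP's KMS Sign call (ECDSA_SHA_256).
    HMAC-SHA256 under a constructed shared key is used only so the example
    runs offline; a deployment would call KMS against the key ARN instead."""
    return hmac.new(key, canonical_tam_bytes(tam), hashlib.sha256).hexdigest()


def make_hmac_verifier(key: bytes) -> Callable[[bytes, bytes], bool]:
    """Stand-in for the Broker's KMS Verify call; same caveat as sign_tam."""
    def verify(message: bytes, signature: bytes) -> bool:
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


class Broker:
    """Models the Broker Lambda's gate: authenticate, replay-check, then consult the PDP.
    Any failure yields a deny; the PDP is never consulted on unverified input."""

    def __init__(self, verify_signature: Callable[[bytes, bytes], bool],
                 now: Callable[[], float] = time.time):
        self._verify = verify_signature
        self._now = now  # injectable clock so the TTL logic can be exercised deterministically
        # Addition beyond the PR text: signatures first seen inside the window. A TTL
        # alone accepts the same signed TAM again until the 600 s window closes.
        self._seen: Dict[str, float] = {}

    def verify(self, envelope: dict) -> Tuple[bool, str]:
        tam = envelope.get("tam")
        sig_hex = envelope.get("signature")
        if not isinstance(tam, dict) or not isinstance(sig_hex, str):
            return False, "malformed envelope"
        try:
            signature = bytes.fromhex(sig_hex)
        except ValueError:
            return False, "malformed signature"
        # Signature first: no field of the TAM is trusted until it is authenticated.
        if not self._verify(canonical_tam_bytes(tam), signature):
            return False, "bad signature"
        ts = tam.get("timestamp")
        if isinstance(ts, bool) or not isinstance(ts, (int, float)):
            return False, "missing timestamp"
        now = self._now()
        # Reject TAMs stamped in the future or older than the TTL.
        if ts > now or now - ts > TIMESTAMP_TTL_SECONDS:
            return False, "timestamp outside ttl window"
        # Forget entries the TTL already excludes, then reject an exact replay.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= TIMESTAMP_TTL_SECONDS}
        if sig_hex in self._seen:
            return False, "replayed"
        self._seen[sig_hex] = now
        return True, "verified"

    def decide(self, envelope: dict, pdp: Callable[[dict], bool]) -> Tuple[bool, str]:
        """Forward the TAM to the PDP only after verification; otherwise deny outright."""
        ok, reason = self.verify(envelope)
        if not ok:
            return False, reason  # deny without ever calling OPA
        allowed = pdp(envelope["tam"])
        return allowed, "pdp allow" if allowed else "pdp deny"


if __name__ == "__main__":
    # Constructed demo key and TAM; a hypothetical PDP that permits reads only.
    key = b"constructed-demo-key"
    broker = Broker(make_hmac_verifier(key))
    tam = {"principalId": "user-1", "resource": "notes", "action": "read",
           "timestamp": time.time()}
    envelope = {"tam": tam, "signature": sign_tam(key, tam)}
    read_only_pdp = lambda t: t["action"] == "read"
    print(broker.decide(envelope, read_only_pdp))   # first delivery: PDP consulted
    print(broker.decide(envelope, read_only_pdp))   # identical resend: denied as replay
```

Ordering matters: the signature is checked before the timestamp is even read, so unsigned data never influences a decision, and `decide` returns a deny without calling the PDP callable on any verification failure. The seen-signature set lives in instance memory here; across several Lambda instances it would need to sit in shared storage with the same TTL to hold.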

Cliff Bell and others added 3 commits February 13, 2026 23:42
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- PEP Lambda: build TAM from request context, sign with KMS (ECDSA_SHA_256),
  call Broker; extract JWT sub claim for principal identity
- Broker Lambda: verify KMS signature, replay protection via timestamp TTL,
  forward to OPA PDP; deny on any verification failure
- Notes Lambda: full DynamoDB CRUD (list/get/create/update/delete),
  scoped to authenticated principal from authorizer context
- OPA policy: updated to rego.v1 syntax, added admin rule, device
  compliance check, risk score threshold (< 70 for writes)
- OPA tests: 13 Rego unit tests covering all allow/deny paths
- Python tests: 35 unit tests (all passing) for all three handlers
- Terraform: API Gateway $default stages (both APIs), PDP ALB made
  internal, dedicated security groups for ALB and ECS task,
  IAM execution role for ECS with ECR pull permissions,
  CloudWatch log config for OPA container, KMS_KEY_ARN wired to broker,
  WAF with rate limiting + AWS managed common rule set
- CI: GitHub Actions workflow (Python tests, OPA tests, Terraform validate)
- Dockerfile: load full policy directory instead of single file

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@cjb00 cjb00 merged commit 9770175 into main Feb 15, 2026
2 of 3 checks passed
@cjb00 cjb00 deleted the claude/upbeat-kare branch February 15, 2026 02:49