fastapi-gsap

tking/fastapi-gsap

SHA256

Fork 0

Commit graph

Author	SHA256	Message	Date
Tyler J King	e744336385	fix: capability enforcement, credential safety, atomic delegations, input validation C-6: ConnectorRuntime enforces capability_mask per operation. READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire). C-7: AC validated against database (exists, active, not expired) before connector invocation. C-9: Delegated AC capability bounded by delegator's capability. C-10: Command counter uses atomic SQL increment with limit check. M-23: expire_stale() uses same atomic SQL pattern. H-1: Sensitive credential fields hidden from repr/logs via repr=False. H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate. H-3: Kerberos backend raises CredentialResolutionError instead of returning stub ticket. H-4: Chronicle INTENT emitted before execution, RESULT after. H-5: device_id validated as UUID before Graph API URL interpolation. H-8: ConnectorRuntime enforces governance for all connector invocations. Signed-off-by: Tyler King <tking@guildhouse.dev>	2026-04-14 08:13:27 -04:00
Tyler J King	24eefe1699	feat(credentials): add Entra and Stub credential backends Entra backend resolves OAuth tokens via MSAL client_credentials (OBO flow wired in future sprint) and passes ACs through for Bascule. Kerberos stubbed pending hybrid environment config. Stub backend for dev/testing without real IdP. Signed-off-by: Tyler King <tking@guildhouse.dev>	2026-04-14 05:57:52 -04:00
Tyler J King	043693652a	feat(credentials): add CredentialResolver and Credential types Zero-credential-storage architecture. The broker holds ACs (authorization). Pluggable CredentialBackend implementations hold secrets. Transports acquire short-lived, scoped credentials at invocation time and discard after use. Credential types: BasculeCredential, KerberosCredential, OAuthCredential, SSHCertCredential. Signed-off-by: Tyler King <tking@guildhouse.dev>	2026-04-14 05:57:00 -04:00

Author

SHA256

Message

Date

Tyler J King

e744336385

fix: capability enforcement, credential safety, atomic delegations, input validation

C-6: ConnectorRuntime enforces capability_mask per operation.
     READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire).
C-7: AC validated against database (exists, active, not expired)
     before connector invocation.
C-9: Delegated AC capability bounded by delegator's capability.
C-10: Command counter uses atomic SQL increment with limit check.
M-23: expire_stale() uses same atomic SQL pattern.

H-1: Sensitive credential fields hidden from repr/logs via repr=False.
H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate.
H-3: Kerberos backend raises CredentialResolutionError instead of
     returning stub ticket.
H-4: Chronicle INTENT emitted before execution, RESULT after.
H-5: device_id validated as UUID before Graph API URL interpolation.
H-8: ConnectorRuntime enforces governance for all connector invocations.

Signed-off-by: Tyler King <tking@guildhouse.dev>

2026-04-14 08:13:27 -04:00

Tyler J King

24eefe1699

feat(credentials): add Entra and Stub credential backends

Entra backend resolves OAuth tokens via MSAL client_credentials
(OBO flow wired in future sprint) and passes ACs through for
Bascule. Kerberos stubbed pending hybrid environment config.
Stub backend for dev/testing without real IdP.

Signed-off-by: Tyler King <tking@guildhouse.dev>

2026-04-14 05:57:52 -04:00

Tyler J King

043693652a

feat(credentials): add CredentialResolver and Credential types

Zero-credential-storage architecture. The broker holds ACs
(authorization). Pluggable CredentialBackend implementations
hold secrets. Transports acquire short-lived, scoped credentials
at invocation time and discard after use.

Credential types: BasculeCredential, KerberosCredential,
OAuthCredential, SSHCertCredential.

Signed-off-by: Tyler King <tking@guildhouse.dev>

2026-04-14 05:57:00 -04:00

3 commits