e744336385
C-6: ConnectorRuntime enforces capability_mask per operation.
READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire).
C-7: AC validated against database (exists, active, not expired)
before connector invocation.
C-9: Delegated AC capability bounded by delegator's capability.
C-10: Command counter uses atomic SQL increment with limit check.
M-23: expire_stale() uses same atomic SQL pattern.
H-1: Sensitive credential fields hidden from repr/logs via repr=False.
H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate.
H-3: Kerberos backend raises CredentialResolutionError instead of
returning stub ticket.
H-4: Chronicle INTENT emitted before execution, RESULT after.
H-5: device_id validated as UUID before Graph API URL interpolation.
H-8: ConnectorRuntime enforces governance for all connector invocations.
Signed-off-by: Tyler King <tking@guildhouse.dev>
16 lines
686 B
Python
16 lines
686 B
Python
# This file must be kept very simple, because it is consumed from several
|
|
# places -- it is imported by h11/__init__.py, execfile'd by setup.py, etc.
|
|
|
|
# We use a simple scheme:
|
|
# 1.0.0 -> 1.0.0+dev -> 1.1.0 -> 1.1.0+dev
|
|
# where the +dev versions are never released into the wild, they're just what
|
|
# we stick into the VCS in between releases.
|
|
#
|
|
# This is compatible with PEP 440:
|
|
# http://legacy.python.org/dev/peps/pep-0440/
|
|
# via the use of the "local suffix" "+dev", which is disallowed on index
|
|
# servers and causes 1.0.0+dev to sort after plain 1.0.0, which is what we
|
|
# want. (Contrast with the special suffix 1.0.0.dev, which sorts *before*
|
|
# 1.0.0.)
|
|
|
|
__version__ = "0.16.0"
|