e53a282fbe
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions. - Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation. - Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks. - Developed console export service and store with comprehensive unit tests for export status management.
2.0 KiB
2.0 KiB
Authority Routing Decision
Decision ID: DECISION-AUTH-001 Status: DEFAULT-APPROVED Effective Date: 2025-12-06 48h Window Started: 2025-12-06T00:00:00Z
Decision
Authority claim routing uses RBAC-standard routing patterns aligned with existing docs/security/scopes-and-roles.md.
Rationale
- RBAC patterns are well-established and auditable
- Consistent with Authority module implementation
- Supports multi-tenancy requirements
- Compatible with external IdP integration (OIDC, SAML)
Routing Matrix
| Claim | Source | Routing | Scope |
|---|---|---|---|
tenant_id |
Token/Session | Per-request | All endpoints |
project_id |
Token/Header | Per-request | Project-scoped |
user_id |
Token | Per-request | User-scoped |
role |
Token claims | Authorization | Role-based access |
scope |
Token claims | Authorization | Fine-grained access |
Claim Priority
When claims conflict:
- Explicit header overrides token claim (if authorized)
- Token claim is authoritative for identity
- Session context provides defaults
Implementation Pattern
// Authority claim resolution
public class ClaimResolver : IClaimResolver
{
public AuthorityContext Resolve(HttpContext context)
{
var tenantId = context.Request.Headers["X-Tenant-Id"]
?? context.User.FindFirst("tenant_id")?.Value;
var projectId = context.Request.Headers["X-Project-Id"]
?? context.User.FindFirst("project_id")?.Value;
return new AuthorityContext(tenantId, projectId);
}
}
Impact
- Tasks unblocked: ~5
- Sprint files affected: SPRINT_0303
Reversibility
To change routing patterns:
- Update
docs/security/scopes-and-roles.md - Get Authority Guild + Security Guild sign-off
- Update
AuthorityClaimsProviderimplementations - Migration path for existing integrations