VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	df19a63853	refactor(policy): drop strict-ancestor rule for .zddc edits The rule said: an admin granted in /<dir>/.zddc can edit deeper .zddc files but NOT the one that grants their own authority. Intended to prevent self-elevation, peer-addition, and delegator- removal. Three problems: - "Add peers" isn't an attack — it's the common collaboration case. Project creator can't grant a teammate access without bothering a super-admin every time. - "Remove the delegator" doesn't work. Root admin authority lives in the ROOT .zddc and cascades down regardless of what's in /<dir>/.zddc; subtree admins can't touch it. - "Self-elevation" within a subtree is meaningless. They already have rwcda there. Replacement model: admins in /<dir>/.zddc OWN /<dir>/ and everything beneath, including the .zddc itself. They can add collaborators, modify ACLs, even remove themselves. Self-removal is a recoverable footgun — root super-admins always retain authority via the root cascade and can restore. What stays: - The admins: field as a load-bearing key (drives IsActiveAdmin + sudo-style elevation + WORM bypass). - Bootstrap via root .zddc hand-editing. - IsAdminForChain(chain, email, excludeLeaf bool) signature — ModeStrict / NIST AC-6 deployments can still opt into the strict- ancestor walk if they need it. Tests flipped to match the new contract; ProjectCreate flow now gives the creator real control over their project root. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 10:47:04 -05:00
ZDDC	cfa7732183	test(handler): lock-in invariants for admin/elevation/WORM behavior Baseline test battery that pins the current auth-decision behavior so the upcoming consolidation refactor (single bypass site in InternalDecider.Allow) is validated against a green baseline. Each test names one invariant; failure messages identify exactly which property regressed. Coverage: - Un-elevated admin cannot bypass WORM (PUT to issued/ → 403). - Un-elevated admin cannot edit .zddc (Principal.gate() blocks). - Elevated admin bypasses WORM (positive control). - Elevated subtree admin writes within scope, blocked outside it. - Strict-ancestor rule: subtree admin cannot edit own subtree's .zddc, can edit deeper .zddc. - Empty email never matches. - WORM cr survives for un-elevated document_controller (create OK, overwrite still stripped). - project_team has read-only outside their auto-own home. - Forward-auth /.auth/admin gates strictly on ROOT admins:. wormbypass_test.go retained as the original repro of the live bitnest observation (un-elevated user write succeeded under --no-auth=1). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 09:12:37 -05:00

Author

SHA1

Message

Date

ZDDC

df19a63853

refactor(policy): drop strict-ancestor rule for .zddc edits

The rule said: an admin granted in /<dir>/.zddc can edit deeper
.zddc files but NOT the one that grants their own authority.
Intended to prevent self-elevation, peer-addition, and delegator-
removal.

Three problems:

- "Add peers" isn't an attack — it's the common collaboration case.
  Project creator can't grant a teammate access without bothering a
  super-admin every time.
- "Remove the delegator" doesn't work. Root admin authority lives
  in the ROOT .zddc and cascades down regardless of what's in
  /<dir>/.zddc; subtree admins can't touch it.
- "Self-elevation" within a subtree is meaningless. They already
  have rwcda there.

Replacement model: admins in /<dir>/.zddc OWN /<dir>/ and everything
beneath, including the .zddc itself. They can add collaborators,
modify ACLs, even remove themselves. Self-removal is a recoverable
footgun — root super-admins always retain authority via the root
cascade and can restore.

What stays:
- The admins: field as a load-bearing key (drives IsActiveAdmin
  + sudo-style elevation + WORM bypass).
- Bootstrap via root .zddc hand-editing.
- IsAdminForChain(chain, email, excludeLeaf bool) signature —
  ModeStrict / NIST AC-6 deployments can still opt into the strict-
  ancestor walk if they need it.

Tests flipped to match the new contract; ProjectCreate flow now
gives the creator real control over their project root.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 10:47:04 -05:00

ZDDC

cfa7732183

test(handler): lock-in invariants for admin/elevation/WORM behavior

Baseline test battery that pins the current auth-decision behavior so
the upcoming consolidation refactor (single bypass site in
InternalDecider.Allow) is validated against a green baseline.

Each test names one invariant; failure messages identify exactly
which property regressed. Coverage:

- Un-elevated admin cannot bypass WORM (PUT to issued/ → 403).
- Un-elevated admin cannot edit .zddc (Principal.gate() blocks).
- Elevated admin bypasses WORM (positive control).
- Elevated subtree admin writes within scope, blocked outside it.
- Strict-ancestor rule: subtree admin cannot edit own subtree's
  .zddc, can edit deeper .zddc.
- Empty email never matches.
- WORM cr survives for un-elevated document_controller (create OK,
  overwrite still stripped).
- project_team has read-only outside their auto-own home.
- Forward-auth /.auth/admin gates strictly on ROOT admins:.

wormbypass_test.go retained as the original repro of the live bitnest
observation (un-elevated user write succeeded under --no-auth=1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 09:12:37 -05:00

2 commits