ZDDC/zddc/cmd/zddc-server at a85b25ce0862b90cfec92b6f9a909c7f0fde68b8 - VARASYS/ZDDC

History

ZDDC a85b25ce08 feat(handler): audit log records active_admin alongside elevated The access log now reports whether the elevated user actually held admin authority on the request's target path — i.e., whether the single bypass branch in policy.InternalDecider.Allow would have fired here. Three states fall out: elevated=false, active_admin=false: normal user elevated=true, active_admin=false: opted into admin but no admin grant on this path (subtree- admin out of scope) elevated=true, active_admin=true: admin authority active for this path — WORM/ACL bypass Implementation: AccessLogMiddleware gains a cfg parameter and calls activeAdminForRequest at log emission, walking the closest existing ancestor (same logic the file API uses to build its ACL chain). The cascade is mtime-cached upstream so the per-request cost is one map lookup in the common case. Audit value: a reviewer can spot at a glance whether a destructive write was authorized by ACL or by admin bypass. Plus "elevated=true active_admin=false" rows surface users who tried to elevate outside their actual scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 09:26:13 -05:00
..
main.go	feat(handler): audit log records active_admin alongside elevated	2026-05-18 09:26:13 -05:00
main_test.go	feat(zddc): defaults — browse hosts the markdown editor for working/+reviewing/	2026-05-13 10:34:06 -05:00

ZDDC a85b25ce08 feat(handler): audit log records active_admin alongside elevated

The access log now reports whether the elevated user actually held
admin authority on the request's target path — i.e., whether the
single bypass branch in policy.InternalDecider.Allow would have
fired here. Three states fall out:

  elevated=false, active_admin=false: normal user
  elevated=true,  active_admin=false: opted into admin but no admin
                                       grant on this path (subtree-
                                       admin out of scope)
  elevated=true,  active_admin=true:  admin authority active for
                                       this path — WORM/ACL bypass

Implementation: AccessLogMiddleware gains a cfg parameter and calls
activeAdminForRequest at log emission, walking the closest existing
ancestor (same logic the file API uses to build its ACL chain).
The cascade is mtime-cached upstream so the per-request cost is one
map lookup in the common case.

Audit value: a reviewer can spot at a glance whether a destructive
write was authorized by ACL or by admin bypass. Plus "elevated=true
active_admin=false" rows surface users who tried to elevate outside
their actual scope.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 09:26:13 -05:00

main.go

feat(handler): audit log records active_admin alongside elevated

2026-05-18 09:26:13 -05:00

main_test.go

feat(zddc): defaults — browse hosts the markdown editor for working/+reviewing/

2026-05-13 10:34:06 -05:00