You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Found during the 2026-07-07 architecture audit. Divergence between duplicated security checks was the top wrong-place-fix generator in the repo's fix history; this ticket removes the duplication rather than patching instances.
Scope
Rate limiting, implemented at least four times with no shared primitive: SelfAttestationRateLimiter (1,041 lines), MachineQuotaLimiter (its own doc comment says it mirrors the former), token-endpoint client-address limiting (api.rs:5539), sidecar TokenBucket, ConfigTrustRateLimit (this last is deleted by refactor: replace TUF governed-config machinery with signed config bundles (verify at boot, restart to apply) #314's break-glass simplification). Extract one shared limiter primitive (natural home: registry-platform-cache or a small platform module).
Error bodies: Notary hand-rolls RFC 9457 problem responses (~59 inline json! bodies in api.rs alone, plus problem_json_response at api.rs:2681) while Relay renders everything through shared registry_platform_httpsec::Problem by construction. Port Notary onto the shared type so the error contract (stable codes, scrubbing) is enforced structurally.
Copy-adapt guard families: the 12-function require_self_attestation_* / require_delegated_attestation_* family (api.rs:8045-9031) and the repeated ~300-line handler prologues in evaluate / issue_credential / batch_evaluate / render (idempotency, principal classification, rate-limit consumption, audit attachment). Extract shared guards so a fix cannot silently miss one branch.
Connector read matrix: ~25 near-identical async read functions (standalone.rs:5436-7100, per connector kind x subject/context x lookup/query x record/observed_at x one/many). Collapse the matrix.
Sidecar adapter re-implements miniature versions of server subsystems (own audit pipeline, bearer/API-key auth, rate limiting, OAuth2 token cache, governed acceptance) inside one 7,738-line file. Share with platform/server where possible.
Coordination
Overlaps the god-file split ticket (#304); sequence the api.rs/standalone.rs items with it.
Found during the 2026-07-07 architecture audit. Divergence between duplicated security checks was the top wrong-place-fix generator in the repo's fix history; this ticket removes the duplication rather than patching instances.
Scope
SelfAttestationRateLimiter(1,041 lines),MachineQuotaLimiter(its own doc comment says it mirrors the former), token-endpoint client-address limiting (api.rs:5539), sidecarTokenBucket,ConfigTrustRateLimit(this last is deleted by refactor: replace TUF governed-config machinery with signed config bundles (verify at boot, restart to apply) #314's break-glass simplification). Extract one shared limiter primitive (natural home:registry-platform-cacheor a small platform module).json!bodies inapi.rsalone, plusproblem_json_responseatapi.rs:2681) while Relay renders everything through sharedregistry_platform_httpsec::Problemby construction. Port Notary onto the shared type so the error contract (stable codes, scrubbing) is enforced structurally.require_self_attestation_*/require_delegated_attestation_*family (api.rs:8045-9031) and the repeated ~300-line handler prologues inevaluate/issue_credential/batch_evaluate/render(idempotency, principal classification, rate-limit consumption, audit attachment). Extract shared guards so a fix cannot silently miss one branch.standalone.rs:5436-7100, per connector kind x subject/context x lookup/query x record/observed_at x one/many). Collapse the matrix.Coordination
Overlaps the god-file split ticket (#304); sequence the api.rs/standalone.rs items with it.
Acceptance
httpsec::Problem.Security note
If this work surfaces a suspected vulnerability, report it per
SECURITY.md; do not post details on this issue.