Skip to content

dedupe hand-rolled security-sensitive infrastructure across products #306

Description

@jeremi

Found during the 2026-07-07 architecture audit. Divergence between duplicated security checks was the top wrong-place-fix generator in the repo's fix history; this ticket removes the duplication rather than patching instances.

Scope

  • Rate limiting, implemented at least four times with no shared primitive: SelfAttestationRateLimiter (1,041 lines), MachineQuotaLimiter (its own doc comment says it mirrors the former), token-endpoint client-address limiting (api.rs:5539), sidecar TokenBucket, ConfigTrustRateLimit (this last is deleted by refactor: replace TUF governed-config machinery with signed config bundles (verify at boot, restart to apply) #314's break-glass simplification). Extract one shared limiter primitive (natural home: registry-platform-cache or a small platform module).
  • Error bodies: Notary hand-rolls RFC 9457 problem responses (~59 inline json! bodies in api.rs alone, plus problem_json_response at api.rs:2681) while Relay renders everything through shared registry_platform_httpsec::Problem by construction. Port Notary onto the shared type so the error contract (stable codes, scrubbing) is enforced structurally.
  • Copy-adapt guard families: the 12-function require_self_attestation_* / require_delegated_attestation_* family (api.rs:8045-9031) and the repeated ~300-line handler prologues in evaluate / issue_credential / batch_evaluate / render (idempotency, principal classification, rate-limit consumption, audit attachment). Extract shared guards so a fix cannot silently miss one branch.
  • Connector read matrix: ~25 near-identical async read functions (standalone.rs:5436-7100, per connector kind x subject/context x lookup/query x record/observed_at x one/many). Collapse the matrix.
  • Sidecar adapter re-implements miniature versions of server subsystems (own audit pipeline, bearer/API-key auth, rate limiting, OAuth2 token cache, governed acceptance) inside one 7,738-line file. Share with platform/server where possible.

Coordination

Overlaps the god-file split ticket (#304); sequence the api.rs/standalone.rs items with it.

Acceptance

Security note

If this work surfaces a suspected vulnerability, report it per SECURITY.md; do not post details on this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:notaryRegistry Notary ownership.area:platformRegistryStack platform and cross-product ownership.area:relayRegistry Relay ownership.criticality:p2Priority/criticality P2.rustRust implementation work.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions