Skip to content

fix(notary): preserve federation denial audit context#337

Merged
jeremi merged 2 commits into
mainfrom
agent/np29-federation-audit-parity-327
Jul 10, 2026
Merged

fix(notary): preserve federation denial audit context#337
jeremi merged 2 commits into
mainfrom
agent/np29-federation-audit-parity-327

Conversation

@jeremi

@jeremi jeremi commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

Closes #327.

  • carry staged federation audit context through post-verification denial paths
  • retain assembled redacted context when federation response signing fails
  • keep pre-verification signature and emergency-denylist denials free of untrusted request metadata
  • strengthen federation HTTP coverage for replay, policy, claim mismatch, unknown/bad/denylisted keys, denylisted peer nodes, source-read ordering, signed stale-source errors, and raw-identifier non-disclosure
  • mark NP-29 Covered with named public evidence

Security review notes

This is security-sensitive audit and replay-path work.

  • Peer metadata enters the audit context only after the configured peer verifies the request signature.
  • Peer ids and request JTIs are keyed HMAC handles in emitted audit records.
  • Subject ids enter audit only through the existing pairwise subject-reference hash.
  • Raw subject ids, request JTIs, compact JWTs, credentials, and source tokens remain absent from audit records.
  • Invalid signatures, unknown keys, and emergency-denied keys and peer nodes retain minimal context because request claims are not trusted.
  • Replay insertion and all source-read ordering remain unchanged.
  • Audit hash construction now fails closed rather than silently dropping required context.
  • Audit sink failure behavior and existing success/signed-error audit behavior are unchanged.

Verification

Passed:

  • cargo fmt --check
  • git diff --check
  • release-map named-anchor existence check
  • cargo check --locked --workspace --all-targets
  • cargo clippy --locked --workspace --all-targets -- -D warnings
  • cargo clippy --locked -p registry-notary-server --all-targets -- -D warnings after the final review fix
  • cargo test --locked -p registry-notary-server
  • cargo test --locked -p registry-notary-server --features registry-notary-cel federation_ -- --test-threads=1
  • exact signing-failure finalization and isolated stale-source test filters
  • CARGO_PROFILE_TEST_DEBUG=0 cargo test --locked --workspace
  • cargo deny check
  • python3 release/scripts/check-gates-inventory.py
  • python3 -m unittest release/scripts/test_check_gates_inventory.py
  • products/notary: just openapi-check && just exposure-check
  • crates/registry-relay: just openapi-contract && just exposure-check

The full registry-notary-server CEL-feature suite reached 363 passing executions before the untouched cross_source_cel_claim_reads_dependencies_with_distinct_tokens test failed to build its router because its fixture omits the now-required deployment profile (deployment.profile_undeclared). The focused federation CEL suite passes, the default Notary suite passes, and root CI does not run the Notary all-feature suite. This PR does not mix that unrelated fixture repair into #327.

Docs-site checks were not run because docs/site did not change. The new amd64-only registryctl tutorial job is left to CI because the local host is arm64.

@jeremi jeremi force-pushed the agent/np29-federation-audit-parity-327 branch 2 times, most recently from fdea569 to cb2cc47 Compare July 10, 2026 10:54
jeremi added 2 commits July 10, 2026 18:23
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
@jeremi jeremi force-pushed the agent/np29-federation-audit-parity-327 branch from cb2cc47 to e4002dc Compare July 10, 2026 11:24
@jeremi jeremi enabled auto-merge (squash) July 10, 2026 11:24
@jeremi jeremi merged commit b7951c9 into main Jul 10, 2026
11 checks passed
@jeremi jeremi deleted the agent/np29-federation-audit-parity-327 branch July 10, 2026 11:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Decide and implement federation denied-audit parity for NP-29

1 participant