Add alpha-hardening ADRs and issue plan from pre-release audit.

Lock alpha scope, tracker auth, TOPLOC fraud verification, and deferred multi-tracker money-path work; supersede legacy fraud issues with ADR-0018.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
D.Popov
2026-07-04 23:12:09 +03:00
parent 7caf12980a
commit 68e057209c
35 changed files with 1550 additions and 4 deletions

View File

@@ -0,0 +1,41 @@
Status: ready-for-agent
# 01 — C1: Authenticate hive gossip endpoints
## What to build
Add authenticated peer identity to all tracker gossip mutation endpoints. Today any caller can push billing, account, and stats events without verification.
**Code refs:**
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_gossip` (~24142427)
- `packages/tracker/meshnet_tracker/server.py``_handle_accounts_gossip` (~26102623)
- `packages/tracker/meshnet_tracker/server.py``_handle_stats_gossip` (~23552364)
- `packages/tracker/meshnet_tracker/billing.py``apply_events` (~301311)
- `packages/tracker/meshnet_tracker/accounts.py``apply_events` (~220226)
Implement per ADR-0017 §3: shared hive HMAC (body + timestamp) or mutual TLS between configured tracker peers. Reject unauthenticated gossip with 401.
**Note:** `/v1/gossip` (node throughput fan-out, `server.py` ~1331) is **not** in scope for this issue — see ADR-0017 §3 out-of-scope note.
## Test-first
1. Red: unauthenticated POST to `/v1/billing/gossip` applies a credit event today — test must fail after fix.
2. Red: authenticated peer with valid HMAC applies events; invalid/missing auth returns 401 and `applied: 0`.
3. Green: implement verifier + config (`--hive-secret` or peer cert paths).
## Acceptance criteria
- [ ] `/v1/billing/gossip`, `/v1/accounts/gossip`, `/v1/stats/gossip` reject requests without valid hive auth
- [ ] Authenticated peers replicate events as today (id-dedup preserved)
- [ ] Config documented for multi-tracker dev setups
- [ ] Tests cover reject + accept paths without live network
## ADR links
- [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md)
- [ADR-0016](../../docs/adr/0016-alpha-scope-and-known-limitations.md)
## Blocked by
None — implement alongside or immediately before `02-a2-unified-auth-boundary.md`.