Add alpha-hardening ADRs and issue plan from pre-release audit.

Lock alpha scope, tracker auth, TOPLOC fraud verification, and deferred multi-tracker money-path work; supersede legacy fraud issues with ADR-0018.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
D.Popov
2026-07-04 23:12:09 +03:00
parent 7caf12980a
commit 68e057209c
35 changed files with 1550 additions and 4 deletions

View File

@@ -0,0 +1,45 @@
Status: ready-for-agent
# 02 — A2: Unified auth boundary for privileged and financial reads
## What to build
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints.
**Code refs:**
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_forfeit` (~24292464) — H3: non-empty `Authorization` only
- `packages/tracker/meshnet_tracker/server.py``_handle_benchmark_hop_penalty` (~26502658), `_handle_benchmark_results` (~27452748) — H3
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_summary` (~23662371) — H4
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_settlements` (~24072412) — H4
- `packages/tracker/meshnet_tracker/server.py``_handle_registry_wallets` (~23912405) — H4
- `packages/tracker/meshnet_tracker/server.py``_session_account` (~2468+), `_handle_admin_accounts` (~25882608) — H4
- `packages/tracker/meshnet_tracker/accounts.py``session_account()`, `create_session()` only (session store; not handler wiring)
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Forfeit validator identity: see `20-validator-service-token.md`.
## Test-first
1. Red: POST `/v1/billing/forfeit` with `Authorization: Bearer garbage` succeeds today — must require validator/admin identity.
2. Red: GET `/v1/billing/summary` without admin session returns 401/403.
3. Green: middleware + role checks; existing inference API-key path unchanged.
## Acceptance criteria
- [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers
- [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
- [ ] Financial read endpoints require admin session (alpha posture)
- [ ] Benchmark write/read require admin or service token
- [ ] Integration tests for each endpoint class (reject unauth, accept valid)
## ADR links
- [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md)
## Related
- `20-validator-service-token.md` — validator service token format, rotation, forfeit auth
## Blocked by
- `01-c1-gossip-auth.md` (shared auth config)