Lock alpha scope, tracker auth, TOPLOC fraud verification, and deferred multi-tracker money-path work; supersede legacy fraud issues with ADR-0018. Co-authored-by: Cursor <cursoragent@cursor.com>
4.0 KiB
ADR-0017: Tracker authentication and authorization
Status: Accepted
Context
The tracker exposes three overlapping trust domains:
- Client API access — Bearer API keys for inference and billing (partially gated today).
- Operator/admin access — session-based accounts in
packages/tracker/meshnet_tracker/accounts.py(registration, login, admin listing). - Hive replication — gossip endpoints that mutate billing, accounts, and stats without authentication today.
Financial and registry endpoints leak through inconsistent checks: some handlers require only a non-empty Authorization header (header-presence stub), while gossip accepts arbitrary peer events. Alpha requires a single auth boundary before any state mutation or privileged read.
Decisions
1. Account subsystem (accounts.py)
- First registered account is admin; subsequent accounts are
user. - Login identifiers: email or wallet address + PBKDF2-SHA256 password.
- API keys (
sk-mesh-…) are scoped to an account; revocation is event-sourced and gossip-replicated. - Sessions are local (bearer tokens in memory, 7-day TTL) — not replicated across the hive. Each tracker validates its own sessions.
- Account mutations persist to SQLite and replicate via
/v1/accounts/gossipevents.
2. Client inference auth
POST /v1/chat/completionsrequires a valid, non-revoked API key and positive ledger balance (402 if broke).- Starting credit is 0 for new API keys (ADR-0016 / issue C5). No implicit faucet; clients must deposit mock-USDT via bound wallet (US-032) or admin credit.
3. Gossip auth (alpha blocker)
All hive mutation endpoints require authenticated peer identity:
/v1/billing/gossip— billing event replication/v1/accounts/gossip— account/key replication/v1/stats/gossip— rolling RPM merge
Acceptable alpha mechanisms (pick one in implementation):
- Shared hive secret (HMAC over request body + timestamp, configured on all trackers), or
- Mutual TLS between tracker peers (extends ADR-0010 relay TLS pattern).
Followers must reject events from unauthenticated callers. Read-only endpoints (/dashboard, /v1/stats GET) may remain public on LAN alpha deployments.
Out of scope (alpha): POST /v1/gossip — node throughput / peer fan-out gossip (server.py ~1331), distinct from hive mutation endpoints above. Document as unauthenticated alpha limitation; authenticate in a future ADR amendment when node identity binding exists (issue 01 tracks hive endpoints only).
4. Privileged operator endpoints
These require real auth — not header presence alone:
| Endpoint | Required role |
|---|---|
POST /v1/billing/forfeit |
Validator service identity or admin session |
POST /v1/benchmark/hop-penalty |
Admin session or service token |
GET /v1/benchmark/results |
Admin session or service token |
GET /v1/admin/accounts |
Admin session |
GET /v1/billing/summary, /v1/billing/settlements, /v1/registry/wallets |
Admin session (alpha: restrict financial reads) |
The unified auth middleware resolves: API key → account; session token → account + role; service token → validator; hive HMAC → peer.
5. Node registration
Node POST /v1/register is open (ADR-0016) but banned wallets are rejected at registration and excluded from routing. Wallet binding for client deposits (POST /v1/wallet/register) requires a valid API key and cryptographic ownership proof (issue C6).
Consequences
- Gossip authentication (C1) and unified auth boundary (A2) are prerequisites for fraud penalties and billing fixes — an attacker can otherwise forge credits, strikes, or forfeit events.
- Session locality means admin login is per-tracker URL; document in runbooks.
- Multi-tracker auth evolution (client-signed commands) is deferred to ADR-0019.
Related
- ADR-0016 (alpha scope)
- ADR-0015 (billing gate on inference)
.scratch/alpha-hardening/issues/01-c1-gossip-auth.md,02-a2-unified-auth-boundary.md