Files
neuron-tai/.scratch/alpha-hardening/issues/02-a2-unified-auth-boundary.md
D.Popov 68e057209c Add alpha-hardening ADRs and issue plan from pre-release audit.
Lock alpha scope, tracker auth, TOPLOC fraud verification, and deferred multi-tracker money-path work; supersede legacy fraud issues with ADR-0018.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-04 23:12:09 +03:00

2.3 KiB
Raw Blame History

Status: ready-for-agent

02 — A2: Unified auth boundary for privileged and financial reads

What to build

Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints.

Code refs:

  • packages/tracker/meshnet_tracker/server.py_handle_billing_forfeit (~24292464) — H3: non-empty Authorization only
  • packages/tracker/meshnet_tracker/server.py_handle_benchmark_hop_penalty (~26502658), _handle_benchmark_results (~27452748) — H3
  • packages/tracker/meshnet_tracker/server.py_handle_billing_summary (~23662371) — H4
  • packages/tracker/meshnet_tracker/server.py_handle_billing_settlements (~24072412) — H4
  • packages/tracker/meshnet_tracker/server.py_handle_registry_wallets (~23912405) — H4
  • packages/tracker/meshnet_tracker/server.py_session_account (~2468+), _handle_admin_accounts (~25882608) — H4
  • packages/tracker/meshnet_tracker/accounts.pysession_account(), create_session() only (session store; not handler wiring)

Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Forfeit validator identity: see 20-validator-service-token.md.

Test-first

  1. Red: POST /v1/billing/forfeit with Authorization: Bearer garbage succeeds today — must require validator/admin identity.
  2. Red: GET /v1/billing/summary without admin session returns 401/403.
  3. Green: middleware + role checks; existing inference API-key path unchanged.

Acceptance criteria

  • Single _require_auth(role=...) (or equivalent) used by all privileged handlers
  • Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
  • Financial read endpoints require admin session (alpha posture)
  • Benchmark write/read require admin or service token
  • Integration tests for each endpoint class (reject unauth, accept valid)
  • 20-validator-service-token.md — validator service token format, rotation, forfeit auth

Blocked by

  • 01-c1-gossip-auth.md (shared auth config)