fix(kernel): preserve device attenuation across authority views#1238
Open
joshuajbouw wants to merge 11 commits into
Open
fix(kernel): preserve device attenuation across authority views#1238joshuajbouw wants to merge 11 commits into
joshuajbouw wants to merge 11 commits into
Conversation
This was referenced Jul 14, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR closes #1237 by ensuring the authenticating device’s DeviceScope attenuation is consistently applied across kernel “secondary” authority views (capsule inventory surfaces, admin agent/group listing, and pair-device delegation), and by hardening profile-cache invalidation against concurrent stale-load republish.
Changes:
- Centralizes device-scope resolution into a shared helper and applies it to capsule inventory visibility plus agent/group list “global view” gates.
- Tightens pair-device issuing rules so scoped requests containing a bare
*require effectiveself:auth:pair:admin, and unknown/malformed/revoked device IDs fail closed. - Makes
astrid-capsule’sPrincipalProfileCacheinvalidation generation-aware to prevent stale concurrent disk loads from republishing pre-invalidation authority.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| crates/astrid-kernel/src/kernel_router/tests.rs | Adds regression coverage asserting device attenuation is preserved across capsule inventory endpoints and unknown/malformed device IDs fail closed. |
| crates/astrid-kernel/src/kernel_router/mod.rs | Wires device_key_id into capsule inventory visibility and centralizes device scope resolution for request authorization and visibility. |
| crates/astrid-kernel/src/kernel_router/device_scope.rs | Introduces shared, fail-closed device-scope resolver for kernel authority checks. |
| crates/astrid-kernel/src/kernel_router/admin/state_tests.rs | Adds regression ensuring agent list global visibility is attenuated by device scope. |
| crates/astrid-kernel/src/kernel_router/admin/state_tests_group.rs | Adds regression ensuring group list global visibility is attenuated by device scope. |
| crates/astrid-kernel/src/kernel_router/admin/pair_device_tests.rs | Expands coverage for unknown/revoked issuer devices, universal * scoped mint gate, and deny inheritance behavior. |
| crates/astrid-kernel/src/kernel_router/admin/pair_device_handlers.rs | Applies authenticated device scope to the issuer effective-capability checks and adds universal * scoped mint gate. |
| crates/astrid-kernel/src/kernel_router/admin/mod.rs | Ensures admin dispatch passes authenticated device id through for secondary views and delegation. |
| crates/astrid-kernel/src/kernel_router/admin/handlers.rs | Applies authenticated device scope when deciding whether AgentList can return the global roster. |
| crates/astrid-kernel/src/kernel_router/admin/group.rs | Applies authenticated device scope when deciding whether GroupList can return the global group view. |
| crates/astrid-capsule/src/profile_cache.rs | Adds generation tracking so invalidation prevents stale concurrent loads from republishing prior profiles. |
| CHANGELOG.md | Documents the security fix under [Unreleased]. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5b5cbcd to
b93409c
Compare
This was referenced Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linked Issue
Closes #1237
Refs #1228 and astrid-runtime/rfcs#36.
Summary
Preserves the authenticating device's attenuation across every kernel authority view touched by capsule inventory, agent/group listing, and pair-device delegation. No product-specific trust path or public wire change is introduced.
Changes
Fulldevice behaviorself:auth:pair:adminbefore a scoped child may contain bare*Verification
cargo fmt --all -- --checkgit diff --checkFull, scoped allow/deny, malformed, unknown, revoked, concurrent stale-profile, cross-principal invalidation, and denial-reason opacityChecklist
[Unreleased]