Add fail-closed pipeline, service auth, CSRF, supply chain pinning, and CI hardening (M26)

Phase 1 — Fail-closed quarantine pipeline:
- Remote artifacts without pinned hashes now hard-fail (Stage 3)
- Missing modelscan hard-fails when require_scan is true (Stage 5)
- Scanner versions (modelscan, cosign, llama-server) recorded in all stage results
- Watcher sends source URL, source revision, scanner versions, and policy hash to registry on promotion
- Model catalog entries gain expected_sha256 and expected_size_bytes fields
- Download path validates size/hash and restricts git-clone to allowlisted sources

Phase 2 — Localhost binding & service-to-service auth:
- Registry, tool-firewall, airlock default bind changed from 0.0.0.0 to 127.0.0.1
- Bootstrap service token generated at first boot (/run/secure-ai/service-token)
- Mutating endpoints (promote, delete, reload) require Bearer token; read-only endpoints stay open
- Graceful degradation: no token file = dev mode (no auth enforced)

Phase 3 — CSRF & session hardening:
- Double-submit cookie CSRF protection on all state-changing routes
- Transparent fetch() patching in base.html auto-includes X-CSRF-Token header
- Exemptions for service-to-service calls (valid Bearer token), pre-auth routes, and first-boot
- Session regeneration on login, secret key rotation on passphrase change (invalidates all sessions)
- Re-auth required for emergency panic level 2+

Phase 5 — Supply chain pinning:
- All Containerfile base images digest-pinned (python, golang, alpine)
- Python dependencies locked with pip-compile --generate-hashes
- Recipe base image pinning guidance added
- Container pin and action pin verification scripts

Phase 6 — CI/CD hardening:
- All GitHub Actions SHA-pinned with version comments
- CodeQL scanning workflow for Go and Python
- SBOM generation (CycloneDX) and cosign attestation in build workflow
- Pin enforcement CI job

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: SecAI-Hub

.github/scripts/check-action-pins.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Verify all GitHub Actions use SHA-pinned versions
+set -euo pipefail
+ERRORS=0
+for f in .github/workflows/*.yml .github/workflows/*.yaml; do
+    [ -f "$f" ] || continue
+    while IFS= read -r line; do
+        # Match "uses: owner/repo@" lines that don't have a 40-char hex SHA
+        if echo "$line" | grep -qE '^\s*-?\s*uses:\s+[^/]+/[^@]+@' && \
+           ! echo "$line" | grep -qE '@[0-9a-f]{40}(\s|$)'; then
+            echo "ERROR: $f has unpinned action: $(echo "$line" | sed 's/^[[:space:]]*//')"
+            ERRORS=$((ERRORS + 1))
+        fi
+    done < "$f"
+done
+if [ $ERRORS -gt 0 ]; then
+    echo "FAIL: $ERRORS unpinned action(s) found"
+    exit 1
+fi
+echo "OK: All actions are SHA-pinned"

.github/scripts/check-container-pins.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Verify all Containerfiles use digest-pinned base images.
+# Usage: .github/scripts/check-container-pins.sh
+set -euo pipefail
+
+ERRORS=0
+WARNINGS=0
+
+for f in $(find services/ -name 'Containerfile' -o -name 'Dockerfile'); do
+    while IFS= read -r line; do
+        # Skip comments and empty lines
+        [[ "$line" =~ ^[[:space:]]*# ]] && continue
+        [[ -z "$line" ]] && continue
+
+        if echo "$line" | grep -qE '^FROM '; then
+            # Allow ARG-interpolated tags (e.g. ${COMPUTE}) with a warning
+            if echo "$line" | grep -q '\${'; then
+                if ! echo "$line" | grep -q '@sha256:'; then
+                    echo "WARN: $f has dynamic unpinned base image: $line"
+                    WARNINGS=$((WARNINGS + 1))
+                fi
+                continue
+            fi
+
+            if ! echo "$line" | grep -q '@sha256:'; then
+                echo "ERROR: $f has unpinned base image: $line"
+                ERRORS=$((ERRORS + 1))
+            fi
+        fi
+    done < "$f"
+done
+
+if [ $WARNINGS -gt 0 ]; then
+    echo "WARN: $WARNINGS dynamic base image(s) could not be verified (use per-variant pinning)"
+fi
+
+if [ $ERRORS -gt 0 ]; then
+    echo "FAIL: $ERRORS unpinned base image(s) found"
+    exit 1
+fi
+
+echo "OK: All static base images are digest-pinned"

.github/workflows/build.yml

@@ -29,10 +29,28 @@ jobs:
           - recipe.yml
     steps:
       - name: Build Custom Image
-        uses: blue-build/github-action@v1.11
+        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1.11.1
         with:
           recipe: ${{ matrix.recipe }}
           cosign_private_key: ${{ secrets.SIGNING_SECRET }}
           registry_token: ${{ github.token }}
           pr_event_number: ${{ github.event.number }}
           maximize_build_space: true
+
+      - name: Generate SBOM
+        if: github.event_name != 'pull_request'
+        uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+
+      - name: Attest SBOM
+        if: github.event_name != 'pull_request'
+        run: |
+          cosign attest --type cyclonedx \
+            --predicate sbom.cdx.json \
+            --key env://COSIGN_PRIVATE_KEY \
+            ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}

.github/workflows/ci.yml

@@ -28,8 +28,8 @@ jobs:
       matrix:
         service: [registry, tool-firewall, airlock]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: "1.23"
           cache-dependency-path: services/${{ matrix.service }}/go.sum
@@ -52,8 +52,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: "1.23"
           cache-dependency-path: services/registry/go.sum
@@ -68,8 +68,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.12"
 
@@ -94,7 +94,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Lint shell scripts
         run: |
@@ -111,8 +111,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.12"
 
@@ -135,3 +135,12 @@ jobs:
                       errors += 1
           sys.exit(errors)
           "
+
+  check-pins:
+    name: Verify action pins
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: bash .github/scripts/check-action-pins.sh

.github/workflows/codeql.yml

@@ -0,0 +1,40 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 6am UTC
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze-go:
+    name: Analyze Go
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+        with:
+          languages: go
+      - uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+      - uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+        with:
+          category: go
+
+  analyze-python:
+    name: Analyze Python
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+        with:
+          languages: python
+      - uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+      - uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
+        with:
+          category: python

files/system/usr/lib/systemd/system/secure-ai-airlock.service

@@ -10,11 +10,13 @@ Environment=BIND_ADDR=127.0.0.1:8490
 Environment=POLICY_PATH=/etc/secure-ai/policy/policy.yaml
 Environment=SOURCES_ALLOWLIST_PATH=/etc/secure-ai/policy/sources.allowlist.yaml
 Environment=AUDIT_LOG_PATH=/var/lib/secure-ai/logs/airlock-audit.jsonl
+Environment=SERVICE_TOKEN_PATH=/run/secure-ai/service-token
 
 # Filesystem isolation
 DynamicUser=yes
 LogsDirectory=secure-ai
 ReadOnlyPaths=/etc/secure-ai
+ReadOnlyPaths=/run/secure-ai
 ReadWritePaths=/var/lib/secure-ai/logs
 # NOTE: NO PrivateNetwork — airlock is the ONLY service with outbound access
 PrivateTmp=yes

files/system/usr/lib/systemd/system/secure-ai-quarantine-watcher.service

@@ -13,11 +13,13 @@ Environment=POLICY_PATH=/etc/secure-ai/policy/policy.yaml
 Environment=MODELS_LOCK_PATH=/etc/secure-ai/policy/models.lock.yaml
 Environment=AUDIT_LOG_PATH=/var/lib/secure-ai/logs/quarantine-audit.jsonl
 Environment=LLAMA_SERVER_BIN=/usr/bin/llama-server
+Environment=SERVICE_TOKEN_PATH=/run/secure-ai/service-token
 
 # Filesystem isolation
 DynamicUser=yes
 LogsDirectory=secure-ai
 ReadOnlyPaths=/etc/secure-ai
+ReadOnlyPaths=/run/secure-ai
 ReadWritePaths=/var/lib/secure-ai/quarantine
 ReadWritePaths=/var/lib/secure-ai/registry
 ReadWritePaths=/var/lib/secure-ai/logs

files/system/usr/lib/systemd/system/secure-ai-registry.service

@@ -10,12 +10,14 @@ Environment=BIND_ADDR=127.0.0.1:8470
 Environment=REGISTRY_DIR=/var/lib/secure-ai/registry
 Environment=REGISTRY_LOCK_PATH=/etc/secure-ai/policy/models.lock.yaml
 Environment=AUDIT_LOG_PATH=/var/lib/secure-ai/logs/registry-audit.jsonl
+Environment=SERVICE_TOKEN_PATH=/run/secure-ai/service-token
 
 # Filesystem isolation
 DynamicUser=yes
 StateDirectory=secure-ai/registry
 LogsDirectory=secure-ai
 ReadOnlyPaths=/etc/secure-ai
+ReadOnlyPaths=/run/secure-ai
 ReadWritePaths=/var/lib/secure-ai/registry
 ReadWritePaths=/var/lib/secure-ai/logs
 PrivateNetwork=yes

files/system/usr/lib/systemd/system/secure-ai-tool-firewall.service

@@ -9,11 +9,13 @@ ExecStart=/usr/libexec/secure-ai/tool-firewall
 Environment=BIND_ADDR=127.0.0.1:8475
 Environment=POLICY_PATH=/etc/secure-ai/policy/policy.yaml
 Environment=AUDIT_LOG_PATH=/var/lib/secure-ai/logs/tool-firewall-audit.jsonl
+Environment=SERVICE_TOKEN_PATH=/run/secure-ai/service-token
 
 # Filesystem isolation
 DynamicUser=yes
 LogsDirectory=secure-ai
 ReadOnlyPaths=/etc/secure-ai
+ReadOnlyPaths=/run/secure-ai
 ReadOnlyPaths=/var/lib/secure-ai/vault
 ReadWritePaths=/var/lib/secure-ai/logs
 PrivateNetwork=yes

files/system/usr/lib/systemd/system/secure-ai-ui.service

@@ -18,6 +18,7 @@ Environment=QUARANTINE_DIR=/var/lib/secure-ai/quarantine
 Environment=SECURE_AI_ROOT=/var/lib/secure-ai
 Environment=AUTH_DATA_DIR=/var/lib/secure-ai/auth
 Environment=AUDIT_LOG_PATH=/var/lib/secure-ai/logs/ui-audit.jsonl
+Environment=SERVICE_TOKEN_PATH=/run/secure-ai/service-token
 
 # Filesystem isolation
 DynamicUser=yes