Deliver P4 strategic tranche: ADR, P2P auth token, async signature tests.

johnteee · cursoragent · johnteee · commit 3a85773da105 · 2026-05-29T21:05:06.000+08:00
Document JSONL/NFS and MCP TLS posture (ADR 0008), optional
TEAAGENT_FEDERATED_SIGNATURE_TOKEN for file-based multi-sig, fix signature
poll when pending_approvals is created late, verify jaraco.context&gt;=6.1.0 in
selftest, and add async collect_approval_signatures regression tests.

Constraint: HTTP P2P transport and SQLite audit migration remain future work.
Tested: tests/test_federated_sync.py (21 passed); pre-commit pytest smoke (106 passed).
Confidence: high
Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -205,6 +205,11 @@ Remaining concurrency limitations:
 
 ## Dependency auditing
 
+**CVE-2026-23949 (`jaraco.context` Zip Slip):** TeaAgent constrains transitive
+installs to `jaraco-context>=6.1.0` via `[tool.uv] constraint-dependencies` in
+`pyproject.toml`. `teaagent selftest` fails if an older `jaraco.context` is present
+in the environment (Dependabot alert #10 should clear after lockfile rescan).
+
 CI runs `pip-audit` on the editable install and on `uv export` output (see
 `.github/workflows/security.yml`). Local check:
 
diff --git a/docs/adr/0008-p4-strategic-posture.md b/docs/adr/0008-p4-strategic-posture.md
@@ -0,0 +1,55 @@
+# ADR 0008: P4 strategic posture (storage, TLS, P2P auth)
+
+## Status
+
+Accepted — incremental delivery; full multi-node production remains future work.
+
+## Context
+
+Post-audit remediation P1–P3 closed harness correctness, docs, and CI gates.
+P4 items are quarter-scale: distributed JSONL, MCP TLS, authenticated P2P
+multi-sig transport, and transitive dependency hygiene (Dependabot #10 /
+CVE-2026-23949 on `jaraco.context`).
+
+## Decisions
+
+### 1. JSONL locking and NFS
+
+- **Single-node / single-writer workspace:** keep `fcntl.LOCK_EX` on audit and
+  memory JSONL; `atomic_write_text` for RunStore and federated state files.
+- **NFS or multi-writer shared roots:** not supported for JSONL stores; operators
+  must use one writer per workspace or migrate hot paths to SQLite/Postgres
+  (OAuth store and Context Bus already SQLite-backed).
+- **Migration path (future):** optional `SQLiteAuditStore` / shared DB for
+  RunStore behind feature flags — not started in P4 tranche.
+
+### 2. MCP TLS
+
+- **No native TLS in `serve_mcp_http`** — same as ADR 0005; terminate TLS at
+  Caddy/nginx (see `templates/reverse-proxy/`).
+- **`TEAAGENT_STRICT_LOCAL=1`** requires bearer/OAuth even on loopback for MCP HTTP.
+
+### 3. Authenticated P2P multi-sig (file transport)
+
+- File-based multi-sig remains **experimental** (not production WAN transport).
+- **P4 tranche:** optional `TEAAGENT_FEDERATED_SIGNATURE_TOKEN` — signature JSON
+  files must carry matching `auth_token` when the env var is set.
+- **Future:** HTTP webhook channel with Bearer token (same shape as vote relay);
+  reuse `surface_auth` token files.
+
+### 4. `jaraco.context` (CVE-2026-23949)
+
+- Constrain transitive installs to **`jaraco-context>=6.1.0`** via `[tool.uv]`
+  `constraint-dependencies` in `pyproject.toml`.
+- Security selftest verifies installed version when the package is present.
+
+## Consequences
+
+- Operators on NFS must not run concurrent TeaAgent writers on the same JSONL paths.
+- WAN MCP and federated multi-sig require reverse proxy + env tokens until HTTP P2P ships.
+- Dependabot alert #10 should clear once GitHub rescans `uv.lock` at 6.1.2+.
+
+## Alternatives considered
+
+- **Native MCP TLS:** rejected — duplicates proxy features and cert rotation burden.
+- **Immediate JSONL→DB migration:** deferred — large schema and replay compatibility work.
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -306,11 +306,14 @@ User / CLI
 | `AuditLogger`    | JSONL   | `fcntl.LOCK_EX` + `fsync`            | Per-run event log            |
 | `MemoryCatalog`  | JSONL   | `fcntl.LOCK_EX` + `fsync`            | Workspace observations       |
 | `RunStore`       | JSONL   | `atomic_write_text` (lock + replace) | Run history and replay       |
-| `UltraworkStore` | JSONL   | `atomic_write_text`                  | Worker lifecycle records     |
+| `UltraworkStore`  | JSONL   | `atomic_write_text`                  | Worker lifecycle records     |
 | `SQLiteOAuthStore`| SQLite | WAL + `BEGIN IMMEDIATE`              | OAuth clients/codes/nonces   |
 | `ContextBus`      | SQLite | WAL; per-thread connections        | Cross-agent Delta cards      |
 | `FederatedGraphSync` | JSON | none (single-writer file)         | Graph sync state + exports   |
 
+JSONL rows assume a **single writer per workspace** on a local or advisory-lock-safe
+filesystem. NFS multi-writer shared roots are unsupported — see [ADR 0008](adr/0008-p4-strategic-posture.md).
+
 All state is externalized to the filesystem. In-memory runner state is
 temporary only — every meaningful event persists to disk before the caller
 sees the result.
diff --git a/docs/http-surface-auth.md b/docs/http-surface-auth.md
@@ -39,6 +39,7 @@ When `--api-token-file` is omitted, relay serve loads the first existing file:
 | `TEAAGENT_ALLOW_DEV_SIGNATURES=1` | Allow dev-hash signatures (multi-sig / relay dev mode only) |
 | `TEAAGENT_PLUGINS_STRICT=1` | Block unverified plugin entry points (site-packages / unknown source) |
 | `TEAAGENT_PRECOMMIT_FULL=1` | Run full pytest in pre-commit (default: smoke subset) |
+| `TEAAGENT_FEDERATED_SIGNATURE_TOKEN` | Require matching `auth_token` on file-based P2P approval signatures |
 
 ## Headers
 
@@ -80,6 +81,26 @@ teaagent consensus relay serve \
 
 Requires client certificates signed by `client-ca.pem`.
 
+## MCP HTTP TLS (native TLS not supported)
+
+`teaagent mcp serve --http` does **not** terminate TLS in-process (see
+[ADR 0005](adr/0005-mcp-streamable-http.md) and [ADR 0008](adr/0008-p4-strategic-posture.md)).
+For remote clients:
+
+1. Bind MCP to loopback (`127.0.0.1`) or a private interface.
+2. Terminate TLS at Caddy/nginx using [`templates/reverse-proxy/`](../templates/reverse-proxy/).
+3. Set `TEAAGENT_STRICT_LOCAL=1` when the proxy forwards to loopback so bearer/OAuth
+   is still required on the upstream hop.
+
+## Federated multi-sig file transport
+
+| Variable | Effect |
+|----------|--------|
+| `TEAAGENT_FEDERATED_SIGNATURE_TOKEN` | When set, P2P signature files under `.teaagent/pending_approvals/` must include matching `auth_token` |
+
+File-based multi-sig remains experimental; WAN deployments should use relay/control-plane
+Bearer tokens until HTTP P2P transport ships (ADR 0008).
+
 ## Reverse proxy templates
 
 See [`templates/reverse-proxy/`](../templates/reverse-proxy/) for Caddy and nginx examples that:
diff --git a/docs/plans/remediation-roadmap.md b/docs/plans/remediation-roadmap.md
@@ -60,12 +60,16 @@ Principle: **smallest verifiable step** per phase; no big-bang refactors.
 
 ## Phase P4 — Strategic (quarters)
 
-| Item | Reference |
-|------|-----------|
-| Distributed JSONL locks / DB migration | threat-model, NFS note |
-| Native MCP TLS | reverse-proxy termination |
-| Authenticated P2P multi-sig transport | federated_sync HTTP channel |
-| Dependabot #10 dependency bump | Security UI |
+| # | Item | Status | Reference |
+|---|------|--------|-----------|
+| P4.1 | JSONL / NFS posture + migration ADR | ✅ tranche | [ADR 0008](../adr/0008-p4-strategic-posture.md), threat-model NFS row |
+| P4.2 | MCP TLS via reverse proxy (no native TLS) | ✅ documented | [http-surface-auth.md](../http-surface-auth.md), ADR 0008 |
+| P4.3 | File P2P signature `auth_token` when `TEAAGENT_FEDERATED_SIGNATURE_TOKEN` set | ✅ shipped | `federated_sync.py`, `security_env.py` |
+| P4.3b | HTTP P2P multi-sig channel | 🔲 future | ADR 0008 — reuse relay bearer shape |
+| P4.4 | `jaraco.context` CVE-2026-23949 (Dependabot #10) | ✅ constrained | `pyproject.toml` `jaraco-context>=6.1.0`, `selftest` version check |
+| P4.5 | Async `collect_approval_signatures` unit tests | ✅ shipped | `tests/test_federated_sync.py` |
+
+Full SQLite audit/run migration remains **P4+ / backlog** — not started.
 
 ---
 
diff --git a/docs/threat-model.md b/docs/threat-model.md
@@ -25,13 +25,14 @@ This document maps threats to mitigations and verification. It complements [tool
 | Context Bus SQLite lock contention / transaction leaks | Medium | Per-thread SQLite connections (`threading.local`); `timeout=5.0` on connect; WAL pragmas on each new connection; `_execute_with_retry` with exponential backoff (5 retries) + generation-based reconnect (per-thread only); explicit `conn.rollback()` on write failure; `cleanup_old_deltas` scoped to `workflow_id` | `tests/test_phase5_context_bus.py` (incl. parallel publish + workflow-scoped cleanup), `tests/test_remediation_p1_p2.py` | — |
 | Federated sync state corruption on crash | Medium | `atomic_write_text` + file lock on `federated_sync_state.json`; lock on pending changes | `tests/test_federated_sync.py` | File-based multi-sig quorum still experimental |
 | JIT approval server race on approve/reject | Medium | `threading.Lock` on `_requests` / `_pending_events` | `tests/test_phase5_jit_approval_server.py` | Approve from thread without running event loop still drops SSE broadcast |
-| Asyncio event loop starvation from synchronous P2P approval polling | High | `collect_approval_signatures` is `async def` with `asyncio.sleep`; blocking I/O uses `run_in_executor`; `_collect_peer_signatures` dispatches via `run_coroutine_threadsafe` or `asyncio.run()` | `tests/test_federated_sync.py`, `tests/test_policy.py` (`MultiSigQuorumTests`) | Dedicated async poll unit test still optional |
+| Asyncio event loop starvation from synchronous P2P approval polling | High | `collect_approval_signatures` is `async def` with `asyncio.sleep`; blocking I/O uses `run_in_executor`; `_collect_peer_signatures` dispatches via `run_coroutine_threadsafe` or `asyncio.run()` | `tests/test_federated_sync.py` (`test_collect_approval_signatures_async_non_blocking`, quorum/dedup) | — |
 | Shell normalization bypass via brace expansion / process substitution | High | Multi-pass `_normalize_shell_arg` now handles `{a,b}` expansion, `<()` process substitution, and non-string/non-list fallback | `tests/test_policy.py` | Catches `/pr{od,oduction}`, `<(echo /prod)`, dict-type command args |
 | Protected directory bypass via alternate write tools | High | `workspace_write_*` tool pattern + `.git*` argument pattern covers all write tools and subdirectory contents | `tests/test_policy.py`, `tests/test_file_policy.py` | Previously only `workspace_write_file` was covered |
 | Swarm hang / undetected thread deadlock | High | `ThreadPoolExecutor.as_completed(timeout=...)` with partial result collection; `Subagent` tracks `is_running`/`last_heartbeat`; `_heartbeat_monitor_loop` uses thread-ref liveness instead of defunct PID-based `is_process_alive`; heartbeat hangs merged into swarm `results` | `tests/test_swarm.py`, `tests/test_remediation_p1_p2.py` | Previously heartbeat monitor checked parent PID (always alive) — now detects actual thread hangs |
 | Git stash stack corruption in parallel sandboxes | Critical | `stash_save` returns actual stash reflog selector; `stash_pop` accepts specific ref | `tests/test_sandbox.py` | Previously hardcoded `stash@{0}` caused cross-agent stash confusion |
 | Workflow self-healing infinite recursion | High | `_execute_step` accepts `current_attempt` parameter preserved across recursive re-execution; abort guard checks attempts against max before proceeding | `tests/test_phase5_workflow_engine.py` | Previously `self_healing_attempts` reset to 0 on new `StepExecution` — now passed through recursion chain |
 | Workflow strict validation rollback never executed | High | `execute_workflow` integrates `UndoJournal` + `AuditLogger`; checks `result.requires_rollback` and calls `journal.restore()` on strict validation failure | `tests/test_remediation_p1_p2.py` (`WorkflowRollbackTests`), `tests/test_phase5_workflow_engine.py` | Previously `requires_rollback` flag set but never consumed — now triggers full workspace undo |
+| NFS / multi-writer JSONL corruption | High | Single-writer per workspace; `fcntl` + `atomic_write_text` on supported local FS; SQLite for Context Bus / OAuth | ADR 0008, `teaagent selftest` | Do not share `.teaagent/runs/*.jsonl` across concurrent hosts on NFS without DB migration |
 
 ## Trust Boundaries
 
diff --git a/teaagent/federated_sync.py b/teaagent/federated_sync.py
@@ -19,6 +19,7 @@
 from typing import Any, Optional
 
 from teaagent.graphqlite_store import GraphQLiteGraphStore
+from teaagent.security_env import federated_signature_token
 from teaagent.storage import atomic_write_text
 
 logger = logging.getLogger(__name__)
@@ -534,21 +535,20 @@ async def collect_approval_signatures(
         seen_peers: set[str] = set()
         approvals_dir = self._root / '.teaagent' / 'pending_approvals'
 
-        if not approvals_dir.exists():
-            return signatures
-
         # Poll for incoming signature files using async sleep
         poll_interval = 0.1
-        max_polls = int(timeout_seconds / poll_interval)
+        max_polls = max(1, int(timeout_seconds / poll_interval))
         polls = 0
 
         loop = asyncio.get_running_loop()
 
         while polls < max_polls:
-            sig_files = await loop.run_in_executor(
-                None,
-                lambda: list(approvals_dir.glob(f'{request_id}_signature_*.json')),
-            )
+            sig_files: list[Path] = []
+            if approvals_dir.exists():
+                sig_files = await loop.run_in_executor(
+                    None,
+                    lambda: list(approvals_dir.glob(f'{request_id}_signature_*.json')),
+                )
 
             for sig_file in sig_files:
                 try:
@@ -557,6 +557,12 @@ async def collect_approval_signatures(
                         functools.partial(sig_file.read_text, encoding='utf-8'),
                     )
                     data = json.loads(content)
+                    expected_token = federated_signature_token()
+                    if (
+                        expected_token is not None
+                        and data.get('auth_token') != expected_token
+                    ):
+                        continue
                     peer_id = data['peer_id']
                     if peer_id in seen_peers:
                         continue
@@ -609,13 +615,16 @@ def submit_approval_signature(
             )
             sig_path.parent.mkdir(parents=True, exist_ok=True)
 
-            data = {
+            data: dict[str, Any] = {
                 'request_id': request_id,
                 'peer_id': peer_id,
                 'signature': signature,
                 'ssh_key_id': ssh_key_id,
                 'timestamp': time.time(),
             }
+            token = federated_signature_token()
+            if token is not None:
+                data['auth_token'] = token
 
             sig_path.write_text(json.dumps(data, indent=2), encoding='utf-8')
             return True
diff --git a/teaagent/security_env.py b/teaagent/security_env.py
@@ -22,3 +22,13 @@ def strict_local_services() -> bool:
 def plugins_strict_audit() -> bool:
     """Fail closed on unverified plugin entry points when set."""
     return _env_truthy('TEAAGENT_PLUGINS_STRICT')
+
+
+def federated_signature_token() -> str | None:
+    """Optional shared secret for file-based P2P approval signature files.
+
+    When set, ``submit_approval_signature`` embeds the token and
+    ``collect_approval_signatures`` ignores files with a missing or wrong token.
+    """
+    value = os.environ.get('TEAAGENT_FEDERATED_SIGNATURE_TOKEN', '').strip()
+    return value or None
diff --git a/teaagent/selftest.py b/teaagent/selftest.py
@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+from importlib.metadata import PackageNotFoundError, version
 from pathlib import Path
 from typing import Any
 
@@ -12,6 +13,37 @@
 from teaagent.workspace_tools import build_workspace_tool_registry
 
 
+def _jaraco_context_version_ok() -> dict[str, Any]:
+    """CVE-2026-23949: jaraco.context < 6.1.0 has Zip Slip in tarball()."""
+    try:
+        installed = version('jaraco.context')
+    except PackageNotFoundError:
+        return {
+            'ok': True,
+            'skipped': True,
+            'detail': 'jaraco.context not installed',
+        }
+
+    parts = []
+    for segment in installed.split('.')[:3]:
+        segment = segment.split('+', 1)[0]
+        if not segment.isdigit():
+            return {
+                'ok': False,
+                'skipped': False,
+                'detail': f'unparseable jaraco.context version {installed!r}',
+            }
+        parts.append(int(segment))
+    while len(parts) < 3:
+        parts.append(0)
+    ok = tuple(parts) >= (6, 1, 0)
+    return {
+        'ok': ok,
+        'skipped': False,
+        'detail': f'jaraco.context=={installed}',
+    }
+
+
 def run_security_selftest(root: str | Path = '.') -> dict[str, Any]:
     """Run governance security checks without invoking pytest."""
     workspace = Path(root).resolve()
@@ -54,8 +86,9 @@ def run_security_selftest(root: str | Path = '.') -> dict[str, Any]:
         },
     ]
     audit_report = check_audit_completeness(sample_events)
+    jaraco_report = _jaraco_context_version_ok()
 
-    ok = not lint_errors and permission_ok and audit_report.ok
+    ok = not lint_errors and permission_ok and audit_report.ok and jaraco_report['ok']
     return {
         'ok': ok,
         'tool_lint': {
@@ -76,4 +109,5 @@ def run_security_selftest(root: str | Path = '.') -> dict[str, Any]:
             'ok': audit_report.ok,
             'issues': audit_report.issues,
         },
+        'jaraco_context': jaraco_report,
     }
diff --git a/tests/test_federated_sync.py b/tests/test_federated_sync.py
