Skip to content

fix(auth): expose local proofs for atomic backend commits#187

Open
marcus-pousette wants to merge 1 commit into
fix/auth-outbound-read-guardfrom
fix/atomic-local-auth-proof-handoff
Open

fix(auth): expose local proofs for atomic backend commits#187
marcus-pousette wants to merge 1 commit into
fix/auth-outbound-read-guardfrom
fix/atomic-local-auth-proof-handoff

Conversation

@marcus-pousette

@marcus-pousette marcus-pousette commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Problem

A storage backend needs the verified signature and proof reference before committing a local operation if both records are to share one transaction.

There is also an integrity trap: the v0 operation reference identifies the document and operation id, but not the operation body. A retained proof must not be reused for a different body with the same id.

What changes

  • Add the backend-neutral LocalWriteAuthProof shape: signature plus optional proof reference.
  • Add an optional side-effect-free localOpProofs handoff to local auth sessions.
  • Return detached proof bytes aligned with the operations that were authorized.
  • Cryptographically verify retained proof material against the exact operation before reuse.
  • Fail closed for a non-local operation when no exact valid retained proof exists.

This PR exposes the handoff; the SQLite and PostgreSQL PRs later perform the atomic database commit.

Fast paths

  • Proof bytes already produced during local authorization are reused without re-signing.
  • Valid exact retained proofs keep the restart/forwarding path.
  • The hook is optional, so unauthenticated and custom sessions are unchanged.
  • Proof extraction performs no durable I/O.

Tests

  • auth sessions return detached, validated proof bytes
  • malformed or misaligned authorization is rejected
  • restart reuses a retained proof only for the exact signed operation
  • conflicting bodies with the same operation id fail closed

Stack

Stacked on #191. This is the proof-handoff foundation for #192, #194, #195, and #196.

@marcus-pousette marcus-pousette marked this pull request as draft July 11, 2026 22:35
@marcus-pousette

Copy link
Copy Markdown
Collaborator Author

Temporarily marked draft while rebasing this proof-handoff foundation off the superseded #182/#183 branches and onto the lean #188#191 auth stack. The proof contract/exact-body validation remain; preWriteState/scoped-write dependencies and obsolete tests are being removed before it is marked ready again.

@marcus-pousette marcus-pousette force-pushed the fix/atomic-local-auth-proof-handoff branch from e39a074 to 1462d42 Compare July 11, 2026 23:01
@marcus-pousette marcus-pousette changed the base branch from fix/auth-children-filter-redaction to fix/auth-outbound-read-guard July 11, 2026 23:01
@marcus-pousette marcus-pousette marked this pull request as ready for review July 11, 2026 23:01
@marcus-pousette marcus-pousette force-pushed the fix/atomic-local-auth-proof-handoff branch from 1462d42 to d62a09a Compare July 11, 2026 23:02
@marcus-pousette marcus-pousette added bug Something isn't working area:auth Authorization, capabilities, proofs, signatures, crypto, and privacy area:api Public interfaces, bindings, events, and cross-backend contracts labels Jul 12, 2026
@marcus-pousette marcus-pousette changed the title fix(auth): expose atomic local proof handoff fix(auth): expose local proofs for atomic backend commits Jul 12, 2026
@marcus-pousette marcus-pousette force-pushed the fix/auth-outbound-read-guard branch from 7e254df to fde4928 Compare July 12, 2026 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:api Public interfaces, bindings, events, and cross-backend contracts area:auth Authorization, capabilities, proofs, signatures, crypto, and privacy bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant