Skip to content

fix(auth): require document-wide grants for operation writes#188

Open
marcus-pousette wants to merge 2 commits into
auth/op-authored-at-claimsfrom
fix/auth-docwide-writes-only
Open

fix(auth): require document-wide grants for operation writes#188
marcus-pousette wants to merge 2 commits into
auth/op-authored-at-claimsfrom
fix/auth-docwide-writes-only

Conversation

@marcus-pousette

@marcus-pousette marcus-pousette commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Problem

Authorizing a write from the receiver's current tree ancestry is delivery-order dependent. One peer can accept an operation while its node appears inside a scope, then replay an earlier move that puts it outside; another peer receiving the move first rejects the same operation.

That can create both an authorization bypass and permanent op-set divergence.

What changes

  • Insert, move, payload, delete, and tombstone operations require a document-wide grant: ROOT with no maxDepth or exclusions.
  • An ancestry-scoped write is denied immediately instead of entering pending_context.
  • Stateful scope evaluation remains available for read authorization in this PR.
  • Custom auth implementations with a stable causal witness may still implement their own pending-context policy.
  • Obsolete scoped-write conformance and playground scenarios are removed.

Deployments that previously issued scoped write tokens need a coordinated migration because upgraded peers reject those writes.

Fast paths

  • Document-wide writes take a state-independent check and do not query materialized ancestry.
  • Read scope evaluation is unchanged here.
  • The normal unauthenticated/custom-auth paths are unaffected.

Tests

  • every operation kind requires a document-wide write grant
  • current ancestry cannot make a scoped write valid
  • scoped writes fail closed rather than becoming pending
  • document-wide grants retain normal behavior

The large negative diff is deliberate debloating: unsupported scoped-write tests and demo flows are removed rather than replaced with more machinery.

Stack

Stacked on #157.

@marcus-pousette marcus-pousette force-pushed the fix/auth-docwide-writes-only branch 2 times, most recently from da5ddf4 to bff75b8 Compare July 11, 2026 22:30
@marcus-pousette marcus-pousette added bug Something isn't working area:auth Authorization, capabilities, proofs, signatures, crypto, and privacy labels Jul 12, 2026
@marcus-pousette marcus-pousette force-pushed the auth/op-authored-at-claims branch from ac53060 to 879801d Compare July 12, 2026 12:18
@marcus-pousette marcus-pousette force-pushed the fix/auth-docwide-writes-only branch from db233a2 to d3f633a Compare July 12, 2026 12:18
@marcus-pousette marcus-pousette changed the title fix(auth): reject ancestry-dependent operation scopes fix(auth): require document-wide grants for operation writes Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:auth Authorization, capabilities, proofs, signatures, crypto, and privacy bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant