Skip to content
This repository was archived by the owner on Apr 16, 2026. It is now read-only.
This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Add durable audit sink, session JWT tests, and Helm chart #61

Description

@haasonsaas

Context

ASB is the most security-sensitive service in the platform (privileged credential issuance with OIDC attestation) but has critical operational and testing gaps.

Problems

In-memory audit sink (issue #22)

internal/bootstrap/service.go line 114: auditSink := auditmemory.NewSink(). Every audit event (session creation, grant issuance, artifact unwrap, policy decision, approval transition) is lost on pod restart. For a service that handles privileged credential issuance, there is zero durable audit trail in production.

Session JWT manager is untested

internal/crypto/sessionjwt/manager.go is the most security-sensitive path — it signs and verifies session JWTs that gate agent sessions. No test file exists. No tests for:

  • Expired tokens
  • Algorithm confusion (RS256 vs EdDSA)
  • Missing sid/tenant_id claims
  • Tampered payloads

OIDC verifier has minimal tests

Only 2 tests; no coverage for:

  • allowedSubjectPrefixes=[] (bypasses prefix check entirely)
  • Expired tokens
  • Wrong algorithm
  • nbf in the future

No Helm chart (issue #21)

No standardized k8s manifests, resource limits, health probes, PDB, or secrets management.

Requirements

  • Implement durable audit sink backed by shared audit gRPC service (closes Add durable audit pipeline with guaranteed delivery #22)
  • Add retry/buffer for audit events (don't lose events if audit service is temporarily unavailable)
  • Add comprehensive sessionjwt tests: expired, algorithm confusion, missing claims, tampered payload, clock skew
  • Add OIDC verifier boundary tests: empty allowed prefixes, expired, wrong algorithm, nbf in future
  • Add toolregistry unit tests (currently only tested indirectly via service_test.go)
  • Create Helm chart with: resource limits, liveness/readiness/startup probes, PDB, secrets templating (closes Create Kubernetes deployment manifests and Helm chart #21)
  • Add circuit breaker on GitHub and VaultDB connector operations in the grant issuance path
  • Add gosec + golangci-lint to CI workflow

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions