Adds three new sections to completed.md covering the main themes of the
alpha.2 cycle that were not yet captured:
- Security Hardening: TLS-by-default, panic recovery, rate limiting,
validation limits, audit access enforcement, metadata bounds, gRPC
message size limits, Guard chain, supply chain, Helm hardening
- Schema Publishing: schemas.opendecree.dev via GitHub Pages
- Functional Options Refactor: all 7 constructors across 4 PRs
Closes #306
@@ -136,6 +136,37 @@ Labels aligned across decree, decree-python, decree-typescript, decree-ui (14 co
`decree seed <file>` dispatches on which top-level sections are present (schema-only / tenant-only / schema+tenant / config-only / combined). Config-only files name the target schema via `tenant.schema`; `tenant.schema_version` omitted → latest published version resolved client-side via new `adminclient.GetLatestPublishedSchemaVersion` (walks backward past drafts). Re-seeding identical content is now a no-op on both axes — `ImportConfig` returning `AlreadyExists` is treated as a skip instead of erroring. Tenant-schema mismatches in config-only mode error out rather than silently re-binding. Combined envelope preserved byte-for-byte. Design brief: `.agents/context/seed-decoupling.md`.
+
## Security Hardening (alpha.2 cycle)
+
+
Seven attack surfaces addressed from the 2026-04-30 pre-release audit:
+
+
-**TLS-by-default (#230)** — gRPC + gateway enforce TLS; `INSECURE_LISTEN=1` required to opt out. Cert auto-generated if not provided.
+
-**Panic recovery (#229)** — unary + stream `panicRecoveryInterceptor` converts panics to `codes.Internal`, logs stack trace; server stays up.
+
-**Rate limiting (#216 / #267)** — per-tenant + per-method in-process token-bucket via `golang.org/x/time/rate`. Health check exempt. `OTEL_METRICS_RATE_LIMIT` OTel counter. `Limiter` interface for future Redis backend. LRU-capped at 100k buckets via `WithMaxBuckets` (#287).
+
-**Validation limits (#217 / #254 / #256)** — `schema.Limits{MaxFields, MaxDocBytes}` blocks oversized imports at `CreateSchema`/`ImportSchema`. JSON-Schema compile has a configurable timeout + recursive-depth pre-scan to prevent ReDoS.
-**Metadata bounds (#260)** — `x-tenant-id`, `x-subject`, and `x-role` headers capped in length; malformed values return `codes.Unauthenticated` with a safe error message.
+
-**gRPC message size limits (#212 / #226)** — `WithMaxRecvMsgBytes` / `WithMaxSendMsgBytes` on both server and gateway; default 4 MB, configurable via env.
+
+
**Pluggable Guard chain (#269 / #270)** — `authz.Guard` interface + `ChainGuard` replaces ad-hoc per-method checks. `resolveTenantWithAccess` and `errToStatus` extracted from all three service packages into shared helpers.
+
+
**Supply chain (#266 / #227)** — Docker image and Go binary artifact attestations (Sigstore/SLSA) via GitHub Actions. All base images digest-pinned; non-trusted Actions SHA-pinned. `scripts/check-supply-chain-pins.sh` enforced in CI.
Meta-schemas published to `schemas.opendecree.dev` via GitHub Pages (#263). The `schema-spec.md` design brief documents the schema YAML format and versioning contract for tooling authors.
+
+
## Functional Options Refactor (alpha.2 cycle)
+
+
All seven top-level constructors migrated from positional config structs to `With...()` functional options. Required args stay positional; only optional knobs become options. Covered by MIGRATION.md (#275/#323).
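Review bot: the lead-in "Seven attack surfaces addressed from the 2026-04-30 pre-release audit" does not match the list under it: the visible bullets already number eight (TLS-by-default through Supply chain), and the commit message also names audit access enforcement and Helm hardening, so either drop the count or make it agree with the final list. The bullet markers are inconsistent as well: the first six are written `-**TLS-by-default (#230)**` with no space after the dash, which most Markdown renderers will not treat as a list item, while `**Pluggable Guard chain (#269 / #270)**` and `**Supply chain (#266 / #227)**` have no dash at all; use `- **Name (#nnn)**` throughout. Two caveats deserve a clause each so the section is not read as stronger than it is: "Cert auto-generated if not provided" under TLS-by-default is a self-signed certificate, so state how clients are expected to establish trust in it (for example a fingerprint logged at startup) or note that without that step clients either skip verification or fail on first connect; and the rate limiter is described as "in-process", so the per-tenant and per-method limits are per replica and the effective ceiling scales with replica count until the Redis-backed `Limiter` exists, which the Helm defaults should account for.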