Redflag

Fimeg/Redflag

Fork 0

Commit Graph

Author	SHA1	Message	Date
jpetree331	ee246771dc	test(security): A-3 pre-fix tests for auth middleware coverage bugs Pre-fix test suite documenting 8 auth middleware bugs found during the A-3 recon audit. Tests are written to FAIL where they assert correct post-fix behavior, and PASS where they document current buggy behavior. No bugs are fixed in this commit. Tests added: - F-A3-11 CRITICAL: WebAuthMiddleware leaks JWT secret to stdout (3 tests: secret in output, emoji in output, ETHOS format) - F-A3-7 CRITICAL: Config download requires no auth (2 tests) - F-A3-6 HIGH: Update package download requires no auth (2 tests) - F-A3-10 HIGH: Scheduler stats accepts agent JWT (2 tests) - F-A3-12 MEDIUM: Cross-type JWT token confusion (2 tests) - F-A3-2 MEDIUM: /auth/verify dead endpoint (2 tests) - F-A3-13 LOW: RequireAdmin middleware missing (1 test + 1 build-tagged) - F-A3-9 MEDIUM: Agent self-unregister no rate limit (2 tests) Current state: 10 FAIL, 7 PASS, 1 SKIP (build-tagged), 1 unchanged See docs/A3_PreFix_Tests.md for full inventory. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 21:54:48 -04:00
jpetree331	f97d4845af	feat(security): A-1 Ed25519 key rotation + A-2 replay attack fixes Complete RedFlag codebase with two major security audit implementations. == A-1: Ed25519 Key Rotation Support == Server: - SignCommand sets SignedAt timestamp and KeyID on every signature - signing_keys database table (migration 020) for multi-key rotation - InitializePrimaryKey registers active key at startup - /api/v1/public-keys endpoint for rotation-aware agents - SigningKeyQueries for key lifecycle management Agent: - Key-ID-aware verification via CheckKeyRotation - FetchAndCacheAllActiveKeys for rotation pre-caching - Cache metadata with TTL and staleness fallback - SecurityLogger events for key rotation and command signing == A-2: Replay Attack Fixes (F-1 through F-7) == F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand F-1 HIGH - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}" F-7 HIGH - Migration 026: expires_at column with partial index F-6 HIGH - GetPendingCommands/GetStuckCommands filter by expires_at F-2 HIGH - Agent-side executedIDs dedup map with cleanup F-4 HIGH - commandMaxAge reduced from 24h to 4h F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt Verification fixes: migration idempotency (ETHOS #4), log format compliance (ETHOS #1), stale comments updated. All 24 tests passing. Docker --no-cache build verified. See docs/ for full audit reports and deviation log (DEV-001 to DEV-019). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 21:25:47 -04:00

Author

SHA1

Message

Date

jpetree331

ee246771dc

test(security): A-3 pre-fix tests for auth middleware coverage bugs

Pre-fix test suite documenting 8 auth middleware bugs found during
the A-3 recon audit. Tests are written to FAIL where they assert
correct post-fix behavior, and PASS where they document current
buggy behavior. No bugs are fixed in this commit.

Tests added:
- F-A3-11 CRITICAL: WebAuthMiddleware leaks JWT secret to stdout
  (3 tests: secret in output, emoji in output, ETHOS format)
- F-A3-7 CRITICAL: Config download requires no auth (2 tests)
- F-A3-6 HIGH: Update package download requires no auth (2 tests)
- F-A3-10 HIGH: Scheduler stats accepts agent JWT (2 tests)
- F-A3-12 MEDIUM: Cross-type JWT token confusion (2 tests)
- F-A3-2 MEDIUM: /auth/verify dead endpoint (2 tests)
- F-A3-13 LOW: RequireAdmin middleware missing (1 test + 1 build-tagged)
- F-A3-9 MEDIUM: Agent self-unregister no rate limit (2 tests)

Current state: 10 FAIL, 7 PASS, 1 SKIP (build-tagged), 1 unchanged
See docs/A3_PreFix_Tests.md for full inventory.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-28 21:54:48 -04:00

jpetree331

f97d4845af

feat(security): A-1 Ed25519 key rotation + A-2 replay attack fixes

Complete RedFlag codebase with two major security audit implementations.

== A-1: Ed25519 Key Rotation Support ==

Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management

Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing

== A-2: Replay Attack Fixes (F-1 through F-7) ==

F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH     - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH     - Migration 026: expires_at column with partial index
F-6 HIGH     - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH     - Agent-side executedIDs dedup map with cleanup
F-4 HIGH     - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt

Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.

All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-28 21:25:47 -04:00

2 Commits