jpetree331
f97d4845af
Complete RedFlag codebase with two major security audit implementations.
== A-1: Ed25519 Key Rotation Support ==
Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management
Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing
== A-2: Replay Attack Fixes (F-1 through F-7) ==
F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH - Migration 026: expires_at column with partial index
F-6 HIGH - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH - Agent-side executedIDs dedup map with cleanup
F-4 HIGH - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt
Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.
All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
69 lines
1.4 KiB
Go
69 lines
1.4 KiB
Go
package version
|
|
|
|
import (
|
|
"strconv"
|
|
"strings"
|
|
)
|
|
|
|
// Version represents a semantic version string
|
|
type Version string
|
|
|
|
// Platform represents combined platform-architecture format (e.g., "linux-amd64")
|
|
type Platform string
|
|
|
|
// ParsePlatform converts "linux-amd64" → platform="linux", arch="amd64"
|
|
func ParsePlatform(p Platform) (platform, architecture string) {
|
|
parts := strings.SplitN(string(p), "-", 2)
|
|
if len(parts) == 2 {
|
|
return parts[0], parts[1]
|
|
}
|
|
return string(p), ""
|
|
}
|
|
|
|
// String returns the full platform string
|
|
func (p Platform) String() string {
|
|
return string(p)
|
|
}
|
|
|
|
// Compare returns -1, 0, or 1 for v < other, v == other, v > other
|
|
func (v Version) Compare(other Version) int {
|
|
v1Parts := strings.Split(string(v), ".")
|
|
v2Parts := strings.Split(string(other), ".")
|
|
|
|
maxLen := len(v1Parts)
|
|
if len(v2Parts) > maxLen {
|
|
maxLen = len(v2Parts)
|
|
}
|
|
|
|
for i := 0; i < maxLen; i++ {
|
|
v1Num := 0
|
|
v2Num := 0
|
|
|
|
if i < len(v1Parts) {
|
|
v1Num, _ = strconv.Atoi(v1Parts[i])
|
|
}
|
|
if i < len(v2Parts) {
|
|
v2Num, _ = strconv.Atoi(v2Parts[i])
|
|
}
|
|
|
|
if v1Num < v2Num {
|
|
return -1
|
|
}
|
|
if v1Num > v2Num {
|
|
return 1
|
|
}
|
|
}
|
|
|
|
return 0
|
|
}
|
|
|
|
// IsUpgrade returns true if other is newer than v
|
|
func (v Version) IsUpgrade(other Version) bool {
|
|
return v.Compare(other) < 0
|
|
}
|
|
|
|
// IsValid returns true if version string is non-empty
|
|
func (v Version) IsValid() bool {
|
|
return string(v) != ""
|
|
}
|