jpetree331
f97d4845af
Complete RedFlag codebase with two major security audit implementations.
== A-1: Ed25519 Key Rotation Support ==
Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management
Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing
== A-2: Replay Attack Fixes (F-1 through F-7) ==
F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH - Migration 026: expires_at column with partial index
F-6 HIGH - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH - Agent-side executedIDs dedup map with cleanup
F-4 HIGH - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt
Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.
All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
32 lines
1.2 KiB
Go
32 lines
1.2 KiB
Go
package models
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
// SecuritySetting represents a user-configurable security setting
|
|
type SecuritySetting struct {
|
|
ID uuid.UUID `json:"id" db:"id"`
|
|
Category string `json:"category" db:"category"`
|
|
Key string `json:"key" db:"key"`
|
|
Value string `json:"value" db:"value"`
|
|
IsEncrypted bool `json:"is_encrypted" db:"is_encrypted"`
|
|
CreatedAt time.Time `json:"created_at" db:"created_at"`
|
|
UpdatedAt *time.Time `json:"updated_at" db:"updated_at"`
|
|
CreatedBy *uuid.UUID `json:"created_by" db:"created_by"`
|
|
UpdatedBy *uuid.UUID `json:"updated_by" db:"updated_by"`
|
|
}
|
|
|
|
// SecuritySettingAudit represents an audit log entry for security setting changes
|
|
type SecuritySettingAudit struct {
|
|
ID uuid.UUID `json:"id" db:"id"`
|
|
SettingID uuid.UUID `json:"setting_id" db:"setting_id"`
|
|
UserID uuid.UUID `json:"user_id" db:"user_id"`
|
|
Action string `json:"action" db:"action"` // create, update, delete
|
|
OldValue *string `json:"old_value" db:"old_value"`
|
|
NewValue *string `json:"new_value" db:"new_value"`
|
|
Reason string `json:"reason" db:"reason"`
|
|
CreatedAt time.Time `json:"created_at" db:"created_at"`
|
|
} |