
[codex] fix notary audit scopes #179

Merged: jeremi merged 1 commit into main from codex/notary-audit-scopes-178 on Jul 2, 2026

Conversation

@jeremi jeremi (Member) commented Jul 2, 2026

Summary

Fixes #178.

  • add scopes_used to EvidenceAuditEvent, defaulting legacy deserialization to an empty list
  • populate request audit events from EvidencePrincipal.scopes
  • emit empty scope lists for background, federation, and public/pre-auth audit events
  • extend Notary audit tests for OIDC and self-attestation request paths

Security-sensitive review notes

This changes the Notary audit record schema and audit envelope contents for REQ-SEC-G-008. The new field records scope names only, not raw bearer tokens, API keys, principal IDs, civil identifiers, or claim values. Existing privacy assertions continue to verify that raw tokens, subject identifiers, and principal IDs are not emitted in the covered audit records. Legacy audit events without scopes_used remain deserializable via #[serde(default)].

Validation

  • cargo fmt
  • cargo fmt --check
  • cargo test --locked -p registry-notary-core audit_
  • cargo test --locked -p registry-notary-server --test standalone_http oidc_mode_verifies_token_from_fixture_idp -- --exact
  • cargo test --locked -p registry-notary-server --test standalone_http oidc_self_attestation_evaluates_renders_and_audits_access_mode -- --exact
  • cargo check --locked -p registry-notary-server --all-targets
  • git diff --check

Subagent review: Echo found no issues. Residual gap noted: no direct assertion that background/federation/public audit constructors serialize scopes_used: []; the constructors are direct and covered by registry-notary-server --all-targets compile checking.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
@jeremi jeremi force-pushed the codex/notary-audit-scopes-178 branch from 9f1190e to fad6409 on July 2, 2026 04:41
@jeremi jeremi merged commit 235e3ca into main Jul 2, 2026
10 checks passed
@jeremi jeremi deleted the codex/notary-audit-scopes-178 branch July 2, 2026 04:46

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f1190e676


event_id: Ulid::new().to_string(),
occurred_at,
principal_id_hash: None,
scopes_used: Vec::new(),


P2: Record federated source scopes in audits

For successful /federation/v1/evaluations calls, the handler builds an EvidencePrincipal from peer.config.source_scopes and uses those scopes to evaluate and return claim results, but this audit constructor always emits an empty scopes_used list. That makes every successful federated evaluation look unscoped in the audit trail even though source scopes were exercised, undermining the required reconstruction of which permission authorized the claim result.


principal_id_hash: principal.map(|principal| {
Hashed::<PrincipalIdentifier>::from_hash(hasher.hash(&principal.principal_id))
}),
scopes_used: principal.map_or_else(Vec::new, |principal| principal.scopes.clone()),


P2: Record only checked request scopes

When a credential or OIDC token carries extra scopes beyond the one this route actually checks, this copies every granted scope into scopes_used, including unrelated scopes on successes and denials. For example, claim access is checked against per-claim required scopes and OID4VCI issuance checks the credential-configuration scope, so auditing the whole principal scope set can overstate which permission authorized returned data; record the checked/required scopes for the request instead of the full token/API-key scope list.

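One way to act on both review points above, as an added example that is not the project's code: the Rust below models the audit constructors the PR describes (authenticated request, federated evaluation, background and public/pre-auth paths) and records in `scopes_used` only the intersection of the scopes a route actually checked with the scopes the principal holds (or, for federation, the peer's source scopes), so an over-privileged token or API key does not make the record claim that unrelated scopes authorized the result. `Principal`, `AuditPath`, `audit_event`, `record_is_clean` and the flat `key=value` log line are assumptions for this example; the real `EvidenceAuditEvent`, `EvidencePrincipal`, the `#[serde(default)]` envelope and the principal-ID hasher are not reproduced here.

```rust
use std::collections::BTreeSet;

/// Stand-in for EvidencePrincipal (hypothetical, trimmed for the example):
/// the scopes granted to a verified credential, API key or OIDC token.
#[derive(Debug, Clone)]
pub struct Principal {
    pub principal_id: String,
    pub scopes: Vec<String>,
}

/// Which code path is producing the audit event (hypothetical enum).
#[derive(Debug)]
pub enum AuditPath<'a> {
    /// Authenticated request. `required` is the scope set the route actually
    /// checked before returning data (a claim's required scopes, the
    /// credential-configuration scope for issuance, and so on).
    Request { principal: &'a Principal, required: &'a [&'a str] },
    /// Federated evaluation: the peer's configured source scopes stand in for
    /// the principal's scope set, so the exercised scopes can still be recorded.
    Federation { source_scopes: &'a [&'a str], required: &'a [&'a str] },
    /// Background jobs and public/pre-auth endpoints have no request principal.
    Background,
    Public,
}

/// The audit-record fields this example is about. Scope names only; the real
/// record hashes the principal ID and never carries tokens or claim values.
#[derive(Debug, PartialEq)]
pub struct AuditEvent {
    pub event_id: String,
    pub scopes_used: Vec<String>,
}

impl AuditEvent {
    /// Flat key=value rendering, a stand-in for the project's audit envelope.
    pub fn to_log_line(&self) -> String {
        format!("event_id={} scopes_used=[{}]", self.event_id, self.scopes_used.join(","))
    }
}

/// required ∩ held, in the order the route checked them. Recording the whole
/// `held` set instead would make an over-privileged token look as if every
/// scope it carries had authorized the result.
fn exercised<S: AsRef<str>>(held: &[S], required: &[&str]) -> Vec<String> {
    let held: BTreeSet<&str> = held.iter().map(|s| s.as_ref()).collect();
    required
        .iter()
        .filter(|s| held.contains(**s))
        .map(|s| (*s).to_string())
        .collect()
}

/// Build the audit event for one code path.
pub fn audit_event(event_id: &str, path: &AuditPath) -> AuditEvent {
    let scopes_used = match path {
        AuditPath::Request { principal, required } => {
            exercised(principal.scopes.as_slice(), *required)
        }
        AuditPath::Federation { source_scopes, required } => {
            exercised(*source_scopes, *required)
        }
        AuditPath::Background | AuditPath::Public => Vec::new(),
    };
    AuditEvent { event_id: event_id.to_string(), scopes_used }
}

/// Privacy check in the spirit of the PR's existing assertions: none of the
/// given secrets (raw token, principal ID, ...) may appear in the rendered record.
pub fn record_is_clean(line: &str, secrets: &[&str]) -> bool {
    secrets.iter().all(|s| !line.contains(*s))
}

fn main() {
    // Constructed sample principal: holds more scopes than any single route checks.
    let alice = Principal {
        principal_id: "did:example:alice".to_string(),
        scopes: vec!["claims:read".into(), "claims:write".into(), "admin".into()],
    };
    let bearer = "eyJhbGciOiJFUzI1NiJ9.constructed.sample"; // constructed, never logged
    let paths = [
        ("req-ok", AuditPath::Request { principal: &alice, required: &["claims:read"] }),
        ("req-denied", AuditPath::Request { principal: &alice, required: &["issuance:configure"] }),
        ("fed", AuditPath::Federation { source_scopes: &["claims:read", "claims:list"], required: &["claims:read"] }),
        ("bg", AuditPath::Background),
        ("pub", AuditPath::Public),
    ];
    for (id, path) in &paths {
        let line = audit_event(id, path).to_log_line();
        let clean = record_is_clean(&line, &[alice.principal_id.as_str(), bearer]);
        println!("{line} clean={clean}");
    }
}
```

A denied request yields an empty `scopes_used` under this rule, which keeps "nothing authorized this" distinguishable from a success; if the denied-side record should instead name the scope that was checked and missing, that belongs in a separate field rather than in `scopes_used`, so the list never names a permission the principal did not hold.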



Development

Successfully merging this pull request may close these issues.

notary: audit record omits the scopes exercised (REQ-SEC-G-008)
