All notable changes to predicate-authorityd will be documented in this file.
- Bearer token authentication:
/policy/reloadendpoint now supports--policy-reload-secretto requireAuthorization: Bearer <token> - Disable endpoint option:
--disable-policy-reloadreturns 404, requiring sidecar restart for policy changes - Configuration sources: CLI flag, environment variable (
PREDICATE_POLICY_RELOAD_SECRET), and TOML config file
- Policy-driven whitelist: Add
ssrf_whitelistarray to policy JSON/YAML to bypass SSRF protection for specifichost:portendpoints - Multiple configuration sources: CLI (
--ssrf-allow), env var (PREDICATE_SSRF_ALLOW), TOML config, and policy file - Merging behavior: Entries from all sources are combined; exact
host:portmatching limits exemption surface
inject_headersrule field: Auto-inject auth headers for HTTP requests (e.g.,Authorization: Bearer ${GITHUB_TOKEN})inject_envrule field: Auto-inject environment variables for CLI commands (e.g., AWS credentials)- Environment variable substitution: Supports
${VAR}and${VAR:-default}syntax - Zero-trust pattern: Secrets stay on sidecar; agents never see raw credentials
- New policy template:
policies/secret-injection.jsondemonstrates API and CLI credential injection
- Added "Glob
**Directory Matching Footgun" section to policy README - Added SSRF whitelist configuration to user manual and UI docs
- Added policy reload security options to CLI help and documentation
- Path traversal prevention: Added
normalize_path()function in policy engine that resolves.and..components before matching against policy rules - Home directory expansion: Paths starting with
~are expanded to the user's home directory - Automatic normalization for fs. actions*: File system actions (
fs.read,fs.write, etc.) now have their resource paths normalized before policy evaluation
- Defense in depth: Path normalization now happens in both SDK (before sending to sidecar) and sidecar (during policy evaluation), providing layered protection against path traversal attacks
- Adversarial input handling: Inputs like
./workspace/../../../etc/passwdare now correctly resolved to/etc/passwdand matched against deny rules
- Added
path_normalization_testsmodule with tests for:- Path traversal removal
- Redundant slash handling
- Dot component resolution
- Parent directory at root handling
- POST /v1/delegate endpoint: Issue derived mandates with cryptographic provenance linking child mandates to parent authorization
- Scope subset validation: Enforce scope narrowing in delegation chains - child mandates must request equal or narrower scope than parent
- Delegation depth limits: Configurable maximum chain depth (default: 5) to prevent unbounded delegation
- TTL capping: Derived mandate expiration automatically capped to parent's remaining TTL
- Delegation chain hash: Cryptographic verification of delegation chain integrity
- O(1) mandate revocation lookups: HashSet-based revocation cache for instant mandate ID checks
- Sync snapshot extension:
revoked_mandate_idsfield in control-plane sync for cascade revocation support - Revocation cache stats: Extended statistics including mandate revocation counts
src/models/delegation.rs- DelegateRequest, DelegateResponse, DelegateError typessrc/policy/subset.rs- Scope subset validation (is_action_subset, is_resource_subset, is_scope_subset)src/http/delegate.rs- Delegation endpoint handler and DelegationState
AppStatenow supports optionalDelegationStatefor delegation-enabled deploymentsRevocationCacheextended withby_mandate_idfield and mandate-level revocation methodsAuthoritySyncSnapshotextended withrevoked_mandate_idsfor control-plane cascade revocation
See git history for earlier changes.