Web Console: Authorization, RBAC, secret redaction, and audit model (Phase 1) #633

Open
opened 2026-07-10 14:38:26 -05:00 by jcwalker3 · 1 comment
Owner

Problem statement

MVP deployment boundary (#435) documents internal-only serving but does not define a complete console authorization, RBAC, secret redaction, audit history, retention, and privileged-action control model for multi-role operators and future gated writes.

User and operational impact

Without this model, Phase 2 actions (restart, workflow initiation) and Phase 3 policy editing cannot land safely. Audit gaps make contaminated or privileged sessions unreviewable.

Scope

  • Define identity sources (local/dev, SSO/Access later) and role matrix: viewer, operator, controller, admin.
  • Map console actions to MCP capability equivalents and confirmation requirements.
  • Secret redaction policy for APIs, HTML, logs, and audit payloads.
  • Audit event schema: who, what, when, target, result, correlation ids.
  • Retention and privileged-action controls (break-glass, dual-control where needed).
  • Extend or replace #435 docs; wire hooks for future gated actions (#434 evolution).

Explicit non-goals

  • Do not implement full SSO product.
  • Do not enable browser merges/approvals.
  • Do not store tokens in frontend or committed config.

Required implementation investigation

webui/deployment_boundary.py, docs/webui-deployment.md, docs/credential-isolation.md, docs/safety-model.md, gitea_audit.py, profile model, #435, #434, #631.

Proposed architecture or implementation direction

  • Server-side auth middleware; roles as config + fail-closed default deny for writes.
  • Reuse MCP operation categories as capability vocabulary where possible.
  • Append-only audit log (file or control-plane DB) with redaction pass before persistence.

Security and workflow-safety requirements

Fail closed on missing auth for non-public health probes if configured; always redact secrets; privileged actions require explicit capability + audit.

Acceptance criteria

  1. Written RBAC matrix and privileged-action list.
  2. Redaction rules documented and unit-tested for sample payloads.
  3. Audit event schema with required fields and retention defaults.
  4. Integration points defined for Phase 2 action framework.
  5. Local-dev mode documented with explicit insecurity warnings.

Required tests

  • Redaction unit tests (token, keychain, password patterns).
  • Default-deny for unauthenticated write stubs.
  • Audit record creation for a simulated privileged preview.

Observability and audit requirements

Auth failures and privileged attempts are auditable without leaking secrets.

Dependencies and linkage

Canonical issue state

STATE: ready-for-author
WHO_IS_NEXT: author
NEXT_ACTION: Implement auth/audit model docs + minimal hooks/tests
NEXT_PROMPT: Author claims this issue only; deliver RBAC/redaction/audit schema and tests; open PR; stop

Required final evidence

PR with docs, schema, tests; no production secrets.

Required final response and handoff expectations

Brief status + PR; reviewer validates fail-closed and redaction.

## Problem statement MVP deployment boundary (#435) documents internal-only serving but does not define a complete console **authorization, RBAC, secret redaction, audit history, retention, and privileged-action control** model for multi-role operators and future gated writes. ## User and operational impact Without this model, Phase 2 actions (restart, workflow initiation) and Phase 3 policy editing cannot land safely. Audit gaps make contaminated or privileged sessions unreviewable. ## Scope * Define identity sources (local/dev, SSO/Access later) and role matrix: viewer, operator, controller, admin. * Map console actions to MCP capability equivalents and confirmation requirements. * Secret redaction policy for APIs, HTML, logs, and audit payloads. * Audit event schema: who, what, when, target, result, correlation ids. * Retention and privileged-action controls (break-glass, dual-control where needed). * Extend or replace #435 docs; wire hooks for future gated actions (#434 evolution). ## Explicit non-goals * Do not implement full SSO product. * Do not enable browser merges/approvals. * Do not store tokens in frontend or committed config. ## Required implementation investigation `webui/deployment_boundary.py`, `docs/webui-deployment.md`, `docs/credential-isolation.md`, `docs/safety-model.md`, `gitea_audit.py`, profile model, #435, #434, #631. ## Proposed architecture or implementation direction * Server-side auth middleware; roles as config + fail-closed default deny for writes. * Reuse MCP operation categories as capability vocabulary where possible. * Append-only audit log (file or control-plane DB) with redaction pass before persistence. ## Security and workflow-safety requirements Fail closed on missing auth for non-public health probes if configured; always redact secrets; privileged actions require explicit capability + audit. ## Acceptance criteria 1. Written RBAC matrix and privileged-action list. 2. Redaction rules documented and unit-tested for sample payloads. 3. Audit event schema with required fields and retention defaults. 4. Integration points defined for Phase 2 action framework. 5. Local-dev mode documented with explicit insecurity warnings. ## Required tests * Redaction unit tests (token, keychain, password patterns). * Default-deny for unauthenticated write stubs. * Audit record creation for a simulated privileged preview. ## Observability and audit requirements Auth failures and privileged attempts are auditable without leaking secrets. ## Dependencies and linkage * Parent: #631 * Extends: #435, #434 * Soft-blocks: Phase 2 action issues * Related: #630 contamination classification ## Canonical issue state ```text STATE: ready-for-author WHO_IS_NEXT: author NEXT_ACTION: Implement auth/audit model docs + minimal hooks/tests NEXT_PROMPT: Author claims this issue only; deliver RBAC/redaction/audit schema and tests; open PR; stop ``` ## Required final evidence PR with docs, schema, tests; no production secrets. ## Required final response and handoff expectations Brief status + PR; reviewer validates fail-closed and redaction.
jcwalker3 added the type:featurestatus:readyworkflow-hardeningdashboardsafety labels 2026-07-10 14:38:26 -05:00
Author
Owner

Canonical Issue State

STATE:
ready-for-author

WHO_IS_NEXT:
author

NEXT_ACTION:
Implement Phase 1 auth/audit model; link PR to #652 and #653; soft-depends on #632

NEXT_PROMPT:

AUTHOR prgs Gitea-Tools. Implement #633. Vision #652 · Roadmap #653 Phase 1 · Umbrella #631. Lock issue; branches/ worktree; PR; stop. Closing ≠ vision complete.

WHAT_HAPPENED:
Linked to vision #652 and roadmap #653 Phase 1. Issue not recreated.

WHY:
Initial implementation batch linkage.

RELATED_ISSUES:
#652 #653 #631 #632 #435 #434 #630

RELATED_PRS:
none

BLOCKERS:
none

VALIDATION:
existing issue retained

LAST_UPDATED_BY:
jcwalker3 / prgs-author / author / 2026-07-10

## Canonical Issue State STATE: ready-for-author WHO_IS_NEXT: author NEXT_ACTION: Implement Phase 1 auth/audit model; link PR to #652 and #653; soft-depends on #632 NEXT_PROMPT: ```text AUTHOR prgs Gitea-Tools. Implement #633. Vision #652 · Roadmap #653 Phase 1 · Umbrella #631. Lock issue; branches/ worktree; PR; stop. Closing ≠ vision complete. ``` WHAT_HAPPENED: Linked to vision #652 and roadmap #653 Phase 1. Issue not recreated. WHY: Initial implementation batch linkage. RELATED_ISSUES: #652 #653 #631 #632 #435 #434 #630 RELATED_PRS: none BLOCKERS: none VALIDATION: existing issue retained LAST_UPDATED_BY: jcwalker3 / prgs-author / author / 2026-07-10
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#633