Tri-thrust federation hardening + domain generalization + ingest caps #11

Open

mortonanalytics wants to merge 5 commits into
…tes, session race

Tri-thrust workflow A-cluster (validated, cargo check + clippy + fmt green):
- TT-A01: parameterize critic evidence query (SQLi via signal.evidence event_ids)
- TT-A02: reject bindings/subscriptions to non-active peers (route + repo backstop)
- TT-A03: re-validate peer + binding status at approval execution time
- TT-A04: peers:manage RBAC gate on create/patch/delete/refresh binding routes
- TT-A05: fix TOCTOU race in MCP session init (atomic DashMap entry)
- TT-C09: 100KB cap on webhook data field (flows into critic LLM prompt)

Ledger + dispositions: md/intake/tri-thrust-advance-2026-06-21.md

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
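Added example, by the editor, not IONe code and not part of this PR: the check-then-insert race TT-A05 describes, reproduced with `std::sync::Mutex<HashMap>` standing in for DashMap so it runs without dependencies. The `Session` struct, the `sess-1` id and the `race` harness are constructed for the demo; the property shown is the one the commit relies on: with the entry API the vacancy check and the insert happen under one lock hold, so exactly one initializer can win.

```rust
// Added example, not IONe code: the check-then-insert race TT-A05 describes,
// reproduced with std::sync::Mutex<HashMap> in place of DashMap. The project
// uses DashMap's entry API; std's Entry has the same shape and the same
// property: the vacancy check and the insert happen under a single lock hold.
use std::collections::hash_map::Entry;
use std::collections::HashMap;
use std::sync::{Arc, Barrier, Mutex};
use std::thread;

/// Hypothetical per-session state; the real MCP session struct is not on the page.
#[derive(Debug, Clone, PartialEq)]
struct Session {
    owner: String,
}

type Sessions = Arc<Mutex<HashMap<String, Session>>>;

/// Racy initializer: existence check and insert are two separate lock holds.
/// Between them another caller can also observe "absent", so several callers
/// each believe they created the session and the later inserts overwrite it.
/// `gate` is a constructed barrier that forces every thread past the check
/// before any insert, making the window deterministic for the demo.
fn init_session_racy(map: &Sessions, id: &str, owner: &str, gate: &Barrier) -> bool {
    if map.lock().unwrap().contains_key(id) {
        return false;
    } // lock released here: this is the TOCTOU window
    gate.wait();
    map.lock()
        .unwrap()
        .insert(id.to_string(), Session { owner: owner.to_string() });
    true
}

/// Fixed initializer: one lock hold, and Entry decides vacant-vs-occupied
/// atomically. Exactly one caller wins; everyone else sees Occupied.
fn init_session_atomic(map: &Sessions, id: &str, owner: &str) -> bool {
    match map.lock().unwrap().entry(id.to_string()) {
        Entry::Vacant(slot) => {
            slot.insert(Session { owner: owner.to_string() });
            true
        }
        Entry::Occupied(_) => false,
    }
}

/// Run `n` concurrent initializers for one session id. Returns
/// (callers that reported success, final owner). Correct behaviour is exactly 1.
fn race(n: usize, atomic: bool) -> (usize, String) {
    let map: Sessions = Arc::new(Mutex::new(HashMap::new()));
    let gate = Arc::new(Barrier::new(n));
    let handles: Vec<_> = (0..n)
        .map(|i| {
            let (map, gate) = (Arc::clone(&map), Arc::clone(&gate));
            thread::spawn(move || {
                let owner = format!("client-{i}");
                if atomic {
                    gate.wait(); // same start conditions as the racy variant
                    init_session_atomic(&map, "sess-1", &owner)
                } else {
                    init_session_racy(&map, "sess-1", &owner, &gate)
                }
            })
        })
        .collect();
    let wins = handles.into_iter().map(|h| h.join().unwrap()).filter(|&w| w).count();
    let owner = map.lock().unwrap().get("sess-1").map(|s| s.owner.clone()).unwrap_or_default();
    (wins, owner)
}

fn main() {
    println!("racy:   {:?}", race(8, false)); // 8 callers all "created" the session
    println!("atomic: {:?}", race(8, true)); // exactly one winner
}
```

The barrier is only there to make the race reproducible on every run; in the real service the window is the gap between two separate lock acquisitions on the session map, and it is reached whenever two MCP initialisations for the same id arrive close together.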
…ening

Tri-thrust workflow security/correctness wave (cargo check + clippy + fmt green):
- TT-A06: mcp_client poll fails closed when no Active binding (was falling back to unscoped peer-wide workspace enumeration → C-1 cross-workspace read)
- TT-A07: defer subscribe_peer first poll until binding is Active (firstPollDeferred)
- TT-C01: 64KiB cap on stream_event payloads at repo choke point (InsertOutcome::Rejected + skipped count in poll response); env override IONE_MAX_STREAM_EVENT_BYTES
- TT-C08: bucket_expr returns Option instead of panicking on unvalidated bucket (stream + audit aggregate repos); add minute arm to stream variant

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
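Added example, by the editor, not IONe code and not part of this PR: the shape of the TT-C01 guard above. `InsertOutcome::Rejected` and the `IONE_MAX_STREAM_EVENT_BYTES` override are the names the commit gives; `StreamEventRepo`, `StreamEvent`, `PollResponse`, `ingest_batch` and the sample batch are assumptions made up here. The point it shows is the one the commit makes: the cap lives in the repository, the single choke point every writer passes through, and a rejected event is counted in the poll response rather than vanishing.

```rust
// Added example, not IONe code: the TT-C01 size cap enforced at the repo choke
// point. Type and function names here are assumptions; InsertOutcome::Rejected
// and the env var IONE_MAX_STREAM_EVENT_BYTES are the ones the commit names.
use std::collections::VecDeque;

const DEFAULT_MAX_STREAM_EVENT_BYTES: usize = 64 * 1024;

/// Resolve the payload cap: env override if it parses to a positive integer,
/// otherwise the 64 KiB default. A malformed or zero override falls back to
/// the default rather than disabling the cap.
fn max_stream_event_bytes() -> usize {
    max_from_env(std::env::var("IONE_MAX_STREAM_EVENT_BYTES").ok().as_deref())
}

fn max_from_env(raw: Option<&str>) -> usize {
    raw.and_then(|s| s.trim().parse::<usize>().ok())
        .filter(|&n| n > 0)
        .unwrap_or(DEFAULT_MAX_STREAM_EVENT_BYTES)
}

#[derive(Debug, PartialEq)]
enum InsertOutcome {
    Inserted,
    /// Payload exceeded the cap; the event is not stored. Carries the sizes so
    /// the caller can log them without re-measuring.
    Rejected { bytes: usize, max: usize },
}

#[derive(Debug, Clone)]
struct StreamEvent {
    peer: String,
    payload: Vec<u8>,
}

/// In-memory stand-in for the repository. The cap is checked here, once, for
/// every writer, instead of in each route or poller that feeds the table.
struct StreamEventRepo {
    max_bytes: usize,
    stored: VecDeque<StreamEvent>,
}

impl StreamEventRepo {
    fn new(max_bytes: usize) -> Self {
        Self { max_bytes, stored: VecDeque::new() }
    }

    fn insert(&mut self, ev: StreamEvent) -> InsertOutcome {
        let bytes = ev.payload.len();
        if bytes > self.max_bytes {
            return InsertOutcome::Rejected { bytes, max: self.max_bytes };
        }
        self.stored.push_back(ev);
        InsertOutcome::Inserted
    }
}

/// What one poll cycle reports back: how many events landed and how many were
/// dropped for size, so an oversized peer is visible rather than silently lost.
#[derive(Debug, PartialEq)]
struct PollResponse {
    inserted: usize,
    skipped: usize,
}

fn ingest_batch(repo: &mut StreamEventRepo, batch: Vec<StreamEvent>) -> PollResponse {
    let mut resp = PollResponse { inserted: 0, skipped: 0 };
    for ev in batch {
        let peer = ev.peer.clone();
        match repo.insert(ev) {
            InsertOutcome::Inserted => resp.inserted += 1,
            InsertOutcome::Rejected { bytes, max } => {
                eprintln!("dropped {bytes}-byte stream event from {peer} (cap {max})");
                resp.skipped += 1;
            }
        }
    }
    resp
}

/// Constructed batch: a small event, one just over the cap, one exactly at it.
fn sample_batch(max: usize) -> Vec<StreamEvent> {
    vec![
        StreamEvent { peer: "peer-a".into(), payload: vec![b'x'; 512] },
        StreamEvent { peer: "peer-b".into(), payload: vec![b'y'; max + 1] },
        StreamEvent { peer: "peer-a".into(), payload: vec![b'z'; max] }, // at the cap: allowed
    ]
}

fn main() {
    let max = max_stream_event_bytes();
    let mut repo = StreamEventRepo::new(max);
    let resp = ingest_batch(&mut repo, sample_batch(max));
    println!("cap={max} bytes, {resp:?}, stored={}", repo.stored.len());
}
```

Run with `IONE_MAX_STREAM_EVENT_BYTES=1024` to see the override take effect; the boundary is inclusive (a payload of exactly `max` bytes is stored), which is the case a regression test for this kind of cap should pin down.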
…earthquake schema

TT-B01 (domain-agnostic UX): the map detail panel hardcoded USGS earthquake field names (magnitude/depth/PAGER/place/url). The backend already drives feature properties from operator-declared view_config.property_fields, so:
- event_layers.rs: EventLayer now carries the ordered propertyFields name manifest
- app.js openEventPopup: renders those fields (in declared order) from feature.properties, auto-linking URL values; removes magnitude/depth/PAGER/place hardcoding and PAGER_LABELS; threads the real layer through both call sites

Falls back to all non-internal properties when no manifest is present.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- New md/requirements/active/event-view-schema.md for TT-B01 (domain-agnostic event detail rendering contract)
- Update intake ledger: A06/A07/B01/C01/C08 shipped; A03b/A04b/C02 deferred with re-entry gates (capability-probe, InteractionEvent attribution, prompt-injection mitigation approach all need design, not surgical edits)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cover the shipped guards that lacked tests (live-DB integration, serial):
- TT-A02 subscribe rejects a non-active peer (400)
- TT-A04 binding create + delete require peers:manage (403, fail-closed)
- TT-A07 subscribe defers first poll when no Active binding exists
- TT-C01 oversized stream-event payloads -> InsertOutcome::Rejected, not stored
- TT-C09 oversized webhook data rejected at envelope validation

6/6 green against Postgres. Closes the test gap on the security-critical federation fixes before PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Tri-thrust advance on IONe's federation substrate (P7 / GroundPulse-substrate framing). Discovery ran as a dynamic workflow (4 rounds, 45 survivors); every landed fix was re-verified in code before editing. 11 validated items shipped + a generalization of the event-detail UI + negative-path regression tests.
Thrust A — federation core hardening

- TT-A01: parameterize critic evidence query (`= ANY($1)`)
- TT-A03: re-validate peer + binding status in `execute_pending_tool_call`
- TT-A04: `peers:manage` RBAC gate on binding create/patch/delete/refresh
- TT-A05: MCP session init race closed with the `dashmap` entry API
- TT-A06: `mcp_client` fails closed on workspace scope (C-1 cross-workspace leak)

Thrust B — domain generalization

- TT-B01: backend ships the `propertyFields` manifest; frontend drops the hardcoded earthquake schema (magnitude/depth/PAGER/place/USGS) and is now domain-agnostic.

Thrust C — ingestion hardening

- TT-C01: 64 KiB cap on stream_event payloads (`InsertOutcome::Rejected` + `skipped` count)
- TT-C08: `bucket_expr` panic → `Result`
- TT-C09: webhook `data` 100 KiB cap

Plus

- `md/requirements/active/event-view-schema.md` and the full intake ledger (`md/intake/tri-thrust-advance-2026-06-21.md`).

Tests

New `tests/federation_hardening_regression_integration.rs` — negative-path coverage, 6/6 green against live Postgres (serial, `--ignored`):

- `create_binding_403_without_peers_manage`
- `delete_binding_403_without_peers_manage`
- `subscribe_rejects_non_active_peer`
- `subscribe_active_peer_defers_first_poll`
- `oversized_stream_event_is_rejected`
- `oversized_webhook_data_is_rejected`

All shipped code is `cargo check` + `clippy` + `fmt` + `node --check` clean.

Not covered (follow-up)

- TT-A03 approval-time re-validation and TT-A06 `mcp_client` fail-closed are verified in code but not yet integration-tested — both need heavier service-level seeding (encrypted pending-call args; connector construction). Worth a second test pass.

Deferred (design-track, see intake ledger)
🤖 Generated with Claude Code
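Added example, by the editor, not IONe code and not part of this PR, for the two query-construction guards the description lists: the `= ANY($1)` parameterization of the critic evidence query (TT-A01, first commit) and `bucket_expr` returning an option instead of panicking on an unvalidated bucket (TT-C08, second commit). It is written against plain strings so it runs with no database; the `events` table, the `occurred_at` column, the query text and the function names are assumptions, and the commit says `Option` where the summary says `Result`, so `Option` is used here.

```rust
// Added example, not IONe code: TT-A01 (array parameter instead of spliced ids)
// and TT-C08 (allowlisted bucket expression that returns None instead of
// panicking). Table, column and function names are assumptions.

/// Before (vulnerable shape): event ids spliced into the SQL text. An id such as
/// `x') OR 1=1 --` rewrites the predicate. Kept only to contrast with the fix.
fn evidence_query_unsafe(event_ids: &[&str]) -> String {
    let quoted: Vec<String> = event_ids.iter().map(|id| format!("'{id}'")).collect();
    format!("SELECT id, body FROM events WHERE id IN ({})", quoted.join(", "))
}

/// After: fixed SQL text, ids bound as a single array parameter ($1). The SQL
/// string is a constant regardless of input, so nothing in `event_ids` can
/// alter the query; the driver ships the Vec as a text[] bind value.
fn evidence_query(event_ids: &[&str]) -> (&'static str, Vec<String>) {
    (
        "SELECT id, body FROM events WHERE id = ANY($1)",
        event_ids.iter().map(|s| s.to_string()).collect(),
    )
}

/// Before (TT-C08): an unvalidated bucket fell through to a panicking arm, so a
/// bad query-string value crashed the request. After: None, and the caller
/// answers 400. The bucket name selects from an allowlist of fixed SQL; the
/// caller's string itself never reaches the query text.
fn bucket_expr(bucket: &str) -> Option<String> {
    let unit = match bucket {
        "minute" => "minute",
        "hour" => "hour",
        "day" => "day",
        _ => return None,
    };
    // `occurred_at` is an assumed column name, fixed in code, never user input.
    Some(format!("date_trunc('{unit}', occurred_at)"))
}

/// Aggregate query builder combining both guards: bucket validated through
/// bucket_expr, ids bound as $1. Returns None for an unknown bucket.
fn aggregate_query(bucket: &str, event_ids: &[&str]) -> Option<(String, Vec<String>)> {
    let bucket_sql = bucket_expr(bucket)?;
    let sql = format!(
        "SELECT {bucket_sql} AS bucket, count(*) FROM events WHERE id = ANY($1) GROUP BY 1 ORDER BY 1"
    );
    Some((sql, event_ids.iter().map(|s| s.to_string()).collect()))
}

fn main() {
    // Constructed hostile input: one real-looking id and one injection attempt.
    let hostile = ["evt-1", "x') OR 1=1 --"];
    println!("unsafe: {}", evidence_query_unsafe(&hostile));
    let (sql, params) = evidence_query(&hostile);
    println!("safe:   {sql}  params={params:?}");
    println!("bucket: {:?}", bucket_expr("hour"));
    println!("bad:    {:?}", bucket_expr("hour); DROP TABLE events; --"));
    println!("agg:    {:?}", aggregate_query("minute", &hostile));
}
```

The check worth carrying into the real repo tests is the one `evidence_query` makes trivially true: the SQL text must be byte-identical for benign and hostile input, with the hostile value present only in the bind parameters.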