unibus

dataforge/unibus

Fork 0

Commit Graph

Author	SHA1	Message	Date
egutierrez	30577145ce	feat(membershipd): refuse fail-open startup configs Audit H2 (Alto). The binary defaulted to --bus-auth off, the NATS nkey authenticator only turned on under enforce, and TLS was an independent flag. Booting --bind 0.0.0.0 --tls-cert … without --bus-auth enforce left both planes open while looking secure. validateBootConfig is a pure guard, called right after flag parsing, that log.Fatals on two insecure shapes: - a non-loopback --bind without --bus-auth enforce, and - --tls-cert/--tls-key without --bus-auth enforce. An insecure public startup is now impossible (the process exits), so a fail-open data plane never comes up for an unregistered client to reach. TestAudit_FailOpenTLSWithoutAuth plus a full policy table cover golden (public+enforce, dev loopback) and every refused shape. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 14:17:37 +02:00

Author

SHA1

Message

Date

egutierrez

30577145ce

feat(membershipd): refuse fail-open startup configs

Audit H2 (Alto). The binary defaulted to --bus-auth off, the NATS nkey
authenticator only turned on under enforce, and TLS was an independent flag.
Booting --bind 0.0.0.0 --tls-cert … without --bus-auth enforce left both
planes open while looking secure.

validateBootConfig is a pure guard, called right after flag parsing, that
log.Fatals on two insecure shapes:
  - a non-loopback --bind without --bus-auth enforce, and
  - --tls-cert/--tls-key without --bus-auth enforce.

An insecure public startup is now impossible (the process exits), so a
fail-open data plane never comes up for an unregistered client to reach.
TestAudit_FailOpenTLSWithoutAuth plus a full policy table cover golden
(public+enforce, dev loopback) and every refused shape.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 14:17:37 +02:00

1 Commits