
fix: revoke stale egress access #754

Merged
steipete merged 1 commit into main from codex/revoke-egress-access
Jul 1, 2026

Conversation

steipete (Contributor) commented Jul 1, 2026

Summary

  • bind mediated-egress tickets and accepted sockets to the server-derived lease principal
  • reauthorize and register sockets atomically with lease-share changes
  • revoke both halves of live or restored sessions when manage access is removed or downgraded
  • fail closed restored legacy egress attachments that have no recoverable principal

Closes #730

Verification

  • npm run format:check --prefix worker
  • npm run lint --prefix worker
  • npm run check --prefix worker
  • npm test --prefix worker (700 tests)
  • npm run build --prefix worker
  • source-blind behavior validation: 6 passed, 0 failed, 0 blocked
  • autoreview: clean, no actionable findings
  • git diff --check

Security and compatibility

  • Egress still requires owner or manage access; use-only access remains insufficient.
  • Admission and share updates use the same coordinator lock, closing the consume-to-register race.
  • Existing principal-less restored egress sockets are closed once with policy code 1008 and must reconnect with a fresh ticket.
  • No credential, configuration, or protocol-message changes.
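As an added illustration (not the project's code and not from the PR author), a minimal single-threaded model of the semantics the summary lists: tickets bound to a principal, consume-and-register in one step, revocation of both session halves on share downgrade or removal, and fail-closed restore of principal-less sessions. Every class, method and field name below is an assumption made for this illustration.

```javascript
// Added illustrative model (not the project's code) of the lease-gated egress
// coordinator the PR summary describes; every name below is assumed for illustration.
const POLICY_VIOLATION = 1008; // close code quoted in the PR description
// Minimal stand-in for a WebSocket that records how it was closed.
const fakeSocket = () => ({ closed: null, close(code, reason) { this.closed = { code, reason }; } });
class EgressCoordinator {
  constructor() {
    this.shares = new Map();   // principal -> 'owner' | 'manage' | 'use'
    this.tickets = new Map();  // ticketId -> principal the ticket is bound to
    this.sessions = new Map(); // principal -> Set of [clientHalf, targetHalf]
    this.nextTicket = 1;
  }
  // Egress needs owner or manage access; use-only is insufficient.
  canEgress(principal) { return ['owner', 'manage'].includes(this.shares.get(principal)); }
  // Share updates and admissions are synchronous bodies, so in a single-threaded worker
  // they cannot interleave (standing in for the coordinator lock); downgrade revokes all.
  setShare(principal, level) {
    if (level === null) this.shares.delete(principal); else this.shares.set(principal, level);
    if (!this.canEgress(principal)) this.revoke(principal, 'lease share revoked');
  }
  issueTicket(principal) {
    if (!this.canEgress(principal)) throw new Error('egress not permitted');
    const id = `t${this.nextTicket++}`;
    this.tickets.set(id, principal); return id;
  }
  // Consume the ticket, re-check the lease and register in one step, so a
  // revocation cannot slip in between consume and register.
  admit(ticketId, clientHalf, targetHalf) {
    const principal = this.tickets.get(ticketId);
    this.tickets.delete(ticketId);
    return this.attach(principal, clientHalf, targetHalf, 'ticket invalid or lease revoked');
  }
  // Restored sessions with no recoverable principal fail closed.
  restore(principal, a, b) { return this.attach(principal, a, b, 'no recoverable principal'); }
  attach(principal, a, b, reason) {
    if (principal == null || !this.canEgress(principal)) {
      for (const s of [a, b]) s.close(POLICY_VIOLATION, reason);
      return false;
    }
    if (!this.sessions.has(principal)) this.sessions.set(principal, new Set());
    this.sessions.get(principal).add([a, b]);
    return true;
  }
  // Drop pending tickets and close both halves of every live session for the principal.
  revoke(principal, reason) {
    for (const [id, p] of this.tickets) if (p === principal) this.tickets.delete(id);
    for (const halves of this.sessions.get(principal) ?? []) for (const h of halves) h.close(POLICY_VIOLATION, reason);
    this.sessions.delete(principal);
  }
}
```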

@steipete steipete merged commit c99a6dc into main Jul 1, 2026
11 checks passed
@steipete steipete deleted the codex/revoke-egress-access branch July 1, 2026 10:26

Development

Linked issue (may be closed by this pull request): [security] Egress bridges remain usable after lease share revocation
