Skip to content

security(onboard): replace rebuild recovery flag with authorization receipt #6666

Description

@prekshivyas

Problem

#6665 restores compatible-endpoint credential reuse during an authoritative rebuild by allowing a preflighted, matching pending session to recover its recorded provider. The current handoff is a narrowly validated boolean capability. It should become an explicit, one-shot authorization receipt bound to the exact rebuild target.

The recovery authorization recheck also needs direct concurrency coverage for the TOCTOU cases previously identified in #6634.

Acceptance criteria

  • Mint a provider-recovery authorization receipt only after locked rebuild preflight validates the sandbox, session, gateway, provider, model, and route.
  • Bind and validate the receipt at provider selection and again inside the sandbox and gateway mutation locks.
  • Reject replay, cross-sandbox use, session mismatch, expired or malformed receipts, and foreign or ownerless reservations.
  • Add a concurrent same-sandbox recovery test proving only the reservation owner succeeds.
  • Add a registry-mutation race test proving a foreign reservation introduced after initial selection is rejected inside the mutation locks.
  • Remove the authoritative incomplete-session boolean exception and its temporary lifecycle comment once the receipt is in use.

Context

Follow-up to #6634 and #6665. This issue tracks the durable replacement; #6665 keeps the current exception fail-closed with matching identity, reservation rechecks, and exact-head E2E coverage.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: onboardingOnboarding FSM, provider setup, sandbox launch, or first-run flowarea: securitySecurity controls, permissions, secrets, or hardening

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions