feat: implement Problem 04 Delegatable Auth with simulation and valid…#85
feat: implement Problem 04 Delegatable Auth with simulation and valid…#85mahesh-morde wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a new “delegatable” auth plugin and an accompanying built-in simulation scenario (“delegated_auth”) to exercise capability delegation with scope narrowing and cascading revocation, plus validators and unit tests to enforce the intended security properties.
Changes:
- Introduces
DelegatableAuth(macaroon-style chained delegation + cascading revocation) as a reference auth plugin and registers it in the plugin registry. - Adds a built-in
delegated_authscenario + YAML configuration and hooks it into the scenario factory loader. - Adds scenario validators and a comprehensive test suite for delegation, revocation, TTL capping, determinism, and audience enforcement.
Reviewed changes
Copilot reviewed 8 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| scenarios/delegated_auth.yaml | New scenario definition for delegated auth simulation run. |
| packages/nest-plugins-reference/nest_plugins_reference/auth/delegatable.py | New DelegatableAuth implementation (issue/verify/revoke + delegate). |
| packages/nest-core/tests/test_delegatable_auth.py | New unit tests covering delegated auth behavior and attack resistance. |
| packages/nest-core/nest_core/validators.py | Adds delegated-auth validators and registers them under VALIDATORS["delegated_auth"]. |
| packages/nest-core/nest_core/scenarios.py | Registers delegated_auth built-in scenario loader branch. |
| packages/nest-core/nest_core/scenarios_builtin/delegated_auth.py | New built-in scenario agent fleet implementing the delegation topology. |
| packages/nest-core/nest_core/plugins.py | Registers the new ("auth", "delegatable") plugin mapping. |
| .gitignore | Adds ignores (currently looks unrelated to this PR’s scope). |
| git_log.txt | New file containing a git log snippet (appears unrelated to this PR). |
| git_status.txt | Empty file included in PR context. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| return [ValidationResult( | ||
| "delegated_auth_audience_confusion", | ||
| False, | ||
| "Audience confusion occurred and was rejected" | ||
| )] | ||
| return [ValidationResult("delegated_auth_audience_confusion", True, "No audience confusion observed")] |
| return [ValidationResult( | ||
| "delegated_auth_stale_parent", | ||
| True, | ||
| f"Cascading revocation succeeded (observed {failed_verifications} cascading failures)" | ||
| )] |
| import asyncio | ||
| from typing import Any |
| root_scopes = ["read", "write", "exec", "admin"] | ||
| delegate_scopes = ["read", "write", "exec"] | ||
| leaf_scopes = ["read", "exec"] |
| revokes one intermediary's token; the downstream 4 leaves must fail | ||
| verification. Three adversarial validators check: no scope escalation | ||
| occurred, no stale-parent token was accepted, and no audience confusion. |
| commit bb8e67dad32af0b3b4f25636138628fbe8f7a13f | ||
| Author: mariagorskikh <maria@maritime.sh> | ||
| Date: Mon Jul 6 15:41:26 2026 -0700 | ||
|
|
||
| Add mobile nav menu to the header |
ed61983 to
cebd6fc
Compare
|
Thanks @mahesh-morde. I pulled the branch and ran it, and the core of this is solid: Not ready to merge as-is though. Four things to work through: 1. The validators never fail against the The problem statement is explicit: the validator must FAIL against the default 2. The simulation path is non-deterministic: same seed, different trace bytes.
3. The branch conflicts with main and lint is red. A 3-way merge against current main conflicts in 4. Scope hygiene and the PR body. The Suggested path forward:
Leaving this open. Ping me on the hackathon channel if the validator-discrimination pattern is unclear; the |
d40e62d to
32b528f
Compare
|
Hi @dhve , thanks for the detailed review and guidance! I've just pushed a new commit addressing all four of your points.
Let me know if there's anything else needed before we merge! |
32b528f to
4feebbb
Compare
feat: implement Problem 04 Delegatable Auth with simulation and valid…