IDENTITY CONTROL PLANE / K20

同一主体、两个客户端、两次撤销,下一请求全部拒绝

K20 不再只展示单元测试:它启动精确 Auth 二进制,签发 developer-portal 与 order-web 两条独立会话,并调用两个仓库中的真实消费端代码完成 ALLOW → REVOKE → DENY。证据可重复、无 token 残留,但不冒充生产邮箱 OTP。

CONTROLLED JOURNEY PROVEN真实 Auth 与两个消费端已完成 allow → revoke → next-request deny

同一合成主体跨两个 client 保持身份一致,但会话、scope 与撤销严格隔离。真实生产邮箱 OTP、其他资源服务器、产品会话 UI 与签名密钥轮换仍保持独立阻断门。

PRODUCTION OTP PENDING
EXACT RELEASE89acdf1source = production
CONTROLS2910 K17 + 8 K18 + 6 K19 + 5 K20
SOURCE CHECKS51contracts + witness assertions
JOURNEY ASSERTIONS172 clients · 2 receipts · 2 deny
PRODUCT UI PROVEN0G5 remains blocked

CURRENT RELEASE TRACE

代码、迁移、权限、运行与外网回执绑定到一个版本

只有明确核实的生产事实进入 CURRENT。生产迁移使用 operator 身份;运行账户只有 SELECT / INSERT / UPDATE / DELETE,没有 DDL 或授权权限。

01GITEA MAIN89acdf1

session code + migration

02MYSQL2 tables

sessions + append-only events

03RUNTIME127.0.0.1:8095

least privilege · loopback

04READINESS2 / 2

im-core + registry ready

05PUBLIC EDGEauth.reits.tech

TLS · HSTS · no-store

K20 REVOCATION JOURNEY CONSOLE

一张可以复跑、审计和定位失败步骤的真实旅程工作台

UI 直接绑定本次跨进程运行证据:Auth、Open Platform 与 Booking 都是精确仓库代码;只有用户身份与凭证使用合成数据。生产 OTP 未发送,因此 G8 仍保持 PARTIAL。

ALL ASSERTIONS PASSED17 / 17
EVIDENCE CLASScontrolled-cross-processGENERATED2026-07-17 05:01:58ZSHA-256d8096e7755a65a96PRODUCTION OTPNOT TRIGGERED
EXECUTION LANES

从签发到下一请求拒绝

positive cache 0s
01
Open Platform Developer APIfa9283d · developer-portal · developer:write
PASS
1ISSUESESSIONpreview providerdev_code absent
2BEFOREALLOWauthorizedreal consumer
3AUTHREVOKEevt_a9301caa4f1a7creceipt persisted
4NEXT REQUESTDENYsession_inactiverefresh also 401
02
Booking member / merchant API83d31a0 · order-web · order:write
PASS
1ISSUESESSIONpreview providerdev_code absent
2BEFOREALLOWauthorizedreal consumer
3AUTHREVOKEevt_ad97528be984ccreceipt persisted
4NEXT REQUESTDENYauth_session_inactiverefresh also 401
Auth introspectionactive=false × 2
Bounded refresh401 reauthentication_required × 2
Secret handlingtoken never persisted / logged / evidenced
IDControlRuntime decisionEvidenceStatus
AUTH-JRN-01Exact cross-process code

启动 reits-auth 89acdf1,并调用两个仓库中的真实消费端实现,而不是复制策略 mock

witness source revisions + 17 assertionsPASS
AUTH-JRN-02Two client sessions

同一合成主体分别签发 developer-portal 与 order-web 会话;audience/scope 不跨客户端复用

same principal + two session refsPASS
AUTH-JRN-03Allow → revoke → deny

每条 lane 先得到 ALLOW,再写入 revoke receipt,随后下一次消费端请求得到 typed deny

2 allow + 2 receipts + 2 denyPASS
AUTH-JRN-04Client isolation

撤销 developer-portal 会话后,order-web 会话仍保持 active,直到自身被撤销

client-isolation assertionPASS
AUTH-JRN-05No credential residue

仅允许 loopback HTTP;token 不持久化、不记录、不进入证据;challenge 不暴露 dev_code

loopback guards + redaction assertionsPASS

K19 CONSUMER AUTHORIZATION WORKBENCH

把一次保护请求拆成可检查、可拒绝、可追踪的五步判定

K19 的单请求判定蓝图继续保留,用于产品实现 client、scope、subject 与 object 的逐层解释;K20 控制台则负责真实跨进程撤销证据。

DETERMINISTIC UI FIXTURE · PRODUCTION POLICY

策略来自 Open Platform fb1a1b4 与 Booking 83d31a0;生产 smoke 仅使用无效 token,没有创建真实 OTP 用户。

positive cache 0s
AUTHORIZATION DECISION / TRACE

Publish miniapp release

req_k19_A71C
  1. 01
    Resolve route policy

    developer-portal + developer:write

    MATCH
  2. 02
    Introspect Auth session

    active · sid ses_k19 · no positive cache

    ACTIVE
  3. 03
    Bind principal

    uid 42 + email → developer account

    BOUND
  4. 04
    Authorize object

    app.owner_id = account.id

    OWNER
  5. 05
    Execute + receipt

    publish only after every guard passes

    ALLOW
FINAL DECISIONALLOW

所有边界通过后才调用 publish handler;对象 owner 规则没有被 scope 替代。

latency
fixture 34 ms
receipt
dec_demo_91B2
Consumer / releaseClientRead / writeSubject bindingObject boundaryRevocation / readinessState
Open Platform Developer APIsource fa9283d · runtime fb1a1b4developer-portaldeveloper:readdeveloper:write

im_core_uid + email → developer account

app.owner_id

K20 allow→revoke→next-request denyMySQL + Auth

DEPLOYED
Booking member / merchant API83d31a0order-weborder:readorder:write

email or stored im_core_uid

member → project / tenant / owner

K20 allow→revoke→deny; bounded refreshAuth session authority

DEPLOYED
OpenSDK bot / host integrationse50cb8aindependent bot tokenconsumer-specificconsumer-specific

not reits-auth user session

host/app binding

separate credential lifecyclenot in K19 first slice

NOT-AUDITED
Other resource serversmust be registeredmust be declaredmust be declared

must be bound

tenant + resource owner

must introspect or consume revoke eventmust include Auth when protected

TARGET

K19 CONSUMER CONTROL MATRIX

六项消费端控制已经从代码走到公网运行

PASS 只覆盖本刀选择的 Open Platform 与 Booking;不会外推成 OpenSDK 或所有资源服务器都已完成。

ID / serviceControlRuntime decisionEvidenceStatus
AUTH-CON-01Open PlatformPer-request active session

每个受保护请求直连 Auth introspection;正向缓存 0 秒

fa9283d · no-cache contract · K20 cross-process witnessPASS
AUTH-CON-02Open PlatformExact client + route scope

client=developer-portal;GET apps 需 developer:read;所有 create/upload/publish 需 developer:write

route middleware + wrong-client/scope negativesPASS
AUTH-CON-03Open PlatformAccount + app ownership

Auth subject 映射 developer account;presign/upload/publish 继续校验 app owner

request context subject + ensureOwnerPASS
AUTH-CON-04BookingLocal session cannot outlive Auth

本地 tok_* 先解析但不信任;Auth active 后才进入 member/project/tenant owner 规则

83d31a0 · member preflight · K20 cross-process witnessPASS
AUTH-CON-05BookingBounded refresh + subject binding

过期 access 最多刷新一次;client=order-web;GET/HEAD 需 order:read,写请求需 order:write;email/IM UID 防漂移

9 Node contract results · production invalid-token sidecarPASS
AUTH-CON-06Edge / readinessDependency-aware fail closed

inactive=401、client/scope/subject=403、Auth unavailable=503;公共只读接口不被身份故障拖垮

openapi/order ready · Nginx public readiness · exact releasePASS

SESSION REGISTRY WORKBENCH

真正可开发的会话管理 UI,而不是概念卡片

参考成熟云控制台的信息密度与破坏性操作分层:先展示当前会话和会话边界,再通过确认层执行撤销,最后给出可复制的审计回执。这里使用确定性样例来定义 UI,不代表生产已有用户数据。

UI FIXTURE · NOT PRODUCTION DATA

生产审计时 auth_sessions = 0、auth_session_events = 0;未执行真实邮箱 OTP,因此下方两个会话仅用于设计与开发验收。

boundary 1784259900
PERSONAL SECURITY / SESSIONS

设备与会话

查看当前应用会话,并撤销不再使用的会话。撤销后,下一次 Auth 校验立即拒绝。

当前客户端Open Platformsubject + client 隔离
活跃会话2 / 20超额自动撤销最旧记录
最长边界24hrefresh 不延长总边界
数据来源Auth设备字段尚未联邦关联
活跃会话仅显示当前 subject 与 client
当前浏览器Open Platform · ses_7F2A
创建刚刚剩余23h 58mCURRENT
设备信息待联邦关联Open Platform · ses_1C9D
创建昨天 09:42剩余6h 14mACTIVE
为什么没有设备名、IP 和浏览器?

当前 Auth API 不采集这些字段。目标产品必须通过受控联邦适配器关联 im-core DeviceSession;不得从 User-Agent 猜测并写成 CURRENT。

查看字段与证据 Gate →
01READY

真实密度、当前会话、操作边界

02EMPTY

解释没有活跃记录,不制造设备

03CONFIRM

对象、影响、保留项与二次确认

04SUCCESS

回执、结果和下一步可见

05DEPENDENCY-ERROR

registry 不可用时禁止撤销与刷新

K18 SESSION CONTROL MATRIX

八项会话变化从代码一路追到生产

PASS 表示 Auth 服务控制已实现;消费端覆盖以 K19 独立矩阵为准,也不会把本页设计稿当成产品 UI。

ID / domainControlBeforeCurrentEvidenceStatus
AUTH-SES-01RegistryDurable session liveness

JWT 自证存活

auth_sessions 是 refresh/introspect/me 的在线权威;缺失、撤销、过期或不可用均 fail-closed

MySQL migration + API testsPASS
AUTH-SES-02IssuancePersist before token return

签名后直接返回

会话成功持久化后才向调用方返回 JWT

issue/store failure testsPASS
AUTH-SES-03RevocationImmediate Auth propagation

只能等待 token 到期

单会话、当前会话和其他会话撤销立即作用于 refresh/introspect/me

revoke propagation testsPASS
AUTH-SES-04IsolationSubject + client inventory boundary

无会话列表

只列出当前 subject 与 client 的会话;不臆造设备、IP、UA

ownership/client negative testsPASS
AUTH-SES-05AuditAppend-only safe receipts

无撤销回执

create/revoke/noop 写入 auth_session_events;不记录 token、IP 或 User-Agent

event table + idempotency testsPASS
AUTH-SES-06CapacityActive-session bound

会话数量无上限

每 subject + client 最多 20 个;始终保留最新并自动撤销最旧超额会话

cap concurrency testsPASS
AUTH-SES-07MigrationBounded K17 enrollment

上线会使全部已有会话失效

只允许边界后的 K17 完整 claim 首次自注册;旧 Preview token 永不补录

boundary/legacy negative testsPASS
AUTH-SES-08OperationsLeast-privilege runtime

运行身份与迁移职责未分离

DDL 由 operator 执行;Auth 账户仅 SELECT/INSERT/UPDATE/DELETE;readiness 检查 registry

production grants + sidecar + external smokePASS

K17 SECURITY FOUNDATION

展开十项底层安全控制

Preview fail-closed、OTP abuse bound、JWT boundary、readiness 与 immutable release。
ID / domainControlBeforeCurrentEvidenceStatus
AUTH-CFG-01RuntimeProduction configuration preflight

单个开关可启用 preview

环境、监听、上游、密钥、TTL、preview 组合不安全即拒绝启动

Config.Validate + ExecStartPrePASS
AUTH-CFG-02RuntimeLoopback-only service

*:8095

127.0.0.1:8095,只通过 Nginx TLS 暴露

EC2 socket + exact releasePASS
AUTH-OTP-01ChallengePreview bypass removal

allow/override/dev_code/fixed code 全开

production 四项全部关闭,phone/wallet preview unavailable

/v1/meta + negative smokePASS
AUTH-OTP-02ChallengeChallenge abuse bound

无创建频率与失败次数上限

每 client/kind/subject 5 次/10 分钟;单 challenge 最多 5 次失败

race tests + external negativePASS
AUTH-JWT-01TokenIssuer / audience / client binding

仅验 HS256 签名与 exp

固定 header、iss、aud=client、registered client、subject、sid、iat/exp

cross-audience negative testPASS
AUTH-JWT-02TokenBounded session refresh

过期 access token 可无明确边界刷新

1h access、24h refresh_exp,刷新保留 sid/auth_time 且不能延长总边界

refresh boundary testsPASS
AUTH-API-01APISafe request/response envelope

query token、宽松 JSON、内部 URL metadata

Bearer/POST only、strict JSON、no-store、request ID、内部 URL 脱敏

handler negative tests + public metaPASS
AUTH-API-02APICompatibility profile binding

caller header 可参与 profile 选择

route 固定 client/kind;显式 browser Origin 必须在 client allowlist

profile escalation negative testPASS
AUTH-OPS-01OperationsLiveness / readiness split

health 同时混入上游状态

/healthz 只测进程;/readyz 同时要求 im-core 与 session-registry

local + external smokePASS
AUTH-OPS-02OperationsHardened release runtime

可变 current 目录、弱 systemd sandbox

immutable release、配置备份、回滚目录、systemd sandbox、HSTS

release 89acdf1 + service journalPASS

IDENTITY SCREEN READINESS

七张 UI 按能力逐页归位

PARTIAL CURRENT 表示后端能力存在,不表示目标 UI 已在产品仓实现。会话页本刀新增的是开发蓝图,G5 仍 fail-closed。

01
platform-auth-signin

统一登录选择

PARTIAL CURRENT
CURRENT IMPLEMENTATION
  • 真实 im-core 邮箱 OTP
  • client/kind/origin 边界
  • 生产 Preview fail-closed
MISSING / TARGET
  • 企业身份
  • 多身份选择 UI
  • 完整返回上下文 consumer evidence
02
platform-auth-otp

OTP 验证

PARTIAL CURRENT
CURRENT IMPLEMENTATION
  • challenge create/verify
  • 600s TTL
  • 创建限流与五次失败锁定
MISSING / TARGET
  • 持久化/多实例 challenge
  • 真实 OTP E2E artifact
  • 重发/倒计时/a11y UI fixture
03
platform-auth-mfa

强认证

TARGET ONLY
CURRENT IMPLEMENTATION

没有可登记的产品能力。

MISSING / TARGET
  • Passkey
  • 认证器
  • 可信设备确认
  • 恢复码
  • 高风险动作 step-up
04
platform-auth-sessions

设备与会话

PARTIAL CURRENT
CURRENT IMPLEMENTATION
  • MySQL durable Session Registry
  • 会话列表与 current/single/others revoke
  • 撤销事件回执与 20 会话上限
  • K17 有界迁移
  • Booking / Open Platform 下一请求传播
  • K20 受控跨进程 allow→revoke→deny 见证
MISSING / TARGET
  • 产品会话管理 UI
  • 设备/IP/UA 与 im-core 联邦关联
  • 其他资源服务器传播
  • 签名密钥轮换
  • 经授权的生产邮箱 OTP 会话旅程
06
platform-auth-recovery

账号恢复

TARGET ONLY
CURRENT IMPLEMENTATION

没有可登记的产品能力。

MISSING / TARGET
  • 可信设备恢复
  • 安全等待期
  • 人工复核
  • 恢复状态与保留策略
07
platform-forbidden

无权限与受限资源

PARTIAL CURRENT
CURRENT IMPLEMENTATION
  • issuer/audience/client 拒绝
  • Origin 拒绝
  • 撤销/缺失 session_inactive
  • 安全 401/403/503 envelope
  • Open Platform app owner + Booking project/tenant owner
MISSING / TARGET
  • 统一 AuthorizationDecision schema
  • 访问申请
  • 组织角色关系
  • 全资源服务器覆盖

EXECUTABLE FLOWS

六条链路定义安全边界

01

Production email OTP

  1. Client + allowed route
  2. subject limiter
  3. im-core send/check
  4. login-user
  5. persist session
  6. bound JWT
FAIL-CLOSED

任何上游或 registry 失败都不能返回 token 或回退 fixed code

02

Durable issue / refresh

  1. Verify claims
  2. Find active session
  3. Match client/subject/scopes
  4. Enforce refresh_exp
  5. Cap new exp
  6. Return bounded JWT
FAIL-CLOSED

数据库不可用、记录缺失或边界不匹配一律 session_inactive

03

Inventory / revoke

  1. Authenticate current session
  2. List same subject + client
  3. Confirm impact
  4. Revoke one/current/others
  5. Append receipt
  6. Deny next Auth use
FAIL-CLOSED

撤销幂等;不跨 client,不把 token/IP/UA 写入事件

04

Release / rollback

  1. Exact Gitea SHA
  2. Operator migration
  3. Least-privilege preflight
  4. Side-port checks
  5. Atomic current switch
  6. External smoke
FAIL-CLOSED

失败恢复 env/unit/nginx/current;additive schema 可留存

05

Consumer authorization

  1. Resolve client + route scope
  2. Introspect active session
  3. Bind local subject
  4. Check tenant / object owner
  5. Execute or typed deny
FAIL-CLOSED

无正向撤销缓存;401/403/503 不混淆;Auth 故障不允许保护操作继续

06

Cross-process revocation witness

  1. Start exact Auth binary
  2. Issue two client sessions
  3. Run real consumer allow
  4. Revoke each session
  5. Run next-request deny
  6. Verify refresh/introspection deny
FAIL-CLOSED

仅 loopback staging;token 不落盘/日志/证据;不能冒充生产 OTP 证明

G1–G8 EVIDENCE

六道通过,一道部分,一道阻断

G4 已加入 K20 的 17/17 跨进程断言;G5 仍没有产品仓 UI 证据,G8 仍缺经授权的生产邮箱 OTP 旅程,因此 Identity 不能标成 production proven。

G1PASS

Scope

K20 controlled journey · Auth + 2 consumer repos · 7 Screen ID impact

G2PASS

Static

gofmt · go vet · static build · config/store check

G3PASS

Unit

15 Auth race tests + two loopback witness guards · registry/revoke/migration negatives

G4PASS

Contract

K19 17 consumer checks + K20 17/17 cross-process assertions;two client lanes

G5BLOCKED

Experience

本页为 UI fixture;7 个产品 UI 九态、visual、a11y、interaction 尚未接入

G6PASS

Security

preview/audience/origin/registry/ownership/revoke/legacy-enroll negatives

G7PASS

Release

exact SHA · additive migration · least privilege · immutable rollback

G8PARTIAL

Production

精确代码受控旅程已通过;生产 release/readiness 正常;仍未获授权执行真实邮箱 OTP 用户旅程

NEXT KNIFE / K21

Approved Production Synthetic & Key Rotation

在明确授权和清理回执下执行生产邮箱 OTP synthetic,补签名密钥轮换/双钥验证,并把同一撤销契约扩展到剩余资源服务器;产品会话 UI 继续通过 visual/a11y/interaction gate。

打开 Session Packet