IDENTITY CONTROL PLANE / K20
同一主体、两个客户端、两次撤销,下一请求全部拒绝
K20 不再只展示单元测试:它启动精确 Auth 二进制,签发 developer-portal 与 order-web 两条独立会话,并调用两个仓库中的真实消费端代码完成 ALLOW → REVOKE → DENY。证据可重复、无 token 残留,但不冒充生产邮箱 OTP。
同一合成主体跨两个 client 保持身份一致,但会话、scope 与撤销严格隔离。真实生产邮箱 OTP、其他资源服务器、产品会话 UI 与签名密钥轮换仍保持独立阻断门。
CURRENT RELEASE TRACE
代码、迁移、权限、运行与外网回执绑定到一个版本
只有明确核实的生产事实进入 CURRENT。生产迁移使用 operator 身份;运行账户只有 SELECT / INSERT / UPDATE / DELETE,没有 DDL 或授权权限。
session code + migration
sessions + append-only events
least privilege · loopback
im-core + registry ready
TLS · HSTS · no-store
K20 REVOCATION JOURNEY CONSOLE
一张可以复跑、审计和定位失败步骤的真实旅程工作台
UI 直接绑定本次跨进程运行证据:Auth、Open Platform 与 Booking 都是精确仓库代码;只有用户身份与凭证使用合成数据。生产 OTP 未发送,因此 G8 仍保持 PARTIAL。
从签发到下一请求拒绝
fa9283d · developer-portal · developer:writeauthorizedreal consumerevt_a9301caa4f1a7c…receipt persistedsession_inactiverefresh also 40183d31a0 · order-web · order:writeauthorizedreal consumerevt_ad97528be984cc…receipt persistedauth_session_inactiverefresh also 401AUTH-JRN-01Exact cross-process code启动 reits-auth 89acdf1,并调用两个仓库中的真实消费端实现,而不是复制策略 mock
witness source revisions + 17 assertionsPASSAUTH-JRN-02Two client sessions同一合成主体分别签发 developer-portal 与 order-web 会话;audience/scope 不跨客户端复用
same principal + two session refsPASSAUTH-JRN-03Allow → revoke → deny每条 lane 先得到 ALLOW,再写入 revoke receipt,随后下一次消费端请求得到 typed deny
2 allow + 2 receipts + 2 denyPASSAUTH-JRN-04Client isolation撤销 developer-portal 会话后,order-web 会话仍保持 active,直到自身被撤销
client-isolation assertionPASSAUTH-JRN-05No credential residue仅允许 loopback HTTP;token 不持久化、不记录、不进入证据;challenge 不暴露 dev_code
loopback guards + redaction assertionsPASSK19 CONSUMER AUTHORIZATION WORKBENCH
把一次保护请求拆成可检查、可拒绝、可追踪的五步判定
K19 的单请求判定蓝图继续保留,用于产品实现 client、scope、subject 与 object 的逐层解释;K20 控制台则负责真实跨进程撤销证据。
Publish miniapp release
req_k19_A71C- 01Resolve route policyMATCH
developer-portal + developer:write
- 02Introspect Auth sessionACTIVE
active · sid ses_k19 · no positive cache
- 03Bind principalBOUND
uid 42 + email → developer account
- 04Authorize objectOWNER
app.owner_id = account.id
- 05Execute + receiptALLOW
publish only after every guard passes
所有边界通过后才调用 publish handler;对象 owner 规则没有被 scope 替代。
- latency
- fixture 34 ms
- receipt
- dec_demo_91B2
source fa9283d · runtime fb1a1b4developer-portaldeveloper:readdeveloper:writeim_core_uid + email → developer account
app.owner_id
K20 allow→revoke→next-request denyMySQL + Auth
DEPLOYED83d31a0order-weborder:readorder:writeemail or stored im_core_uid
member → project / tenant / owner
K20 allow→revoke→deny; bounded refreshAuth session authority
DEPLOYEDe50cb8aindependent bot tokenconsumer-specificconsumer-specificnot reits-auth user session
host/app binding
separate credential lifecyclenot in K19 first slice
NOT-AUDITED—must be registeredmust be declaredmust be declaredmust be bound
tenant + resource owner
must introspect or consume revoke eventmust include Auth when protected
TARGETK19 CONSUMER CONTROL MATRIX
六项消费端控制已经从代码走到公网运行
PASS 只覆盖本刀选择的 Open Platform 与 Booking;不会外推成 OpenSDK 或所有资源服务器都已完成。
AUTH-CON-01Open PlatformPer-request active session每个受保护请求直连 Auth introspection;正向缓存 0 秒
fa9283d · no-cache contract · K20 cross-process witnessPASSAUTH-CON-02Open PlatformExact client + route scopeclient=developer-portal;GET apps 需 developer:read;所有 create/upload/publish 需 developer:write
route middleware + wrong-client/scope negativesPASSAUTH-CON-03Open PlatformAccount + app ownershipAuth subject 映射 developer account;presign/upload/publish 继续校验 app owner
request context subject + ensureOwnerPASSAUTH-CON-04BookingLocal session cannot outlive Auth本地 tok_* 先解析但不信任;Auth active 后才进入 member/project/tenant owner 规则
83d31a0 · member preflight · K20 cross-process witnessPASSAUTH-CON-05BookingBounded refresh + subject binding过期 access 最多刷新一次;client=order-web;GET/HEAD 需 order:read,写请求需 order:write;email/IM UID 防漂移
9 Node contract results · production invalid-token sidecarPASSAUTH-CON-06Edge / readinessDependency-aware fail closedinactive=401、client/scope/subject=403、Auth unavailable=503;公共只读接口不被身份故障拖垮
openapi/order ready · Nginx public readiness · exact releasePASSSESSION REGISTRY WORKBENCH
真正可开发的会话管理 UI,而不是概念卡片
参考成熟云控制台的信息密度与破坏性操作分层:先展示当前会话和会话边界,再通过确认层执行撤销,最后给出可复制的审计回执。这里使用确定性样例来定义 UI,不代表生产已有用户数据。
设备与会话
查看当前应用会话,并撤销不再使用的会话。撤销后,下一次 Auth 校验立即拒绝。
ses_7F2Ases_1C9D当前 Auth API 不采集这些字段。目标产品必须通过受控联邦适配器关联 im-core DeviceSession;不得从 User-Agent 猜测并写成 CURRENT。
查看字段与证据 Gate →真实密度、当前会话、操作边界
解释没有活跃记录,不制造设备
对象、影响、保留项与二次确认
回执、结果和下一步可见
registry 不可用时禁止撤销与刷新
K18 SESSION CONTROL MATRIX
八项会话变化从代码一路追到生产
PASS 表示 Auth 服务控制已实现;消费端覆盖以 K19 独立矩阵为准,也不会把本页设计稿当成产品 UI。
AUTH-SES-01RegistryDurable session livenessJWT 自证存活
auth_sessions 是 refresh/introspect/me 的在线权威;缺失、撤销、过期或不可用均 fail-closed
MySQL migration + API testsPASSAUTH-SES-02IssuancePersist before token return签名后直接返回
会话成功持久化后才向调用方返回 JWT
issue/store failure testsPASSAUTH-SES-03RevocationImmediate Auth propagation只能等待 token 到期
单会话、当前会话和其他会话撤销立即作用于 refresh/introspect/me
revoke propagation testsPASSAUTH-SES-04IsolationSubject + client inventory boundary无会话列表
只列出当前 subject 与 client 的会话;不臆造设备、IP、UA
ownership/client negative testsPASSAUTH-SES-05AuditAppend-only safe receipts无撤销回执
create/revoke/noop 写入 auth_session_events;不记录 token、IP 或 User-Agent
event table + idempotency testsPASSAUTH-SES-06CapacityActive-session bound会话数量无上限
每 subject + client 最多 20 个;始终保留最新并自动撤销最旧超额会话
cap concurrency testsPASSAUTH-SES-07MigrationBounded K17 enrollment上线会使全部已有会话失效
只允许边界后的 K17 完整 claim 首次自注册;旧 Preview token 永不补录
boundary/legacy negative testsPASSAUTH-SES-08OperationsLeast-privilege runtime运行身份与迁移职责未分离
DDL 由 operator 执行;Auth 账户仅 SELECT/INSERT/UPDATE/DELETE;readiness 检查 registry
production grants + sidecar + external smokePASSK17 SECURITY FOUNDATION
展开十项底层安全控制
Preview fail-closed、OTP abuse bound、JWT boundary、readiness 与 immutable release。+
K17 SECURITY FOUNDATION
展开十项底层安全控制
Preview fail-closed、OTP abuse bound、JWT boundary、readiness 与 immutable release。AUTH-CFG-01RuntimeProduction configuration preflight单个开关可启用 preview
环境、监听、上游、密钥、TTL、preview 组合不安全即拒绝启动
Config.Validate + ExecStartPrePASSAUTH-CFG-02RuntimeLoopback-only service*:8095
127.0.0.1:8095,只通过 Nginx TLS 暴露
EC2 socket + exact releasePASSAUTH-OTP-01ChallengePreview bypass removalallow/override/dev_code/fixed code 全开
production 四项全部关闭,phone/wallet preview unavailable
/v1/meta + negative smokePASSAUTH-OTP-02ChallengeChallenge abuse bound无创建频率与失败次数上限
每 client/kind/subject 5 次/10 分钟;单 challenge 最多 5 次失败
race tests + external negativePASSAUTH-JWT-01TokenIssuer / audience / client binding仅验 HS256 签名与 exp
固定 header、iss、aud=client、registered client、subject、sid、iat/exp
cross-audience negative testPASSAUTH-JWT-02TokenBounded session refresh过期 access token 可无明确边界刷新
1h access、24h refresh_exp,刷新保留 sid/auth_time 且不能延长总边界
refresh boundary testsPASSAUTH-API-01APISafe request/response envelopequery token、宽松 JSON、内部 URL metadata
Bearer/POST only、strict JSON、no-store、request ID、内部 URL 脱敏
handler negative tests + public metaPASSAUTH-API-02APICompatibility profile bindingcaller header 可参与 profile 选择
route 固定 client/kind;显式 browser Origin 必须在 client allowlist
profile escalation negative testPASSAUTH-OPS-01OperationsLiveness / readiness splithealth 同时混入上游状态
/healthz 只测进程;/readyz 同时要求 im-core 与 session-registry
local + external smokePASSAUTH-OPS-02OperationsHardened release runtime可变 current 目录、弱 systemd sandbox
immutable release、配置备份、回滚目录、systemd sandbox、HSTS
release 89acdf1 + service journalPASSIDENTITY SCREEN READINESS
七张 UI 按能力逐页归位
PARTIAL CURRENT 表示后端能力存在,不表示目标 UI 已在产品仓实现。会话页本刀新增的是开发蓝图,G5 仍 fail-closed。
platform-auth-signin统一登录选择
- 真实 im-core 邮箱 OTP
- client/kind/origin 边界
- 生产 Preview fail-closed
- 企业身份
- 多身份选择 UI
- 完整返回上下文 consumer evidence
platform-auth-otpOTP 验证
- challenge create/verify
- 600s TTL
- 创建限流与五次失败锁定
- 持久化/多实例 challenge
- 真实 OTP E2E artifact
- 重发/倒计时/a11y UI fixture
platform-auth-mfa强认证
没有可登记的产品能力。
- Passkey
- 认证器
- 可信设备确认
- 恢复码
- 高风险动作 step-up
platform-auth-sessions设备与会话
- MySQL durable Session Registry
- 会话列表与 current/single/others revoke
- 撤销事件回执与 20 会话上限
- K17 有界迁移
- Booking / Open Platform 下一请求传播
- K20 受控跨进程 allow→revoke→deny 见证
- 产品会话管理 UI
- 设备/IP/UA 与 im-core 联邦关联
- 其他资源服务器传播
- 签名密钥轮换
- 经授权的生产邮箱 OTP 会话旅程
platform-auth-consentScope 与授权确认
没有可登记的产品能力。
- ConsentRequest
- 逐项能力用途
- 授权期限
- 撤销回执
platform-auth-recovery账号恢复
没有可登记的产品能力。
- 可信设备恢复
- 安全等待期
- 人工复核
- 恢复状态与保留策略
platform-forbidden无权限与受限资源
- issuer/audience/client 拒绝
- Origin 拒绝
- 撤销/缺失 session_inactive
- 安全 401/403/503 envelope
- Open Platform app owner + Booking project/tenant owner
- 统一 AuthorizationDecision schema
- 访问申请
- 组织角色关系
- 全资源服务器覆盖
EXECUTABLE FLOWS
六条链路定义安全边界
Production email OTP
- Client + allowed route
- subject limiter
- im-core send/check
- login-user
- persist session
- bound JWT
Durable issue / refresh
- Verify claims
- Find active session
- Match client/subject/scopes
- Enforce refresh_exp
- Cap new exp
- Return bounded JWT
Inventory / revoke
- Authenticate current session
- List same subject + client
- Confirm impact
- Revoke one/current/others
- Append receipt
- Deny next Auth use
Release / rollback
- Exact Gitea SHA
- Operator migration
- Least-privilege preflight
- Side-port checks
- Atomic current switch
- External smoke
Consumer authorization
- Resolve client + route scope
- Introspect active session
- Bind local subject
- Check tenant / object owner
- Execute or typed deny
Cross-process revocation witness
- Start exact Auth binary
- Issue two client sessions
- Run real consumer allow
- Revoke each session
- Run next-request deny
- Verify refresh/introspection deny
G1–G8 EVIDENCE
六道通过,一道部分,一道阻断
G4 已加入 K20 的 17/17 跨进程断言;G5 仍没有产品仓 UI 证据,G8 仍缺经授权的生产邮箱 OTP 旅程,因此 Identity 不能标成 production proven。
Scope
K20 controlled journey · Auth + 2 consumer repos · 7 Screen ID impact
Static
gofmt · go vet · static build · config/store check
Unit
15 Auth race tests + two loopback witness guards · registry/revoke/migration negatives
Contract
K19 17 consumer checks + K20 17/17 cross-process assertions;two client lanes
Experience
本页为 UI fixture;7 个产品 UI 九态、visual、a11y、interaction 尚未接入
Security
preview/audience/origin/registry/ownership/revoke/legacy-enroll negatives
Release
exact SHA · additive migration · least privilege · immutable rollback
Production
精确代码受控旅程已通过;生产 release/readiness 正常;仍未获授权执行真实邮箱 OTP 用户旅程
NEXT KNIFE / K21
Approved Production Synthetic & Key Rotation
在明确授权和清理回执下执行生产邮箱 OTP synthetic,补签名密钥轮换/双钥验证,并把同一撤销契约扩展到剩余资源服务器;产品会话 UI 继续通过 visual/a11y/interaction gate。