Pulse

vrr/Pulse

Fork 0

mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-28 19:41:17 +00:00

Commit graph

Author	SHA1	Message	Date
rcourtman	b7a94bad9f	security: fix websocket scope and agent impersonation 1. Enforce monitoring:read scope on WebSocket upgrades - Prevents low-privilege tokens (e.g. host-agent:report) from accessing full infra state via requestData on the main WebSocket. 2. Enforce agent token binding to prevent impersonation - Added Metadata field to APITokenRecord to support bound_agent_id - Updated agentexec server to validate token-to-agent binding if present - Prevents agent:exec tokens from registering as arbitrary agent IDs	2026-02-03 20:40:08 +00:00
rcourtman	30f01771ac	Add meaningful tests for host agent and exec websocket	2025-12-17 17:02:01 +00:00

Author

SHA1

Message

Date

rcourtman

b7a94bad9f

security: fix websocket scope and agent impersonation

1. Enforce monitoring:read scope on WebSocket upgrades
   - Prevents low-privilege tokens (e.g. host-agent:report) from accessing
     full infra state via requestData on the main WebSocket.

2. Enforce agent token binding to prevent impersonation
   - Added Metadata field to APITokenRecord to support bound_agent_id
   - Updated agentexec server to validate token-to-agent binding if present
   - Prevents agent:exec tokens from registering as arbitrary agent IDs

2026-02-03 20:40:08 +00:00

rcourtman

30f01771ac

Add meaningful tests for host agent and exec websocket

2025-12-17 17:02:01 +00:00

2 commits