2 Commits

Author SHA1 Message Date
f2b3393669 chore: relicense to AGPL-3.0-or-later and add SPDX headers
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.
2026-05-22 21:04:16 -04:00
9777aa7677 feat(creds): Phase 6 — MongoDB SCRAM credential capture
Plugs the cred-coverage gap for MongoDB. The template previously
parsed only the wire opcode + length and discarded the BSON body
entirely, so SCRAM-SHA-{1,256} client-proofs flowed straight through
without ever landing in the Credential table.

Adds an inline minimal BSON walker (~100 LoC) covering the 7 type
codes auth commands actually use: string, doc, array, binary, bool,
int32, int64. Hand-rolled rather than pulling pymongo as a runtime
dep — the parser is bounds-checked for untrusted-input safety
(won't loop on malformed length fields).

Wire flow MongoDB clients use for auth:
- OP_MSG body section (kind=0) → BSON doc with `saslStart` field
  carrying mechanism + payload (SCRAM client-first-message:
  "n,,n=<user>,r=<nonce>"). Username extracted, pinned to the
  per-connection _sasl_username + _sasl_mechanism state.
- Subsequent OP_MSG with `saslContinue` → SCRAM client-final-message
  ("c=biws,r=<combined>,p=<base64 client-proof>"). The `p=` value is
  the credential — emitted as secret_kind=scram_sha256 (or _sha1 /
  _unknown depending on the prior saslStart's mechanism), principal
  = the pinned username, secret_b64 = base64 of the decoded proof.

Reuse semantics: same client-proof across two auth attempts only
matches when both server salt and password were identical (proofs
include the salt). So cross-session reuse correlates only on
credential reuse against the same MongoDB account on the same decky
— honest, non-misleading signal.

680 tests pass across services, service_testing, db, web/ingester,
and core/fingerprinting (the broader scope my recent commits
touched). Phases 4, 5, 7 still pending (RDP basic-auth, SMB
NTLMSSP, RDP NLA).
2026-04-25 07:15:44 -04:00
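The bounds-checked BSON walk and the saslStart/saslContinue capture flow described in commit 9777aa7677, as an added example that is not the DECNET code. The names `walk_bson`, `scram_attrs`, `capture`, `START` and `FINAL` are hypothetical, the OP_MSG framing is assumed to be already stripped so that only the kind=0 BSON body is passed in, and the sample bytes are constructed.

```python
import base64
import struct

SIZES = {0x08: 1, 0x10: 4, 0x12: 8}           # bool, int32, int64: fixed width
EXTRA = {0x02: 4, 0x03: 0, 0x04: 0, 0x05: 5}  # string, doc, array, binary: bytes besides the length value

def walk_bson(buf: bytes, depth: int = 0) -> dict:
    """Decode one BSON document; every length is checked against the buffer."""
    if depth > 8 or len(buf) < 5 or struct.unpack_from("<i", buf)[0] != len(buf) or buf[-1]:
        raise ValueError("bad document framing")
    out, pos, end = {}, 4, len(buf) - 1
    while pos < end:
        kind, nul = buf[pos], buf.find(b"\x00", pos + 1, end)
        if nul < 0 or (kind not in SIZES and kind not in EXTRA):
            raise ValueError("unterminated name or unsupported type")
        name, pos = buf[pos + 1:nul].decode("utf-8", "replace"), nul + 1
        size = SIZES.get(kind, 5)  # 5 = smallest legal length-prefixed value
        if kind in EXTRA and pos + 4 <= end:
            size = EXTRA[kind] + struct.unpack_from("<i", buf, pos)[0]
        if size < SIZES.get(kind, 5) or pos + size > end:
            raise ValueError("length field outside document")
        raw = buf[pos:pos + size]
        out[name] = (walk_bson(raw, depth + 1) if kind in (0x03, 0x04) else
                     raw[4:-1].decode("utf-8", "replace") if kind == 0x02 else
                     raw[5:] if kind == 0x05 else int.from_bytes(raw, "little", signed=True))
        pos += size  # always advances, so a malformed length cannot loop
    return out

def scram_attrs(payload) -> dict:
    """Split a SCRAM message such as b"n,,n=user,r=nonce" into attr -> value."""
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else ""
    return dict(part.split("=", 1) for part in text.split(",") if "=" in part)

def capture(state: dict, cmd: dict):
    """Pin user/mechanism on saslStart; return a credential record on saslContinue."""
    attrs = scram_attrs(cmd.get("payload"))
    if "saslStart" in cmd:
        state.update(mech=str(cmd.get("mechanism")), user=attrs.get("n"))
    elif "saslContinue" in cmd and "p" in attrs:
        kinds = {"SCRAM-SHA-256": "scram_sha256", "SCRAM-SHA-1": "scram_sha1"}
        proof = base64.b64decode(attrs["p"])  # ValueError on bad padding
        return {"secret_kind": kinds.get(state.get("mech"), "scram_unknown"),
                "principal": state.get("user"), "secret_b64": base64.b64encode(proof).decode()}

# Constructed samples (made-up user, nonce and proof), written out as raw BSON bytes.
START = (b"\x52\x00\x00\x00\x10saslStart\x00\x01\x00\x00\x00\x02mechanism\x00\x0e\x00\x00\x00"
         b"SCRAM-SHA-256\x00\x05payload\x00\x13\x00\x00\x00\x00n,,n=alice,r=abc123\x00")
FINAL = (b"\x42\x00\x00\x00\x10saslContinue\x00\x01\x00\x00\x00\x05payload\x00\x1d\x00\x00\x00"
         b"\x00c=biws,r=abc123xyz,p=cHJvb2Y=\x00")
```

`state` is one dict per connection; the principal is returned with SCRAM's `=2C`/`=3D` username escapes still in place.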