DECNET

anti/DECNET

Fork 0

Commit Graph

Author	SHA1	Message	Date
anti	b26dd8f529	feat(canary): API-trashing defense — 4-layer fingerprint validation Adds per-mint nonce gating, structural shape validation, mint UUID consistency checks, and a per-(token, IP) rate limiter to the canary worker so attackers who extract a canary from a decky filesystem cannot poison fingerprint forensics by replaying or forging ?d= submissions. Changes: base.py fingerprint_nonce: Optional[str] added to CanaryArtifact so generators can surface the nonce to the cultivator without coupling the generator directly to DB code. obfuscator.py nonce_for(callback_token, mint_uuid): HMAC-SHA256 keyed on DECNET_CANARY_FINGERPRINT_SECRET, truncated to 16 hex chars. FingerprintSecretMissing raised at mint time if env var is unset. render_fingerprint_js() now accepts nonce= and substitutes MINT_NONCE. fingerprint_payload.js New MINT_NONCE placeholder. Appended as &k= on all beacon URLs (bare-open, single-shot, chunked). Using &k= avoids colliding with &n= (chunk total). fingerprint_html.py / fingerprint_svg.py Derive nonce via nonce_for() and pass to render_fingerprint_js(). Set artifact.fingerprint_nonce so the cultivator can persist it. cultivator.py Passes fingerprint_nonce into create_canary_token() when present on the artifact; NULL for all non-fingerprint generators. canary.py (model) fingerprint_nonce: Optional[str] = Field(default=None, max_length=16) added to CanaryToken. None for non-fingerprint tokens. worker.py _extract_fingerprint now returns (meta_dict, parsed_fp) tuple. _record_hit accepts parsed_fp + raw_nonce and runs 4 layers after token lookup: nonce match, shape check, mint UUID consistency, rate limit. Each failure sets _fp_invalid_* flag and drops structured _fp. Trigger row always lands regardless. tests/canary/conftest.py Session-scoped autouse fixture sets DECNET_CANARY_FINGERPRINT_SECRET so fingerprint generator and worker tests work offline. tests 5 new worker HTTP tests and 2 new generator tests covering each validation layer.	2026-04-29 17:41:04 -04:00
anti	3fe999d706	feat(canary): allow custom canaries on MazeNET deckies via API POST /api/v1/canary/tokens grows an optional topology_id field. When present, the server hydrates the topology, validates the named decky is in it, and resolves the docker container via planter.resolve_topology_container — <name>-ssh if the decky exposes ssh, else the topology base container. Absent ⇒ fleet semantics, unchanged. The token row gets a nullable topology_id column (no migration helper per pre-v1 policy). GET /api/v1/canary/tokens accepts ?topology_id= as a filter. DELETE re-resolves the container at revoke time so a redeployed topology is still reachable. 422 when the named decky isn't in the topology; 404 when the topology itself doesn't exist.	2026-04-28 22:34:45 -04:00
anti	862e4dbb31	merge: testing → main (reconcile 2-week divergence)	2026-04-28 18:36:00 -04:00

Author

SHA1

Message

Date

anti

b26dd8f529

feat(canary): API-trashing defense — 4-layer fingerprint validation

Adds per-mint nonce gating, structural shape validation, mint UUID
consistency checks, and a per-(token, IP) rate limiter to the canary
worker so attackers who extract a canary from a decky filesystem cannot
poison fingerprint forensics by replaying or forging ?d= submissions.

Changes:

base.py
  fingerprint_nonce: Optional[str] added to CanaryArtifact so generators
  can surface the nonce to the cultivator without coupling the generator
  directly to DB code.

obfuscator.py
  nonce_for(callback_token, mint_uuid): HMAC-SHA256 keyed on
  DECNET_CANARY_FINGERPRINT_SECRET, truncated to 16 hex chars.
  FingerprintSecretMissing raised at mint time if env var is unset.
  render_fingerprint_js() now accepts nonce= and substitutes MINT_NONCE.

fingerprint_payload.js
  New MINT_NONCE placeholder. Appended as &k= on all beacon URLs (bare-open,
  single-shot, chunked). Using &k= avoids colliding with &n= (chunk total).

fingerprint_html.py / fingerprint_svg.py
  Derive nonce via nonce_for() and pass to render_fingerprint_js(). Set
  artifact.fingerprint_nonce so the cultivator can persist it.

cultivator.py
  Passes fingerprint_nonce into create_canary_token() when present on the
  artifact; NULL for all non-fingerprint generators.

canary.py (model)
  fingerprint_nonce: Optional[str] = Field(default=None, max_length=16)
  added to CanaryToken. None for non-fingerprint tokens.

worker.py
  _extract_fingerprint now returns (meta_dict, parsed_fp) tuple.
  _record_hit accepts parsed_fp + raw_nonce and runs 4 layers after
  token lookup: nonce match, shape check, mint UUID consistency, rate limit.
  Each failure sets _fp_invalid_* flag and drops structured _fp.
  Trigger row always lands regardless.

tests/canary/conftest.py
  Session-scoped autouse fixture sets DECNET_CANARY_FINGERPRINT_SECRET so
  fingerprint generator and worker tests work offline.

tests
  5 new worker HTTP tests and 2 new generator tests covering each
  validation layer.

2026-04-29 17:41:04 -04:00

anti

3fe999d706

feat(canary): allow custom canaries on MazeNET deckies via API

POST /api/v1/canary/tokens grows an optional topology_id field.  When
present, the server hydrates the topology, validates the named decky is
in it, and resolves the docker container via
planter.resolve_topology_container — <name>-ssh if the decky exposes ssh,
else the topology base container.  Absent ⇒ fleet semantics, unchanged.

The token row gets a nullable topology_id column (no migration helper
per pre-v1 policy).  GET /api/v1/canary/tokens accepts ?topology_id= as
a filter.  DELETE re-resolves the container at revoke time so a
redeployed topology is still reachable.

422 when the named decky isn't in the topology; 404 when the topology
itself doesn't exist.

2026-04-28 22:34:45 -04:00

anti

862e4dbb31

merge: testing → main (reconcile 2-week divergence)

2026-04-28 18:36:00 -04:00

3 Commits