v0.3.0-rc1: military-grade hardening — 12 streams, 3 ship-blockers closed#2
Merged
Conversation
Wave 1 of v0.3.0 developer-experience work. The goal: SQLite-style
"single binary, zero config" first-time-user experience pushed up to
the level Lattice OS / Maven OS / Palantir AIP currently occupy.
Code:
- New `orp doctor` subcommand at `crates/orp-core/src/cli/doctor.rs`
with six green/yellow/red preflight checks: protoc on PATH, DuckDB
and RocksDB writability, server port free, config validation, and
optional --https-url cert chain probe. Wired into args.rs / main.rs.
7 unit tests covering rank ordering, builder pattern, missing config,
non-HTTPS rejection, path parent resolution. Adds `which = "6"` and
`reqwest = { features = ["blocking"] }` to orp-core/Cargo.toml.
Docs:
- docs/QUICKSTART.md — 10-minute "from zero to ingesting your own data"
guide. Six concrete sections, every command verified against the binary.
- docs/RECIPES.md — eight copy-paste recipes (AIS, Zeek, MAVLink, ADS-B,
Modbus, audit-log export, federation, continuous alerts).
- docs/CONFIG.md — reference for every config field with type / default /
env var / CLI flag / semantic description, generated against schema.rs
and args.rs. Includes a worked production-style YAML example.
Examples (each with its own README + run.sh that's `set -euo pipefail`):
- examples/quickstart-ais/ — boots --in-memory, ingests vessels.json,
runs three .orpql queries, tears down.
- examples/two-node-federation/ — two localhost nodes peered together
with ORP_FED_BASE_INTERVAL_SECS=5; plus a docker-compose.yml variant.
- examples/saved-queries/ — pattern for keeping .orpql files in version
control + monitor-rule registration.
- examples/adapter-config/ — annotated config.yaml with six adapters
(aisstream / adsb / mavlink / modbus / zeek / http_poll).
README polish:
- Three-line elevator pitch, 30-second demo transcript (placeholder for
the eventual GIF), "what slot does this fill?" comparison table vs
SQLite / Postgres / Lattice OS / Maven OS / Anduril, documentation map
pointing at all the new docs and examples.
Verified:
- `cargo build -p orp-core` ✓
- `./target/debug/orp doctor` runs all six checks ✓
- `cargo test -p orp-core doctor` — 7/7 tests pass ✓
- `cargo fmt --all -- --check` ✓
- `bash -n` on install.sh + every examples/*/run.sh ✓
- `orp --help` / `orp doctor --help` / `orp start --help` clean output ✓
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three audit findings hardened in `crates/orp-core/src/server/notifications.rs`: * [Critical] SSRF — webhook/Slack/Telegram channels POST'd to user-supplied URLs with no guard. Extracted the validate-then-pin SSRF helpers (`is_url_safe`, `safe_resolve_with`, `build_safe_client`, `HostResolver`) out of the HTTP poller into a shared `orp-security::url_safety` module so every outbound HTTP target now goes through the same DNS-rebinding-resistant primitive. Added a per-channel `allow_private_targets` bool (default false) for legitimate localhost integrations. http_poller.rs now imports the helpers from orp-security. * [High] Retry jitter + circuit breaker — retry sleeps now apply ±25% cryptographically-seeded jitter via `OsRng::gen_range` (not thread_rng; this is security-relevant timing). New per-channel circuit breaker: configurable threshold (default 5 consecutive failures) trips a configurable cooldown (default 5 min); during cooldown the channel is short-circuited with one warn log + audit entry. Successful sends reset the counter. * [High] Bounded audit log — `NotificationAuditLog.entries` is now a `VecDeque<NotificationAttempt>` capped at `MAX_AUDIT_ENTRIES = 10_000`. Oldest entries are popped on overflow with a rate-limited warn (≤1/min). Added `recent(n)` for diagnostics consumers. Also fixed a pre-existing `clippy::collapsible_else_if` in `crates/orp-core/src/cli/commands.rs` that was blocking `cargo clippy --all --all-features -- -D warnings`. Tests: orp-security 114 (+17 url_safety, moved from orp-connector), orp-connector 618, orp-core 167 (+9 new — SSRF guard for loopback/metadata, opt-in bypass, jitter bounds, jitter non-constant, breaker open after N, breaker close after cooldown, audit log overflow drops oldest, recent() returns newest-first). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…xport verification
Wave 1 of v0.3.0 hardening: the audit log was a Vec ring buffer that
vanished on restart. This wave moves it onto DuckDB while preserving the
Ed25519 signing chain. Restart now replays the chain head from the last
persisted row, so prev_hash linkage continues across processes.
- New `AuditLogger` trait with two backends:
* `PersistentAuditLog` (DuckDB; production default) — shares the
storage `Arc<Mutex<Connection>>`, holds a tokio Mutex around the
SELECT-prev/INSERT-new critical section, and wraps each append in a
BEGIN/COMMIT transaction so power loss leaves the chain intact at
the last fully committed seq.
* `InMemoryAuditLog` (volatile; `--in-memory`, tests) — identical
hash + signature pipeline so behavioural tests written against one
apply to the other.
- Canonical pre-image `seq||ts||op||entity_type||entity_id||user_id||json`
is hashed with SHA-256 (existing dep — kept consistent with the
v0.2.0 chain that storage::log_audit was already producing). The
signature column finally carries an Ed25519 sig over the *exact*
content_hash that gets stored — replacing v0.2.0's pre-image with a
`?` placeholder, which was unverifiable.
- `orp audit verify --db <path> --public-key <hex>` walks the chain
end-to-end and exits non-zero on any mismatch, naming the offending
seq. `ORP_AUDIT_PUBKEY` provides the same key out-of-band.
- `orp audit export --db <path> --out <path>` streams JSONL with
`{seq, ts, actor, action, target, payload, prev_hash_hex, hash_hex,
signature_hex, verified}` per row. Without `--public-key` `verified`
reports `false` for every row — chain hash is still recomputed.
- `DuckDbStorage::connection()` exposes the shared connection so peer
crates can layer on top without opening a second handle.
- `AppState.audit_log: Arc<dyn AuditLogger>` is now the single audit
write path; `handlers::audit_log()` routes through it.
Tests (orp-audit, all green):
- append → close → reopen → continued chain verifies
- payload corrupted via raw SQL → verify_chain returns `ChainCorrupt {
seq: 1 }`
- 10 threads × 100 concurrent appends → 1000 rows, sequence numbers
contiguous, chain verifies
- export → parse JSONL back → every line independently verifies
- export without pubkey marks `verified: false`
- end-to-end cli_smoke integration test
cargo fmt --all + cargo clippy --all --all-features -- -D warnings
clean across orp-audit and orp-core; pre-existing warnings in
orp-proto / orp-ml / orp-config / orp-security / orp-geospatial /
orp-connector left in place (out of scope).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…er + circuit breaker + bounded audit
…replay + verify/export CLI # Conflicts: # crates/orp-core/src/cli/args.rs
…cate-PK bug ingest.rs:363 was the last production caller of Storage::log_audit after B's audit-persist refactor. With state.audit_log.record() also writing to the audit_log table, both writers raced for the same seq PK. Swap ingest to the trait path; resolver.rs:262 in orp-entity is the remaining caller (needs constructor plumbing — tracked as Wave 2 follow-up). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ion + useless format! Clippy 1.91 rejected continuation lines on numbered list items in doc comments (lines 199-200, 224-225, 246-247, 263-266) and one bare format! without args (239). I's agent shipped these against an older clippy; the fixes are pure formatting — no behavior change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…e+sort OnlineQuantileScorer::score previously cloned the entire 2048-sample buffer and sorted it on every call, under a single std::sync::Mutex held across the sort. With D≈8 features and N up to 2048 that was O(D × N log N) per event blocking the tokio worker — flagged in the v0.2.0 audit as the stream pipeline's headline bottleneck at 1k events/sec. Refactor: - New QuantileEstimator: BTreeMap<u32, count> keyed by a totally-ordered bit-encoding of f32 (negative-bit invert, non-negative sign-flip, NaN filtered on insert), plus a parallel VecDeque<f32> for FIFO eviction. insert() is O(log K) where K is distinct-value count; quantile() is a cumulative-count walk that returns at the target rank — no clone, no sort, no allocation per call. - Per-axis Mutex<QuantileEstimator> instead of one global lock over a Vec<Vec<f32>>. Disjoint axes now score in parallel; only same-axis contenders serialise, and the critical section is just insert + walk. - Two-sided envelope [p0.25, p99.75] computed *before* folding the new sample so an extreme value cannot contaminate its own envelope. Tests: - test_quantile_estimator_correct: 10 000 random f32, q=0.5 within 1% of sort-based truth. - test_quantile_estimator_bounded_memory: order, count-sum and distinct-key count all stay <= max_size after max_size+1 inserts. - test_quantile_estimator_bit_encoding_orders_correctly: spot-check total ordering across negative/zero/positive/subnormal/large. - test_quantile_estimator_handles_duplicates: 100x same value collapses to one key with count 100, all quantiles return that value. - test_quantile_estimator_eviction_is_fifo: FIFO eviction order verified. - test_score_no_clone_no_sort: static-source assertion that .clone() / .sort_by( / .sort_unstable( do not appear inside the OnlineQuantileScorer impl block — protects against regression. - test_score_concurrent: 8 threads x 1000 calls share a scorer with no panic, every score in [0, 100], post-contention outlier saturates. Bench (criterion, --quick on aarch64-apple-darwin): warmup=0 ~47 us/call ~21 Kelem/s warmup=64 ~57 us/call ~17 Kelem/s warmup=2048 ~48 us/call ~21 Kelem/s Steady-state cost is independent of fill level — confirms the O(log N) per-call invariant. Public API (AnomalyScorer trait) is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…sAuth claims propagation Replaces v0.2.0 path that validated JWT signature but discarded claims and hardcoded user-id to 'ws-client' with permissions ['admin']. Now: Claims sub/permissions/org_id flow through handle_socket; ABAC checks see real identity; permissive_mode keeps an explicit dev carve-out + warn-log. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…e/sort under lock, +33 tests
…s the v0.2.0 hardcoded ws-client+admin path
…HashSet<u32> index)
* Async I/O on load/reload paths: tokio::fs::read_to_string + tokio::task::spawn_blocking
for parsing, so the ~50 MB OFAC SDN load no longer blocks a tokio worker on startup.
* Trigram index built at load (HashMap<3-char, HashSet<u32>>) over normalized primary
names + aliases.
* Fuzzy name path now narrowed via candidate_indices(): query trigrams gather candidate
entry indices, count required hits via overlap_ratio (default 0.3), Levenshtein runs
only on the candidate set. Empirically <100 candidates from 1000 entries for a typical
sanctioned-name query.
* Fallback for queries shorter than TRIGRAM_MIN_QUERY_LEN (4 chars): scan all indexed
entries (insufficient trigram signal to filter safely).
* Tests added in crates/orp-stream/src/sanctions.rs:
- test_load_uses_tokio_fs (single-thread runtime ticker proxy for non-blocking I/O)
- test_load_under_concurrent_load (multi-thread, 100 concurrent check tasks vs load)
- test_trigram_filter_reduces_candidates (1000 fixture entries, query 'ABRAHAM' < 100)
- test_trigram_filter_does_not_miss_close_match ('Mohammad'/'Muhammad', 1-char diff)
- trigrams_basic, trigrams_too_short.
Implementation choice: HashSet<u32> for the per-trigram entry set (no roaring dep added).
Validation: cargo fmt --check passed pre-commit; clippy + cargo test deferred to
integrator on a quiet system (paused with 13+ concurrent cargo procs and load avg ~70).
Addresses orp-S8 spec: Critical-High async I/O fix (blocks tokio worker on 50MB SDN
load) + perf fix (linear scan over 13K entries × 1K QPS = 13M Levenshtein/sec
single-core capped).
Working in git worktrees on the Sony external drive (exFAT/HFS+) creates hundreds of these per Finder access. Without ignoring them, `git add -A` in any worktree commits ~200 spurious files. orp-S8 caught this manually via `git status --untracked-files=no` — the .gitignore rule makes the discipline automatic. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…uzzy match (HashSet<u32> index)
…swords
Two High-severity audit findings (G/Wave-1B). Both swap a non-cryptographic
`rand::thread_rng()` for the OS CSPRNG (`OsRng`), where the predictable
internal state of `thread_rng` was the actual exposure.
CSRF state (oidc.rs):
- `generate_csrf_state()` now draws 32 random bytes via `OsRng::fill_bytes`
(was 16 bytes via `thread_rng().gen()`) and emits 43-char URL-safe base64
(was 32-char hex). The state guards `/auth/callback` against forged
callbacks; predictable values enable CSRF on the auth-code flow.
- New regression test `test_csrf_state_uses_osrng_high_entropy`: 1000-iter
no-collision check + URL-safe-base64 format check + 32-byte decode check.
Password hashing (users.rs):
- Replace SHA-256+salt with Argon2id (`argon2 = "0.5"`) using OWASP-2023
floor parameters: m=19456 KiB (~19 MiB), t=2, p=1. Stored as the standard
PHC string so cost params can be tuned per-row without a schema migration.
- Salt is `SaltString::generate(&mut OsRng)`; `verify_password` uses
argon2's constant-time `verify_password` and returns `false` for malformed
PHC strings (incl. legacy `$sha256$...` rows from the pre-migration era).
- `hash_password` now returns `Result<String, anyhow::Error>`; the single
call site (`UserRegistry::create`) maps via new `UserError::Hash(String)`.
- Tests: `test_password_argon2id_roundtrip` (correct/wrong/empty),
`test_password_phc_format` (asserts exact PHC prefix encoding the floor
params), `test_password_unique_salts` (fresh salt per call),
`test_password_legacy_format_rejected` (graceful rejection of legacy
rows + non-PHC strings).
Drive-by clippy fixes — both pre-existing in master, unrelated to this
change but blocking the `-D warnings` gate:
- notifications.rs:1034: `let app = ...` was unused in the test; renamed
to `_app` to make the unused-result intent explicit.
- commands.rs:785: collapse `else { if .. }` into `else if`
(clippy::collapsible_else_if).
Validation (CARGO_TARGET_DIR=/Volumes/Sony/orp-target/csrf-pwd):
- cargo fmt — clean
- cargo clippy -p orp-security -p orp-core --all-features --tests
-- -D warnings → 0 warnings/errors
- cargo test -p orp-security → 98 passed, 0 failed (incl. new CSRF test)
- cargo test -p orp-core → 158 passed, 0 failed (incl. all 4 pwd tests)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…S256) — closes ship-blocker
Previously `OidcClient::validate_token` ignored `jwks_uri` from the
discovery doc and only delegated to the local HS256 `JwtService`,
which doesn't have the IdP's keys. Any deployment using OIDC was
silently passing — no real verification of provider tokens happened.
This change adds proper JWKS-backed verification:
- `OidcClient::refresh_jwks` fetches keys from `discovery.jwks_uri`
and caches them by `kid` behind an `Arc<RwLock<JwksCache>>`
- `validate_external_token`:
- decodes the JWT header for `alg` + `kid`
- pins alg to RS256/ES256/EdDSA (HS256 explicitly rejected on this
path to block alg-confusion)
- looks up the JWK by `kid`, refreshing once on cache miss
- cross-checks header alg against the JWK's algorithm family
- decodes via `DecodingKey::from_jwk` with iss/aud/exp/nbf/sub
enforcement
- `IdpClaims` accepts the looser claim shape real IdPs emit
(string-or-array `aud`, optional `nbf`/`iat`, scope-fallback for
permissions) and projects into the strict internal `Claims`
`OidcValidator` is a new multi-IdP router: tokens are routed by
`iss` to the matching `OidcClient`. HS256 routes to a legacy
`JwtService` fallback (so existing internal API tokens keep
working). Tokens with unknown `iss` are rejected — no silent fall-
back to legacy.
`AuthState` gains an `oidc_validator` field. The Axum middleware
prefers it over the legacy `jwt_service` when set.
Tests (11 new, all in `oidc::tests`):
test_oidc_validates_real_jwt
test_oidc_rejects_kid_not_in_jwks
test_oidc_rejects_alg_mismatch
test_oidc_rejects_alg_none
test_oidc_jwks_refresh_on_kid_miss
test_oidc_jwks_ttl
test_oidc_iss_aud_validation
test_validator_routes_by_issuer
test_validator_rejects_unknown_issuer
test_validator_legacy_hs256_fallback
test_validator_rejects_hs256_when_no_legacy
Tests use a tiny tokio TCP mock IdP that serves both
.well-known/openid-configuration and /jwks, with a fixed RSA
keypair embedded as test data (sourced from jsonwebtoken 9.3.1's
test fixtures — public values).
JWK API: `jsonwebtoken::DecodingKey::from_jwk(&Jwk)` with
`jsonwebtoken::jwk::{Jwk, JwkSet, AlgorithmParameters}` for
parameter-family matching.
Multi-IdP: `OidcValidator::new().with_provider(...).with_provider(...).with_legacy_jwt(...)`
attaches N IdP clients and an optional HS256 fallback.
HS256-legacy backward-compat: `AuthState::production` keeps the old
`jwt_service`-only path. New `AuthState::production_with_oidc`
takes an `OidcValidator`. Operators migrate by switching the
constructor; in-flight HS256 tokens continue to validate via
`with_legacy_jwt(jwt_service)` until decommissioned.
Docs: `docs/OIDC.md` has end-to-end Keycloak/Auth0/Okta/Azure AD
setup, the HS256-legacy vs OIDC distinction, and operational notes
(JWKS TTL, max-staleness, alg pinning, failure modes).
Gates: cargo fmt clean; cargo clippy -p orp-security --all-features
--tests -- -D warnings clean; cargo test -p orp-security
(108 passed, 0 failed); cargo test -p orp-core (158 passed,
0 failed).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…HSTS + orp gen-cert
Replaces the plain `axum::serve` listener with an `axum_server::bind_rustls`
HTTPS server when `--tls-cert` and `--tls-key` are passed, closing the
inbound-TLS gap that the v0.2.0 crypto audit flagged as a ship blocker.
What is in this change
- `crates/orp-core/src/server/http.rs`: new `TlsConfig`, `start_server`
branches between HTTPS (rustls + ring, TLS 1.2/1.3 only) and a plain-HTTP
fallback that emits a startup `WARN` so operators can't miss a misconfig.
Both branches now use `into_make_service_with_connect_info::<SocketAddr>()`
so the per-IP rate limiter sees the real peer address (it didn't before).
- mTLS: `--tls-client-ca <PEM bundle>` flips rustls into client-cert
required mode via `WebPkiClientVerifier`. No app-layer error — failures
happen during handshake.
- HSTS: `Strict-Transport-Security: max-age=31536000` is auto-attached on
every response when TLS is active. `includeSubDomains`/`preload` left to
operators (domain-scoped commitments).
- `--redirect-http <PORT>`: spawns a tiny background axum listener that
301-redirects every plain-HTTP request to the HTTPS origin (preserving
Host minus port).
- New `orp gen-cert` subcommand (rcgen-backed) that writes self-signed
`cert.pem` + `key.pem` for dev/test. Writes the key with mode 0600 on
Unix. Refuses to overwrite without `--force`.
- `docs/TLS.md`: full operator guide covering self-signed dev, Let's
Encrypt (HTTP-01 / DNS-01 / renewal hooks), corporate / private PKI
(Vault, smallstep), mTLS, HSTS, and a troubleshooting matrix.
Tests (in `server::http::tls_tests`)
- `test_tls_server_serves_https`: rcgen cert → reqwest `danger_accept_
invalid_certs` → 200 on /health.
- `test_tls_rejects_http`: plain HTTP to a TLS port fails at the protocol
level.
- `test_hsts_header`: TLS responses carry `Strict-Transport-Security`.
- `test_mtls_requires_client_cert`: client without a cert is rejected at
the handshake when `--tls-client-ca` is set.
Drive-by fixes
- `server/notifications.rs`: drop an unused `app` binding in
`test_api_register_then_list` (clippy `unused_variables`).
- `cli/commands.rs`: collapse a nested `else { if … }` in the status
indicator (clippy `collapsible_else_if`).
Dependencies
- Adds `axum-server = { default-features = false, features = [
"tls-rustls-no-provider"] }` to keep the crypto provider explicit and
avoid the implicit `aws-lc-rs` feature pull.
- Adds `rustls = { default-features = false, features = ["ring", "std",
"tls12"] }`, `rustls-pemfile`, and `rcgen = { default-features = false,
features = ["pem", "ring"] }`.
- Adds `tower-http` `set-header` feature in the workspace manifest.
- Test deps: `reqwest` (rustls-tls), `tempfile`, `tokio` `test-util`.
Validation: `cargo fmt --check`, `cargo clippy -p orp-core --tests --
-D warnings`, and `cargo test -p orp-core` (162 passed, including the 4
new TLS tests) all green on rustc 1.91.1.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces the SHA-256-unsalted in-memory `HashMap<key_hash, record>`
scheme in `orp-security::api_keys` with:
* **Argon2id** PHC-string hashes (m=19 MiB, t=2, p=1 — OWASP 2023).
* A `KeyStore` trait with two implementations:
- `InMemoryKeyStore` (tests, dev mode, `--in-memory`).
- `DuckDbKeyStore` (production) — keys survive process restarts on
a sibling auth DB next to the main `storage.duckdb` path.
* A `--bootstrap-admin-key <RAW_KEY>` CLI flag on `orp start`.
When the `api_keys` table is empty:
- flag set → operator-supplied key is hashed and persisted;
- flag unset → ORP generates a random 32-byte plaintext, stores
only the Argon2id PHC, and prints the raw value to **stderr**
exactly once (it is never written via `tracing` / `info!`).
Subsequent boots ignore the flag and warn.
The `key_hash` field on `ApiKeyRecord` is preserved as an empty string
for serde back-compat; PHC strings stay inside the keystore module.
Tests (13 new in `orp-security::keystore`):
* PHC roundtrip + salt-randomness;
* `InMemoryKeyStore`: insert/verify, wrong-plaintext, unknown-id,
revoke-then-verify, mark_used;
* `DuckDbKeyStore`: persistence-across-reopen (tempfile),
revoke-then-lookup, mark_used updates last_used_at,
wrong-plaintext, unknown-id, list/count.
Test counts (cargo test -p orp-security -p orp-storage -p orp-core):
* orp-core: 158 passed / 0 failed
* orp-security: 112 passed / 0 failed (incl. 13 new keystore tests)
* orp-storage: 57 passed / 0 failed
* doctests: 3 passed / 2 ignored
Gates: `cargo fmt --check`, `cargo clippy ... -- -D warnings`, and
`cargo test` all pass on `feat/v0.3.0-argon2-keystore`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…+ confidence cap
Closes the v0.2.0 federation ship-blocker: any host that could reach the
federation port could spoof a peer or override local truth by sending
confidence=1.0 for every entity. v0.3.0 adds a layered defence:
- mTLS — dedicated axum-server::tls_rustls listener (default 9443)
that requires every connecting peer to present a client certificate
signed by --federation-ca. rustls-only, no native-tls.
- Ed25519 signed envelope — every push wraps the payload in a
SignedFederationEnvelope (sender, seq, timestamp, payload, sig)
verified against the peer's pinned signing_pubkey. Mid-channel TLS
termination cannot forge messages.
- Replay resistance — per-sender monotonic seq + ±5 min timestamp
window. ReplayTracker rejects seq <= last_seen.
- Confidence cap — receiver clamps incoming confidence to
min(incoming, peer.max_confidence_cap, 1.0); default cap 0.9 keeps
every peer-sourced entity strictly below a perfectly-trusted local
observation.
Backward compatible: every control is gated on `federation.tls.enabled`
(default false) and per-peer trust spec (default None). A v0.2.0 cluster
keeps working; flip the switches once every node is on v0.3.0.
CLI:
--federation-tls / ORP_FED_TLS
--federation-cert / ORP_FED_CERT
--federation-key / ORP_FED_KEY
--federation-ca / ORP_FED_CA
--federation-tls-listen / ORP_FED_TLS_LISTEN (default 0.0.0.0:9443)
--federation-signing-key / ORP_FED_SIGNING_KEY
--node-id / ORP_NODE_ID
Tests (18 new + 13 federation tests + 145 other orp-core tests pass):
- canonical JSON sorts object keys, preserves arrays
- seal/verify round trip
- verify rejects tampered payload, wrong key
- replay tracker rejects repeat/lower seq, separates peers
- timestamp skew rejected outside ±5 min
- pubkey decode accepts hex + base64, rejects wrong length
- confidence cap default + clamps to [0, 1]
- outbound seq monotonic per peer
- mTLS happy-path round trip
- mTLS rejects untrusted client cert (different CA)
- mTLS rejects plaintext client
- signed envelope + replay + confidence-cap end-to-end
Docs: docs/FEDERATION_TLS.md walks through threat model, rcgen + OpenSSL
cert generation, signing-key generation, config reference, and failure
modes operators should expect.
Gates: cargo fmt --all, cargo clippy -p orp-core --tests --bin orp -- -D
warnings, cargo test -p orp-core --bin orp (176 passed), cargo test -p
orp-security (3 passed) — all green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Stand up a workspace-wide criterion bench harness covering the v0.3.0
hot paths called out in project_orp_perf_hotpath.md, and capture
post-v0.2.0 baseline numbers for regression tracking.
Added benches (all use Throughput::{Bytes,Elements} so output is
human-readable; runtime-generated fixtures so there's no on-disk data
drift):
- crates/orp-connector/benches/parsers.rs
* NMEA RMC/GGA/VTG (10k mixed sentences)
* AIS msg types 1, 4, 5, 9, 18, 27 (10k AIVDM frames) plus an
isolated 6-bit-decoder bench so we can spot regressions in the
bit-buffer separately from the NMEA framing
* CoT XML — typical ~1KB MIL-STD-2525 message x10k
* MAVLink v2 HEARTBEAT + GLOBAL_POSITION_INT decode x10k
* GRIB Section 7 unpack (template 5.0, 16-bit packed) x10k
- crates/orp-storage/benches/duckdb_writes.rs
* single-thread 1k entities x 3 props
* 4-thread concurrent 1k entities x 3 props (exposes the
Mutex<Connection> serialisation hot path)
* 100 entities x 10 props (exposes the per-property INSERT loop)
- crates/orp-storage/benches/duckdb_queries.rs
* point lookup by entity_id against a 100k-row dataset
(1M with ORP_BENCH_LARGE=1)
* type-filtered range query w/ LIMIT 1000
* 50 km haversine radius query
- crates/orp-stream/benches/dlq.rs
* 10k DLQ enqueues, 10k drains, 4-producer/4-drainer concurrent
- crates/orp-stream/benches/processor.rs
* end-to-end pipeline: dedup -> sign -> buffer -> DuckDB flush
(1k position events, NullScorer)
- crates/orp-query/benches/qparse.rs
* 100 representative ORP-QL queries spanning simple/aggregate/
relationship/geo/conjunction shapes
Wiring:
- workspace dev-dep entries for criterion 0.5 + tempfile 3 in the
root Cargo.toml so each crate pulls them via { workspace = true }
- per-crate [[bench]] entries with harness = false
- orp-testbed switched to the workspace dev-deps for consistency
- README.md gets a top-level "Benchmarks" pointer
- docs/BENCHES.md — how to run, when to run, regression policy
(10% threshold), and how to add a new bench
- benches/baseline.md — post-v0.2.0 quick-mode parser numbers
(NMEA 78 MiB/s, AIS 57 MiB/s, CoT 167 MiB/s, MAVLink 136 MiB/s,
GRIB Sec.7 718 MiB/s on Apple M-series) plus a "what's expected
to be slow today" section pointing at the three known unlocks
Drive-by lint fixes from clippy 1.91 (else-if-collapsible,
neg-multiply, unused-variable) — none of these were caught before
because the workspace was not previously building --benches under
-D warnings, but with the new bench wiring all targets must pass.
cargo fmt && cargo clippy --all --all-features --benches -- -D warnings
&& cargo build --benches --workspace are all green.
cargo bench -p orp-connector --bench parsers -- --quick produces the
baseline numbers above on the first run; second run shows the
no-change confirmation criterion's regression detector emits.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…MemoryKeyStore + bootstrap-admin-key
…replay protection + per-peer confidence cap (military ship-blocker closed) # Conflicts: # crates/orp-core/Cargo.toml # crates/orp-core/src/cli/args.rs # crates/orp-core/src/cli/commands.rs # crates/orp-core/src/main.rs
…TS + orp gen-cert (military ship-blocker closed) # Conflicts: # crates/orp-core/src/cli/args.rs # crates/orp-core/src/cli/commands.rs # crates/orp-core/src/main.rs # crates/orp-core/src/server/http.rs # crates/orp-core/src/server/notifications.rs
… + multi-IdP routing (military ship-blocker closed)
…e, PHC strings, OWASP-2023 floor # Conflicts: # crates/orp-core/src/server/notifications.rs
…alidator, federation_tls field Conflict-resolution leftovers from F1+F3+F4 merges: - orp-core/Cargo.toml had duplicate rustls/rustls-pemfile/axum-server/rcgen entries (F1's workspace= and F3's explicit version both landed). Kept F3's explicit specs since they're self-contained. - websocket.rs + commands.rs constructors of AuthState needed the new oidc_validator: None field that F4 added to the struct. - commands.rs line 875 used federation_tls_enabled (bool) where ServerConfig.federation_tls expects FederationTlsConfig (struct). Switched to the federation_tls variable already constructed above. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…/stream/query + post-v0.2.0 baseline # Conflicts: # Cargo.toml # crates/orp-core/src/server/notifications.rs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Twelve hardening streams integrated; all three Critical findings from the cryptography audit closed. Structurally military-deployable for the first time.
Implementation streams (12)
orp doctorpreflight, QUICKSTART/RECIPES/CONFIG.md, 4 runnable examples, 7 doctor testsorp-security::url_safety), retry ±25% jitter, per-channel circuit breaker (5/5min), VecDeque-bounded audit logPersistentAuditLogwith Ed25519 chain replay,audit verify+audit exportCLI, 22 new testsClaimspropagated throughhandle_socket(was hardcoded"ws-client"+["admin"]), ABAC sees real identity, send-timeout, 8 unit teststokio::fsasync load, trigram-narrowed fuzzy match (HashSet index, was linear scan)KeyStoretrait + DuckDb persistence, OWASP-2023 Argon2id (m=19MiB, t=2, p=1),--bootstrap-admin-key, 13 testsaxum-server::tls_rustlsreplacing plainaxum::serve, optional mTLS via--tls-client-ca, HSTS,orp gen-certvia rcgen,docs/TLS.md. Closes audit Criticaljwks_uri(RS256+ES256), multi-IdP routing byiss, JWKS TTL cache + refresh-on-kid-miss, HS256 backward-compat for legacy API tokens,docs/OIDC.md. Closes audit CriticalOsRngfor both CSRF state and password salts (wasthread_rng), Argon2id PHC (was unsalted SHA-256), 5 testsdocs/BENCHES.mdSurgical fixes
fix(audit): route ingest through AuditLogger trait— closes ingest.rs:363 duplicate-PK collision after B's refactorfix(doctor): 7 clippy errors in I's doc commentschore(gitignore): exclude macOS ._* resource-fork filesfix: integration patches— dedup rustls/axum-server entries, AuthState.oidc_validator field, federation_tls field type from F1+F3+F4 conflict resolutionTest counts
Test plan
cargo fmt --all -- --check— cleancargo clippy --all --all-features -- -D warnings— cleancargo check --workspace --all-features --tests— cleanDeferred to follow-up PRs (4 streams)
🤖 Generated with Claude Code