feat!: implement secure v4 session architecture#43
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 544095300e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Co-Authored-By: Claude <noreply@anthropic.com>
f3dec2c to
434b127
Compare
|
Latest remediation is available in
Observed verification before push: focused module suites passed; all non-Redis project checks, sample tests, formatting, publication POM generation, and Java ABI inspection passed. Current-head GitHub CI is being monitored. |
Co-Authored-By: Claude <noreply@anthropic.com>
Summary
Implements the phased remediation recommended by
.qp/reports/ogiri_deep_audit_2026-07-10.htmlas a deliberate breaking v4 release.ogiri-session-core, publicogiri-testfixtures, and anogiri-bomBreaking changes
4.0.0ogiri.session.enabled=true, select exactly one transport, provide aSessionStore, and composeOgiriHttpConfigurerinto the chain that owns authorizationAudit disposition
All 40 report findings were re-checked against the audited revision and addressed through the report's dependency-ordered Gate 0 security, Gate 1 hardening, Gate 2 v4 core, and Gate 3 product recommendations. Regression coverage includes fixed rotation grace, replay bounds, atomic concurrent rotation and maximum-session admission, parent-bound child renewal, transaction rollback/post-commit behavior, secure chain routing, cookie CSRF behavior, strict bearer parsing, endpoint management, JPA starter behavior, Redis rate limiting, Java consumer compilation, cleanup leases, metrics, and error taxonomy.
Verification
./gradlew spotlessApply check generatePomFileForMavenJavaPublication— passed./gradlew check dependencyCheckAnalyze generatePomFileForMavenJavaPublication— passed; 206 tasks, OWASP scan reported 0 vulnerabilitiesogiri-corePOM reports version4.0.0ori— 0 findings after addressing its stale-current-session and executor-lifecycle findingsDependency security
3.5.1612.2.2, scansruntimeClasspath, fails at CVSS 7.0, and rejects unused suppressions2026-10-01: Kotlin CVEs that affect compiler/build-cache behavior but are falsely matched to runtime-onlykotlin-stdlib/kotlin-reflect; its note requires removal once stable Kotlin 2.4.20 is compatible