Skip to content

feat!: implement secure v4 session architecture#43

Open
mosobande wants to merge 6 commits into
orifrom
audit-remediation-v4
Open

feat!: implement secure v4 session architecture#43
mosobande wants to merge 6 commits into
orifrom
audit-remediation-v4

Conversation

@mosobande

Copy link
Copy Markdown
Collaborator

Summary

Implements the phased remediation recommended by .qp/reports/ogiri_deep_audit_2026-07-10.html as a deliberate breaking v4 release.

  • replaces mutable token-history behavior with a selector/verifier session state machine, immutable previous-token deadline, atomic rotation/admission commands, family reuse detection, and parent-bound child credentials
  • composes authentication and authorization in one consumer-selected Spring Security chain, with secure bearer/cookie/DTA transport profiles, account-state checks, session-bound logout, CSRF-safe cookie defaults, strict parsing, stable RFC 9457 errors, and post-commit response mutation
  • adds Java-friendly session APIs, named realms and opaque string subject identities, a persistence-neutral ogiri-session-core, public ogiri-test fixtures, and an ogiri-bom
  • provides the v4 JPA session store and canonical migration, guarded/clustered cleanup leases, a Redis distributed rate limiter, endpoint starter, management API, metrics, and health indicators
  • centralizes version resolution, publishes v4 metadata, pins GitHub Actions by commit, adds CodeQL, hardens release/snapshot module checks, and adds an OWASP dependency gate
  • replaces v3 quickstarts and operational/security/database guidance with the executable v4 contract, migration policy, support policy, security contact metadata, and ADR/context model

Breaking changes

  • release version is 4.0.0
  • session wire/storage semantics are replaced; existing v3 sessions are intentionally invalidated unless the documented dual-read migration is implemented by the consumer
  • applications now opt in with ogiri.session.enabled=true, select exactly one transport, provide a SessionStore, and compose OgiriHttpConfigurer into the chain that owns authorization
  • servlet, credential, persistence, and subject identity responsibilities are separated into the new core/application adapters

Audit disposition

All 40 report findings were re-checked against the audited revision and addressed through the report's dependency-ordered Gate 0 security, Gate 1 hardening, Gate 2 v4 core, and Gate 3 product recommendations. Regression coverage includes fixed rotation grace, replay bounds, atomic concurrent rotation and maximum-session admission, parent-bound child renewal, transaction rollback/post-commit behavior, secure chain routing, cookie CSRF behavior, strict bearer parsing, endpoint management, JPA starter behavior, Redis rate limiting, Java consumer compilation, cleanup leases, metrics, and error taxonomy.

Verification

  • ./gradlew spotlessApply check generatePomFileForMavenJavaPublication — passed
  • ./gradlew check dependencyCheckAnalyze generatePomFileForMavenJavaPublication — passed; 206 tasks, OWASP scan reported 0 vulnerabilities
  • generated ogiri-core POM reports version 4.0.0
  • CodeRabbit CLI review against ori0 findings after addressing its stale-current-session and executor-lifecycle findings

Dependency security

  • Spring Boot updated within the Java 17-compatible 3.5 line to 3.5.16
  • Jackson, Log4j bridge dependencies, and Tomcat receive current security patch overrides
  • Dependency-Check updated to 12.2.2, scans runtimeClasspath, fails at CVSS 7.0, and rejects unused suppressions
  • the only suppression is bounded until 2026-10-01: Kotlin CVEs that affect compiler/build-cache behavior but are falsely matched to runtime-only kotlin-stdlib/kotlin-reflect; its note requires removal once stable Kotlin 2.4.20 is compatible

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 544095300e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread ogiri-jpa/src/main/kotlin/com/quantipixels/ogiri/jpa/OgiriJpaSessionStore.kt Outdated
@mosobande
mosobande force-pushed the audit-remediation-v4 branch from f3dec2c to 434b127 Compare July 12, 2026 19:09
@mosobande

Copy link
Copy Markdown
Collaborator Author

Latest remediation is available in 434b127:

  • closes the stale-authentication, Java API, credential-redaction, endpoint auto-configuration/base-path, and clustered-cleanup findings
  • adds focused Java, Spring consumer, JPA concurrency, and cleanup renewal regression coverage
  • streamlines the README around features, modules, installation, minimal configuration, and links to the detailed guides
  • keeps the local HTML session report out of Git history

Observed verification before push: focused module suites passed; all non-Redis project checks, sample tests, formatting, publication POM generation, and Java ABI inspection passed. Current-head GitHub CI is being monitored.

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants