feat: delegation chains, session traces, TUI polish #67
Merged
Conversation
Delegation chain binding:
- Multi-hop delegation tokens with cryptographic chain verification
- VerifyChain() validates signature, expiry, scope narrowing, depth, parent linkage, and continuity across N hops
- X-Oktsec-Delegation header support in gateway middleware
- delegation_chain_hash persisted in audit trail
- CLI: oktsec delegate command for creating signed tokens
Reasoning chain capture:
- ToolEvent extended with reasoning, reasoning_hash, plan_step fields
- reasoning_log table (separate from audit_log for large data)
- LogReasoning/QueryReasoningBySession/QueryReasoningByAuditID methods
- SessionTrace builder reconstructs tool call timelines per session
- QueryOpts.SessionID filter for session-scoped queries
Ephemeral identity:
- EphemeralKeyStore: in-memory task-scoped Ed25519 keys with auto-eviction
- Issue/Verify/Revoke/RevokeByTask lifecycle management
- MaxPerTask and MaxTTL caps prevent key sprawl
- EphemeralConfig in identity configuration
Dashboard:
- Session Trace page (/dashboard/sessions/{id}) with vertical timeline, reasoning bubbles, threat highlighting, duration stats
- Event detail sidebar converted to tabs: Overview, Content, Forensics
- Authorization section shows delegation chain or "Direct" with registered-by and registration date
- Session column in events table with clickable links to trace
- SSE dynamic rows include session, latency, and rules columns
Exports:
- CSV export with session metadata header and step-by-step table
- SARIF 2.1.0 export for compliance tools (GitHub Security, Azure DevOps)
- JSON export for programmatic integration
Data model:
- delegation_chain column persists human-readable chain summary
- Timestamp parsing handles RFC3339Nano for duration calculation
- SessionID filter in QueryOpts for session-scoped queries
Pass live config pointer to TUI so it reads RequireSignature on each render tick instead of using the initial value.
- Extract auditSelectCols constant to deduplicate SQL column lists
- Add OrderASC to QueryOpts, remove in-memory array reversal in trace
- Extract removeTaskFingerprint helper in ephemeral key store
- Fix struct field alignment in audit Entry and config map literals
- Add SetAuditStore to share single store between proxy and gateway
- Count rejected events as blocked in TUI, shorten quarantine label
059016d to 20b85df
Summary
delegate CLI command.
Changed packages
- audit, config, dashboard, gateway, hooks, identity, tui, verdict, commands
Test plan
- make build passes
- make test passes (all packages, race detector)
- make lint passes (0 issues)