Phase 3 Wave 1 Completion Record: Governance Server Enforcement
Date: 2026-01-05
Status: Wave 1 Complete
Components Secured: submitVote, castVoteAction, generateProxyFormAction, finance-ledger logic
1. Security Improvements Delivered
We have successfully introduced the Server-Side Context Guard (verifyContext) and applied it to the highest-risk Governance actions.
| Action | Previous Sec. | New Enforcement |
|---|---|---|
submitVote |
Implicit requireUser |
Strict Context: Requires Owner Hat AND explicit ownership of the Asset ID. Fails if Context mismatches claimed asset. |
castVoteAction |
Implicit requireUser |
Strict Context: Requires Owner Hat. Uses Context Asset ID directly. |
generateProxyForm |
Loose requireUser |
Strict Context: Fails if activeAssetId does not match the unit being proxied. |
postJournalEntry |
NONE (Critical Gap) | Patched: Now explicitly checks for admin or god role at entry. |
2. The Verification Guard
The new primitive lib/auth/guard.ts performs a real-time check against resolveAuthzSnapshot():
- Identity: Does user actually have the claimed Hat in the server snapshot?
- Asset: Does user actually own the claimed Asset ID in the server snapshot?
- Capability: Does user have 'can_vote'?
3. Verification Steps
- Ledger Patch: Verified code visually ensures
requireUseris called before any logic. - Voting Guard: Verified
verifyContextthrows ifsnapshot.availableHatsdoesn't include the claimed hat.
4. Next Steps (Wave 2)
- Apply
verifyContextto other critical modules (identity.ts). - Update Client-Side call sites to actually pass the
contextobject (currently the server actions expect it, but UI needs to be updated to send it). This is a required follow-up task.
Signed Off: Antigravity Agent