The arc

Airlock replaces CASA’s independent BetterAuth as the single identity source across the devarno.cloud surface — hub, hubble, hatch, manual, pebble, ares, studio, web-app, landing. This campaign tracks the convergence from dual-truth to one gateway, and the verification programme proving the cutover is safe.

Status (2026-04-18)

  • Airlock serves hubble, hatch, pebble, ares, manual via cross-subdomain .devarno.cloud cookies. Family-hub (CASA) still runs its own BetterAuth — retirement is TASKSET 7.
  • Auth verification sweep (AV-TASKSET 1–8) complete: threat model, flow inventory, claim audit, instrumentation spec, contract harness, per-client registry, RBAC reconciliation, observability & decommission gate.
  • Three live findings surfaced (C1 forgeable default secret, C2 prod AUTH_DISABLED bypass, C5 WebSocket mid-session decay). Remediation is FU-TASKSET 0–3.

Verification artefacts

  • Threat model → atlas/findings/2026-04-18-auth-threat-model.md
  • Flow × hop matrix → atlas/findings/2026-04-18-auth-flow-hop-matrix.md
  • Claim audit (SDKs, chat-service, secrets) → atlas/findings/2026-04-18-auth-claim-audit.md
  • Instrumentation spec → atlas/findings/2026-04-18-auth-instrumentation-spec.md
  • Contract harness rollout readiness → atlas/findings/2026-04-18-auth-contract-rollout-readiness.md
  • RBAC reconciliation → atlas/findings/2026-04-18-auth-permissions-reconciliation.md
  • Decommission gate criteria → atlas/findings/2026-04-18-auth-decommission-gate.md

Path to cutover (FU-TASKSETs)

| # | Work | Unblocks |
|---|------|----------|
| 0 | C1 + C2 fail-closed guards (airlock boot, hubble/hatch middleware) | Removes live exposure |
| 1 | Airlock /api/admin/config-health endpoint | Preflight + RBAC generator |
| 2 | Airlock-native SDK carved out of hubble/hatch inline pattern | Single validation surface |
| 3 | Per-service OTel rollout (all six services) | Observability board signal |
| 4 | Hatch-side RBAC snapshot generator | Ongoing drift detection |
| 5 | Staging seed + CI secret population | First green contract run |
| 6 | This campaign restored and cross-linked | Single entry point |

Decommission gate

Five conditions, 72h soak on production traffic, per atlas/findings/2026-04-18-auth-decommission-gate.md:
  1. No AuthDisabledBypassInProd firings.
  2. No CookieScopeMisconfig firings.
  3. RevocationSlaBreach (p95 > 30s) clear.
  4. Instrumentation coverage ≥ 95% on the decommissioned flow.
  5. No InstrumentationRegressionMissingAttrs firings.
Soak clock resets on any violation. No partial credit.
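
The gate logic above as an added example (not code from the project): a soak-clock evaluator run over a constructed event list. The alert names and thresholds come from the five conditions; the `Event` type, the `coverage` sample kind, restarting the clock at the violation's timestamp, and failing closed when no coverage sample exists since the last reset are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SOAK = timedelta(hours=72)          # soak length stated on the page
MIN_COVERAGE = 0.95                 # condition 4
GATE_ALERTS = frozenset({           # conditions 1, 2, 3, 5
    "AuthDisabledBypassInProd",
    "CookieScopeMisconfig",
    "RevocationSlaBreach",
    "InstrumentationRegressionMissingAttrs",
})

@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str            # an alert name, or "coverage" (assumed sample type)
    value: float = 0.0   # coverage ratio, used only when kind == "coverage"

def evaluate_gate(soak_start, now, events):
    """Return (passed, clock_start, violations) for the soak window."""
    clock, covered, violations = soak_start, False, []
    for ev in sorted(events, key=lambda e: e.at):
        if not soak_start <= ev.at <= now:
            continue
        low_cov = ev.kind == "coverage" and ev.value < MIN_COVERAGE
        if ev.kind in GATE_ALERTS or low_cov:
            # Any violation restarts the clock; earlier clean hours are lost.
            clock, covered = ev.at, False
            violations.append(ev)
        elif ev.kind == "coverage":
            covered = True
    # Fail closed: no coverage sample since the last reset means no pass.
    passed = covered and (now - clock) >= SOAK
    return passed, clock, violations

def at_hour(hours):
    # Constructed timeline helper: hours after an arbitrary soak start.
    return datetime(2026, 1, 1, tzinfo=timezone.utc) + timedelta(hours=hours)

# Constructed sample events, not real telemetry.
SAMPLE = [
    Event(at_hour(10), "coverage", 0.97),
    Event(at_hour(40), "CookieScopeMisconfig"),
    Event(at_hour(50), "coverage", 0.96),
]

if __name__ == "__main__":
    for h in (72, 111, 112):
        passed, clock, _ = evaluate_gate(at_hour(0), at_hour(h), SAMPLE)
        print(f"t+{h}h passed={passed} clock_start={clock.isoformat()}")
```

With the sample events, the single CookieScopeMisconfig firing at hour 40 moves the earliest possible pass from hour 72 to hour 112.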

What the cutover removes

  • Django auth-service (F6 only — smallest lever).
  • CASA BetterAuth (largest lever — F1/F2/F7/F8; 7-day soak recommended).
  • AUTH_DISABLED env bypass in hubble + hatch.
  • Legacy sdk-js / sdk-go Family Hub coupling.
  • Hubble’s local platform_credentials table (post-TASKSET 6 cutover).

Stakeholders

  • Engineering: airlock, hubble, hatch, family-hub maintainers execute FU-TASKSETs.
  • Ops: owns staging seed rotation and gate soak monitoring.
  • Product / Leadership: sets the TASKSET 7 cutover date — populates the expires_at field on family-hub’s dual-truth reconciliation entry.
A delayed decision here propagates: the comparator fails closed when DUAL_TRUTH entries pass their expiry.