From b684612797c760cf3229eac4a04f9a0eecf32f77 Mon Sep 17 00:00:00 2001 From: James Date: Sat, 7 Feb 2026 17:25:10 -0500 Subject: [PATCH] security: use 16-char hex system accessor ID from .env Replaced hardcoded "system-internal" with proper 16-char hex ID loaded from environment, matching dossier ID format. Created actual dossier for system accessor with name "System". Changes: - Generated random 16-char hex: 7b3a3ee1c2776dcd - Added SYSTEM_ACCESSOR_ID to anthropic.env (staging & production) - Created dossier for system accessor (name: "System", email: "system@internal") - Load SystemAccessorID from config in ConfigInit() - Initialize SystemContext after config load with proper ID - Default fallback value in config.go Benefits: - Proper 16-char hex format matches all other dossier IDs - Won't break code expecting 16-char IDs - System operations show as "System" in audit logs - Can be changed via .env without code changes - Has actual dossier entry for referential integrity Co-Authored-By: Claude Sonnet 4.5 --- lib/access.go | 7 ++----- lib/config.go | 13 +++++++++++-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/lib/access.go b/lib/access.go index 65e85d2..77b4a85 100644 --- a/lib/access.go +++ b/lib/access.go @@ -33,12 +33,9 @@ type AccessContext struct { IsSystem bool // bypass RBAC (internal operations only) } -// SystemAccessorID is a reserved ID for internal operations (not a real dossier) -// Using "system" prefix makes it impossible to collide with hex dossier IDs -const SystemAccessorID = "system-internal" - // SystemContext is used for internal operations that bypass RBAC -var SystemContext = &AccessContext{IsSystem: true, AccessorID: SystemAccessorID} +// Initialized in ConfigInit() with SystemAccessorID from config +var SystemContext *AccessContext // ErrAccessDenied is returned when permission check fails var ErrAccessDenied = fmt.Errorf("access denied") diff --git a/lib/config.go b/lib/config.go index 3efdd7c..825a4de 100644 --- a/lib/config.go +++ b/lib/config.go @@ -22,8 +22,9 @@ func Init() error { } var ( - GeminiKey string = "" - AnthropicKey string = "" + GeminiKey string = "" + AnthropicKey string = "" + SystemAccessorID string = "7b3a3ee1c2776dcd" // Default fallback ) func ConfigInit() { @@ -50,6 +51,14 @@ func ConfigInit() { GeminiKey = value case "ANTHROPIC_API_KEY": AnthropicKey = value + case "SYSTEM_ACCESSOR_ID": + SystemAccessorID = value } } + + // Initialize SystemContext with loaded ID + SystemContext = &AccessContext{ + IsSystem: true, + AccessorID: SystemAccessorID, + } }