security: use 16-char hex system accessor ID from .env
Replaced hardcoded "system-internal" with proper 16-char hex ID loaded from environment, matching dossier ID format. Created actual dossier for system accessor with name "System". Changes: - Generated random 16-char hex: 7b3a3ee1c2776dcd - Added SYSTEM_ACCESSOR_ID to anthropic.env (staging & production) - Created dossier for system accessor (name: "System", email: "system@internal") - Load SystemAccessorID from config in ConfigInit() - Initialize SystemContext after config load with proper ID - Default fallback value in config.go Benefits: - Proper 16-char hex format matches all other dossier IDs - Won't break code expecting 16-char IDs - System operations show as "System" in audit logs - Can be changed via .env without code changes - Has actual dossier entry for referential integrity Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
45a6445c3b
commit
b684612797
@ -33,12 +33,9 @@ type AccessContext struct {
|
||||||
IsSystem bool // bypass RBAC (internal operations only)
|
IsSystem bool // bypass RBAC (internal operations only)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SystemAccessorID is a reserved ID for internal operations (not a real dossier)
|
|
||||||
// Using "system" prefix makes it impossible to collide with hex dossier IDs
|
|
||||||
const SystemAccessorID = "system-internal"
|
|
||||||
|
|
||||||
// SystemContext is used for internal operations that bypass RBAC
|
// SystemContext is used for internal operations that bypass RBAC
|
||||||
var SystemContext = &AccessContext{IsSystem: true, AccessorID: SystemAccessorID}
|
// Initialized in ConfigInit() with SystemAccessorID from config
|
||||||
|
var SystemContext *AccessContext
|
||||||
|
|
||||||
// ErrAccessDenied is returned when permission check fails
|
// ErrAccessDenied is returned when permission check fails
|
||||||
var ErrAccessDenied = fmt.Errorf("access denied")
|
var ErrAccessDenied = fmt.Errorf("access denied")
|
||||||
|
|
|
||||||
|
|
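Review bot: `var SystemContext *AccessContext` is nil until ConfigInit() assigns it, so any package-level initializer or code path that runs before config loading now dereferences nil where the old const-backed value was always usable; the initialization order between this package and the config package is not visible here, so this is a new crash risk rather than a certain one. A safer shape keeps a usable default, e.g. `var SystemContext = &AccessContext{IsSystem: true}` and have ConfigInit set `SystemContext.AccessorID` instead of replacing the pointer. The removed comment also recorded why the old prefixed ID could not collide with a real dossier ID, and the replacement hex ID loses that property; the comment on the new var should state that the configured ID is reserved for the System dossier and that `IsSystem`, not `AccessorID`, is what grants the RBAC bypass, so it must never be derived from a caller-supplied accessor ID.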
@ -24,6 +24,7 @@ func Init() error {
|
||||||
var (
|
var (
|
||||||
GeminiKey string = ""
|
GeminiKey string = ""
|
||||||
AnthropicKey string = ""
|
AnthropicKey string = ""
|
||||||
|
SystemAccessorID string = "7b3a3ee1c2776dcd" // Default fallback
|
||||||
)
|
)
|
||||||
|
|
||||||
func ConfigInit() {
|
func ConfigInit() {
|
||||||
|
|
@ -50,6 +51,14 @@ func ConfigInit() {
|
||||||
GeminiKey = value
|
GeminiKey = value
|
||||||
case "ANTHROPIC_API_KEY":
|
case "ANTHROPIC_API_KEY":
|
||||||
AnthropicKey = value
|
AnthropicKey = value
|
||||||
|
case "SYSTEM_ACCESSOR_ID":
|
||||||
|
SystemAccessorID = value
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Initialize SystemContext with loaded ID
|
||||||
|
SystemContext = &AccessContext{
|
||||||
|
IsSystem: true,
|
||||||
|
AccessorID: SystemAccessorID,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
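Review bot: The `case "SYSTEM_ACCESSOR_ID":` branch stores the environment value unvalidated, although the stated point of the change is that the ID is exactly 16 hex characters and the value feeds the RBAC-bypassing SystemContext built at the end of ConfigInit(); a malformed or empty value in one deployment silently breaks that format guarantee and the audit-log attribution it is meant to fix. Check it where it is read, e.g. `if len(value) != 16 { log.Fatalf("SYSTEM_ACCESSOR_ID must be 16 hex chars, got %q", value) }` followed by `if _, err := hex.DecodeString(value); err != nil { log.Fatalf("SYSTEM_ACCESSOR_ID is not hex: %v", err) }` (encoding/hex), or whatever failure path ConfigInit already uses for other settings. The default `"7b3a3ee1c2776dcd"` in the first hunk of this file means a deployment whose .env lacks the key silently falls back to an ID whose dossier row may not exist there, so at least log when the fallback is used. The loop and switch enclosing this case start outside the hunk.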