docs(architecture): ADR-0007 egress auth mechanism — edge-inject vs protocol-broker

[Yambr]

Decision

ADR-0007 selects the egress credential-attachment mechanism by upstream:

Upstream	Mechanism
Fixed-client low-granularity bearer (e.g. an LLM API)	edge-inject (egress-wide bump)
High-value credential scoped by rights (e.g. a PAT, object store, bank internal API)	protocol-broker

v1 ships edge-inject only. The protocol-broker mechanism is the existing Storage-broker zone, named and abstraction-ready, deferred for other upstreams. Injecting user PATs through the egress edge is recorded as an explicit anti-example.

Egress posture model

• Posture is a ladder by need, not a two-mode switch: deny-all / transparent pass-through (no CA) / egress-wide bump / external SDS source. Bump is the default only when an upstream credential is configured, so the one-click solo path holds at every rung; the per-deployment CA is auto-generated and its public cert auto-injected into the sandbox trust store at start.
• Substrate = Envoy data plane + a self-hosted SDS minting service (per-SNI leaf from the per-deployment CA). A config-time-enumerable allow-list uses pre-minted leaves over a file SDS source instead — no dynamic minter. Vanilla Envoy alone does not mint leaves on the fly; mitmproxy/Squid are rejected-as-default for dropping the Envoy data plane (recorded in the BoM).
• Injection gate is a scoped credential the request presents, never network origin (tightens threat-model P6-E2; the "inject because traffic came from sandbox X" anti-pattern is named).
• Correction: the guest holds no long-lived upstream secret but may carry a short-lived session-scoped handle — replaces the prior categorical "guest holds nothing / sends an unauthenticated request".

Scope

New: adr/0007-egress-auth-mechanism.md. Propagated across §7 trust-boundaries, NFRs (FLEX-15, SEC-05/17/23/27/37/50/57/73), the threat model + diagram, component-06 / component-05 / 00-overview, glossary, c4 container & context, 08-contracts, the trust-zone diagram, ADR-0005/0006 forward-refs, the BoM, and the primitives backlog. 20 files.

Verification

• Doc linters (front-matter, wc-budget, ai-slop, tree-whitelist, ascii-detector) + self-test 14/14 green locally.
• All relative cross-references resolve.
• The egress-auth model reads consistently across the 20 files: one rung vocabulary (egress-wide bump, not MITM mode), the delta-4/delta-5 invariants stated in the owning component spec, and ADR-0007 cross-referenced from every doc it governs.

🤖 Generated with Claude Code

[coderabbitai]

Walkthrough

This PR refactors egress architecture documentation by replacing a two-mode egress model (transparent vs MITM-inspecting) with a rung-based posture ladder. It introduces ADR-0007 for edge-inject credential attachment via Envoy SDS and updates all trust-boundary, threat-model, component, and security requirements documentation to use consistent "bump rung" terminology and clarify that guests never hold real upstream secrets.

Changes

Egress Posture Ladder & Edge-Inject Authentication Mechanism

Layer / File(s)	Summary
Egress Posture Ladder Foundation docs/architecture/02-trust-boundaries.md, docs/architecture/glossary.md, docs/architecture/04-bounded-contexts.md, docs/architecture/03-c4-context.md	§7 "Egress posture" refactored from two-mode (transparent vs MITM-inspecting) to rung-ladder (deny-all, transparent pass-through, egress-wide bump, external SDS source). Bump rung is default only when upstream credential configured. DLP-ICAP repositioned as bump-rung configuration. Credential injection keyed to presented scoped credential, requiring edge-originated upstream connection.
ADR-0007: Edge-Inject Authentication Mechanism docs/architecture/adr/0007-egress-auth-mechanism.md, docs/architecture/adr/README.md, docs/architecture/adr/0006-egress-forward-proxy-substrate.md, docs/architecture/adr/0005-egress-credential-delivery-envoy-sds.md	Introduces ADR-0007 specifying v1 edge-inject: TLS termination with on-demand per-SNI leaf certificates minted via self-hosted SDS from per-deployment CA; upstream Authorization injection gated on presented scoped credential (not network origin); protocol-broker deferred to future. Updates ADR-0006 scope (MITM termination now decided in ADR-0007) and ADR-0005 to reference per-upstream mechanism selection.
Trust Boundary & Threat Model Alignment docs/architecture/06-threat-model.md, docs/architecture/diagrams/02-trust-boundaries.mmd, docs/architecture/diagrams/06-threat-model.mmd	Replaces "MITM mode" terminology with "egress-wide-bump rung" in threat descriptions; clarifies credential delivery via Envoy SDS at bump rung; expands live-threat coverage for transparent-mode exfiltration and repudiation/accountability; updates diagram edge labels for SDS lifecycle (mint/rotate/revoke) and credential gating (presented scoped credential → edge inject); adjusts PEND node tracked NFRs.
Egress Trust-Edge Component & Contracts docs/architecture/05-c4-container.md, docs/architecture/components/06-egress-trust-edge.md, docs/architecture/08-contracts.md, docs/architecture/diagrams/c4-container.mmd	Container description specifies injection only on bump-rung legs (excluding transparent/deny-all); clarifies per-upstream mechanism selection; defines three internal faces (sandbox listener, upstream originator, audit emitter); specifies SDS minter as OCU code; tightens invariants around allow-list gating, deny-reason structure, and credential invisibility to guest; updates threat-model rows and open questions to reflect bump-rung framing; updates contract ownership for secret delivery (per-SNI minter is self-hosted OCU).
Security & Flexibility NFRs Aligned to Rung Ladder docs/architecture/manifesto/02-nfrs.md, docs/architecture/manifesto/05-licensing-posture.md, docs/architecture/primitives-backlog.md	Updates trust-boundary framing from network-bound egress identity to network-bound egress route; NFR-SEC-05 specifies per-deployment CA injection at bump rung; NFR-SEC-23 emphasizes guest never holds real upstream secret (only session-scoped handles allowed); NFR-SEC-37 scopes plaintext exceptions to bump rung (absent from transparent/deny-all); new NFR-SEC-50 specifies edge re-origination for credential attachment only at bump rung; NFR-SEC-57 ties exfil tripwire to rung tier; NFR-SEC-73 enforces broker-side downloadable denial regardless of rung; NFR-FLEX-15 defines ladder rungs with DLP-ICAP as bump-rung configuration; adds mitmproxy/Squid ssl-bump rejection with ADR-0007 reference.
Component Context & Session Integration docs/architecture/components/00-overview.md, docs/architecture/components/05-session-sandbox.md	Egress trust-edge component table populated with ADR bindings (0005, 0006, 0007); maturation-order language updated to reference egress-wide-bump behavior and ADR-0007 edge-inject commitment; session-sandbox egress leg clarified as carrying no long-lived upstream secret with SDS-sourced credentials injected at edge on presented scoped credential; threat-row P5-I3 updated to shift deep content inspection from opt-in MITM leg to egress-wide-bump leg.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• Wide-Moat/open-computer-use#160: Updated documentation removes network-bound egress-identity framing and replaces it with edge-originated credential injection keyed to presented scoped credentials, directly addressing the session-binding concern (netns vs mTLS-SVID vs source-IP vs vsock).

Possibly related PRs

• Wide-Moat/open-computer-use#228: Both PRs refine ADR-0006's scope in relation to the egress-wide-bump/rung-ladder model decision hierarchy.
• Wide-Moat/open-computer-use#196: Both PRs update Layer-7 egress threat modeling—docs(architecture): Layer 7 — STRIDE threat model on the container DFD #196 adds STRIDE container diagram, main PR updates threat-row terminology to align with egress-wide-bump rung semantics.
• Wide-Moat/open-computer-use#200: Both PRs align egress security NFRs (SEC-50 upstream credential edge re-origination, SEC-57 exfil tripwire across postures) with the rung-ladder model.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: introduction of ADR-0007 documenting the egress authentication mechanism decision between edge-inject and protocol-broker approaches.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/adr-0007-egress-auth-mechanism

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/architecture/adr/0007-egress-auth-mechanism.md`:
- Around line 1-2: Replace the existing SPDX header lines that read
"SPDX-License-Identifier: FSL-1.1-Apache-2.0" and the accompanying copyright
comment with the required new-file header: add a top-of-file comment line "#
SPDX-License-Identifier: BUSL-1.1" and a following copyright comment "#
Copyright (c) 2025 Open Computer Use Contributors"; update the header in the ADR
file that currently contains "FSL-1.1-Apache-2.0" so the file conforms to the
mandated new source file license format.

In `@docs/architecture/components/06-egress-trust-edge.md`:
- Line 37: The doc's statement that "the edge receives the credential from SDS
at injection time... and drops it after the connection terminates; it holds no
credential at rest" is inaccurate for Envoy SDS; revise the phrasing around the
"edge receives the credential from SDS..." sentence and the other referenced
lines to say that secrets are "SDS-managed in-process secret state" (kept in
Envoy process memory via SDS subscription/push) rather than asserting
per-connection fetch-and-drop or absolute "no credential at rest" guarantees,
and explicitly note that on-demand fetching is conditional/configurable rather
than default.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0257dc41-7398-483c-8104-97375ad976c8

📥 Commits

Reviewing files that changed from the base of the PR and between d719334 and 2147a7b.

📒 Files selected for processing (20)

• docs/architecture/02-trust-boundaries.md
• docs/architecture/03-c4-context.md
• docs/architecture/04-bounded-contexts.md
• docs/architecture/05-c4-container.md
• docs/architecture/06-threat-model.md
• docs/architecture/08-contracts.md
• docs/architecture/adr/0005-egress-credential-delivery-envoy-sds.md
• docs/architecture/adr/0006-egress-forward-proxy-substrate.md
• docs/architecture/adr/0007-egress-auth-mechanism.md
• docs/architecture/adr/README.md
• docs/architecture/components/00-overview.md
• docs/architecture/components/05-session-sandbox.md
• docs/architecture/components/06-egress-trust-edge.md
• docs/architecture/diagrams/02-trust-boundaries.mmd
• docs/architecture/diagrams/06-threat-model.mmd
• docs/architecture/diagrams/c4-container.mmd
• docs/architecture/glossary.md
• docs/architecture/manifesto/02-nfrs.md
• docs/architecture/manifesto/05-licensing-posture.md
• docs/architecture/primitives-backlog.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update SPDX header to match the required new-file license format.

This new file uses FSL-1.1-Apache-2.0, but the review guideline requires # SPDX-License-Identifier: BUSL-1.1 and # Copyright (c) 2025 Open Computer Use Contributors for new source files.

As per coding guidelines, **/*: “All other new source files MUST include SPDX license header: # SPDX-License-Identifier: BUSL-1.1 with # Copyright (c) 2025 Open Computer Use Contributors”.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/architecture/adr/0007-egress-auth-mechanism.md` around lines 1 - 2,
Replace the existing SPDX header lines that read "SPDX-License-Identifier:
FSL-1.1-Apache-2.0" and the accompanying copyright comment with the required
new-file header: add a top-of-file comment line "# SPDX-License-Identifier:
BUSL-1.1" and a following copyright comment "# Copyright (c) 2025 Open Computer
Use Contributors"; update the header in the ADR file that currently contains
"FSL-1.1-Apache-2.0" so the file conforms to the mandated new source file
license format.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

For Envoy SDS and HTTP credential injection, does Envoy cache SDS-delivered secrets in process memory between requests/connections, or fetch them strictly at injection time per request? Please cite Envoy official docs.

💡 Result:

Envoy behavior for SDS-delivered secrets (including those used by the HTTP credential injector): Envoy establishes an SDS subscription and keeps the resulting secret material in its process memory; it does not “fetch strictly at injection time per request” when the secret is already present. For TLS, Envoy explicitly supports both “warm/prefetch via SDS subscription” and “on-demand” fetching only when configured or when the secret is not already present. 1) SDS is a push/subscription mechanism and secrets are applied without needing per-request re-fetch Envoy’s SDS documentation describes SDS as a mechanism where an SDS server “will push certificates to all Envoy instances” and “Envoy will use the new ones right away without re-deployment” [1]. This implies the dataplane holds and updates the secret state in memory as SDS updates arrive, rather than doing a fresh remote fetch on every request. 2) By default, Envoy does SDS fetching ahead of traffic (not on each request) The SDS docs state: “By default SDS certificate fetching blocks initialization of the listeners and the clusters that reference them.” [2] That is, Envoy waits for the required SDS-delivered secrets to be available before serving traffic, which again indicates secrets are not re-fetched per connection/request. 3) On-demand behavior exists, but it is conditional/configured (i.e., not the default) Envoy also documents an on-demand mode for TLS: “Envoy provides an on-demand certificate selector that pauses the TLS handshake to issue an SDS request for a certificate if not present, and then continues the handshake after receiving the response.” [1][3]. The on-demand selector is explicitly described as “Fetches the secret on-demand while allowing the parent cluster or listener to accept connections without warming… During the handshake… an SDS resource request starts, and the handshake is paused… Once an SDS response is received… the handshake is resumed…” [4]. So, per-request fetching happens only in the on-demand/certificate-missing case, not as a general “always fetch at injection time.” 4) HTTP credential injector uses configured credential sources; the official filter docs do not indicate per-request SDS fetching semantics The Envoy CredentialInjector filter description says “The filter is configured with one of the following supported credential_injector extensions. Extensions are responsible for fetching the credentials from the source. The credentials obtained are then injected into the Authorization header…” [5]. The (proto) docs for the credential injector also describe that SDS can be used for credential configuration (example shows sds_config under the injected credential) [6]. However, the official credential injector documentation does not state that SDS-sourced credentials are fetched anew for every request; instead, SDS overall is designed to push/update secret material (see #1 and #2). Therefore, with SDS-backed injected credentials, the expected model is “SDS updates secret state in the Envoy process, then injection uses the current in-process secret,” unless a specifically configured on-demand mechanism is used. Answer to the question For Envoy SDS and HTTP credential injection, Envoy caches (maintains) SDS-delivered secrets in process memory between requests/connections via SDS subscription/update semantics, rather than fetching strictly at injection time per request in the default case [1][2]. Strict per-request fetching happens only when you configure an on-demand SDS flow such that Envoy must request the secret during a handshake/injection because it is not present (“if not present”) [1][3][4].

Citations:

• 1: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret.html
• 2: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret
• 3: https://www.envoyproxy.io/docs/envoy/v1.27.5/configuration/security/secret
• 4: proposal: a new light extension to load certificates through SDS on-demand envoyproxy/envoy#30600
• 5: https://spiffe.io/docs/latest/microservices/envoy/
• 6: https://dev.to/jamesli/xds-protocol-deep-dive-the-universal-control-plane-api-behind-envoy-and-istio-2de9

---

Reword edge credential-lifecycle claims to avoid unsupported “no credential at rest / fetch-drop” guarantees with Envoy SDS

The wording implies per-connection fetch-and-drop semantics and “no credential at rest” in the edge. Envoy’s SDS model is subscription/push and keeps SDS-delivered secret material in Envoy process memory (with on-demand fetching only as a conditional/configured path when the secret is missing). Update the doc to reflect “SDS-managed in-process secret state” and avoid absolute guarantees about not holding credentials outside the connection lifetime (apply to the same wording at the other referenced lines).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/architecture/components/06-egress-trust-edge.md` at line 37, The doc's
statement that "the edge receives the credential from SDS at injection time...
and drops it after the connection terminates; it holds no credential at rest" is
inaccurate for Envoy SDS; revise the phrasing around the "edge receives the
credential from SDS..." sentence and the other referenced lines to say that
secrets are "SDS-managed in-process secret state" (kept in Envoy process memory
via SDS subscription/push) rather than asserting per-connection fetch-and-drop
or absolute "no credential at rest" guarantees, and explicitly note that
on-demand fetching is conditional/configurable rather than default.