Skip to content

Harden multitenant gateway#1

Draft
yuanyuanac wants to merge 1 commit into
aurora-develop:mainfrom
yuanyuanac:agent/secure-multitenant-gateway
Draft

Harden multitenant gateway#1
yuanyuanac wants to merge 1 commit into
aurora-develop:mainfrom
yuanyuanac:agent/secure-multitenant-gateway

Conversation

@yuanyuanac

Copy link
Copy Markdown

What changed

  • separate downstream proxy API keys from server-side Claude browser credentials
  • bind each authenticated tenant to one upstream credential and isolate persistent conversations by tenant
  • add per-tenant rate limits, request-size limits, request IDs, redacted logging/recovery/errors, capacity limits, idle TTL, and safe lifecycle cleanup
  • add key generation, protected tenant-file configuration, security guidance, safer Docker defaults, and least-privilege CI
  • upgrade Go and affected modules to versions that clear the reachable vulnerability scan

Why

The previous gateway could not safely distinguish downstream callers from upstream browser sessions and lacked tenant isolation and bounded request/session controls. These changes make the branch reviewable for controlled local/private-network testing without introducing real credentials or production integration.

Impact

Existing deployments must generate a downstream c2a_ key and configure its SHA-256 digest. Multi-tenant deployments must use a protected TENANTS_FILE with one distinct upstream credential per tenant. The default bind address remains loopback; Docker Compose publishes to 127.0.0.1 by default.

Validation

  • git diff --check
  • go mod verify
  • go mod tidy -diff
  • go test ./...
  • go vet ./...
  • go test -shuffle=on -count=10 ./...
  • Windows builds for the gateway and key generator
  • actionlint for the GitHub Actions workflow
  • govulncheck ./... (0 reachable vulnerabilities)
  • gitleaks dir . --redact (0 leaks)
  • synthetic loopback checks for health, authentication, browser-cookie rejection, 413 body limits, rate limiting, request IDs, cache controls, and retry headers

Docker image build was not run locally because Docker is not installed; the draft PR CI is expected to cover Linux race tests and image builds.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant