
Improve IAM token session assurance #1550

Open
wowsofine wants to merge 1 commit into UnitOneAI:main from wowsofine:improve/iam-token-session-assurance

Conversation

@wowsofine

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • Framework references align with existing iam-review references
  • Prompt Injection Safety Notice section retained
  • injection-hardened: true remains set in frontmatter
  • allowed-tools remains scoped to read-only assessment tools
  • Tested locally with Codex against the iam-review skill content and fixtures
  • No prohibited patterns found in the changed iam-review files
  • index.yaml update is not required because this updates an existing skill

What This PR Does

Addresses #1522 by adding a focused Token and Session Assurance gate to iam-review.

The change adds:

  • Step 2A: Token and Session Assurance
  • IAM-TOKEN-01 through IAM-TOKEN-08
  • evidence requirements for device-code flow controls, MFA fatigue / number matching, sign-in risk policy mode, refresh-token revocation, CAE resource coverage, session lifetime, legacy auth / OAuth grant bypass, and post-revocation validation
  • output requirements for grant type, MFA assurance, risk policy mode, refresh-token revocation timestamp, session invalidation timestamp, CAE-covered resources, post-revocation test result, evidence owner, and next validation date
  • one vulnerable fixture for device-code MFA fatigue with persistent tokens
  • one benign fixture for phishing-resistant MFA with token revocation proof

Framework References

  • NIST SP 800-63B Section 5.2.3 reauthentication and AAL2/AAL3 authenticator assurance guidance
  • NIST SP 800-207 Tenet 3 per-session access and Tenet 6 dynamic authentication / authorization enforcement
  • CIS Controls v8 Control 6.3, 6.4, and 6.7

Testing

  • Red check before implementation: rg -n "IAM-TOKEN-" skills/identity/iam-review/SKILL.md returned exit code 1
  • git diff --check
  • marker check for IAM-TOKEN-*, Token and Session Assurance, device-code, refresh-token, number matching, CAE resource, and post-revocation evidence
  • frontmatter required-field check across skills/**/SKILL.md and roles/**/SKILL.md
  • prompt-injection pattern scan across the changed iam-review files; matches were the existing safety boundary text only

Bounty Note

Requesting Skill Improvement bounty consideration for the #1522 implementation. Payment details can be provided privately after maintainer acceptance.
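As an added illustration (not code from this PR or from the UnitOneAI repository), the Python sketch below evaluates the eight evidence areas the Token and Session Assurance gate collects and assembles the output fields the PR lists, run against two constructed fixtures shaped like the vulnerable (device-code flow, push MFA, persistent tokens) and benign (phishing-resistant MFA, revocation proof) cases the description mentions. The mapping of IAM-TOKEN-01 through IAM-TOKEN-08 to evidence areas, the session-lifetime threshold, the resource names and all field names are assumptions made for this example, not the skill's own definitions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed mapping of check IDs to the eight evidence areas named in the PR
# description. The real definitions live in the skill's SKILL.md, not here.
CHECKS = {
    "IAM-TOKEN-01": "device-code flow controls",
    "IAM-TOKEN-02": "MFA fatigue / number matching",
    "IAM-TOKEN-03": "sign-in risk policy mode",
    "IAM-TOKEN-04": "refresh-token revocation",
    "IAM-TOKEN-05": "CAE resource coverage",
    "IAM-TOKEN-06": "session lifetime",
    "IAM-TOKEN-07": "legacy auth / OAuth grant bypass",
    "IAM-TOKEN-08": "post-revocation validation",
}

FATIGUE_PRONE_MFA = {"none", "push"}            # push approval without number matching
REQUIRED_CAE_RESOURCES = frozenset({"graph", "exchange", "sharepoint"})  # constructed list
MAX_SESSION_LIFETIME = timedelta(hours=12)      # assumed threshold for the example


@dataclass(frozen=True)
class TokenSessionEvidence:
    """One reviewed identity's evidence record (field names are assumptions)."""
    grant_type: str                          # "device_code", "authorization_code", ...
    device_code_restricted: bool             # device-code flow limited to approved apps
    mfa_assurance: str                       # "none", "push", "number_matching", "fido2"
    risk_policy_mode: str                    # "off", "report_only", "enforced"
    refresh_token_revoked_at: datetime | None
    session_invalidated_at: datetime | None
    cae_covered_resources: frozenset[str]
    session_lifetime: timedelta
    legacy_auth_blocked: bool
    post_revocation_test_passed: bool | None  # None = never tested
    evidence_owner: str
    next_validation_date: datetime


def evaluate(ev: TokenSessionEvidence) -> list[str]:
    """Return the IDs of the gate checks this evidence fails (empty list = gate passes)."""
    failed: list[str] = []
    if ev.grant_type == "device_code" and not ev.device_code_restricted:
        failed.append("IAM-TOKEN-01")
    if ev.mfa_assurance in FATIGUE_PRONE_MFA:
        failed.append("IAM-TOKEN-02")
    if ev.risk_policy_mode != "enforced":
        failed.append("IAM-TOKEN-03")
    if ev.refresh_token_revoked_at is None:
        failed.append("IAM-TOKEN-04")
    if REQUIRED_CAE_RESOURCES - ev.cae_covered_resources:   # any required resource uncovered
        failed.append("IAM-TOKEN-05")
    if ev.session_lifetime > MAX_SESSION_LIFETIME:
        failed.append("IAM-TOKEN-06")
    if not ev.legacy_auth_blocked:
        failed.append("IAM-TOKEN-07")
    if not ev.post_revocation_test_passed:
        failed.append("IAM-TOKEN-08")
    return failed


def render_output(ev: TokenSessionEvidence, failed: list[str]) -> dict:
    """Assemble the output fields the PR lists as required for the gate."""
    iso = lambda ts: ts.isoformat() if ts is not None else None
    return {
        "grant_type": ev.grant_type,
        "mfa_assurance": ev.mfa_assurance,
        "risk_policy_mode": ev.risk_policy_mode,
        "refresh_token_revocation_timestamp": iso(ev.refresh_token_revoked_at),
        "session_invalidation_timestamp": iso(ev.session_invalidated_at),
        "cae_covered_resources": sorted(ev.cae_covered_resources),
        "post_revocation_test_result": "pass" if ev.post_revocation_test_passed else "fail",
        "evidence_owner": ev.evidence_owner,
        "next_validation_date": iso(ev.next_validation_date),
        "failed_checks": {cid: CHECKS[cid] for cid in failed},
    }


_T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed fixture: device-code sign-in, push MFA, persistent tokens, no revocation proof.
VULNERABLE_FIXTURE = TokenSessionEvidence(
    grant_type="device_code", device_code_restricted=False, mfa_assurance="push",
    risk_policy_mode="report_only", refresh_token_revoked_at=None, session_invalidated_at=None,
    cae_covered_resources=frozenset({"graph"}), session_lifetime=timedelta(days=90),
    legacy_auth_blocked=False, post_revocation_test_passed=None,
    evidence_owner="iam-team", next_validation_date=_T0 + timedelta(days=90),
)

# Constructed fixture: phishing-resistant MFA with revocation and invalidation timestamps.
BENIGN_FIXTURE = TokenSessionEvidence(
    grant_type="authorization_code", device_code_restricted=True, mfa_assurance="fido2",
    risk_policy_mode="enforced", refresh_token_revoked_at=_T0,
    session_invalidated_at=_T0 + timedelta(minutes=2),
    cae_covered_resources=REQUIRED_CAE_RESOURCES, session_lifetime=timedelta(hours=8),
    legacy_auth_blocked=True, post_revocation_test_passed=True,
    evidence_owner="iam-team", next_validation_date=_T0 + timedelta(days=90),
)

if __name__ == "__main__":
    for name, fx in (("vulnerable", VULNERABLE_FIXTURE), ("benign", BENIGN_FIXTURE)):
        print(name, render_output(fx, evaluate(fx)))
```

Each check is a plain predicate over the evidence record, so the failed-check list doubles as the gate's rationale; the vulnerable fixture trips all eight assumed checks while the benign one produces an empty list and a complete output record.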
