Skip to content

feat: exempt platform-auth secret headers from the Lambda x-ms-* strip (Milestone G)#126

Merged
I-am-nothing merged 1 commit into
mainfrom
feat/g-prod-transport-sdk-prep
Jun 20, 2026
Merged

feat: exempt platform-auth secret headers from the Lambda x-ms-* strip (Milestone G)#126
I-am-nothing merged 1 commit into
mainfrom
feat/g-prod-transport-sdk-prep

Conversation

@I-am-nothing

@I-am-nothing I-am-nothing commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

What

Milestone G SDK groundwork. In production a module runs as a Lambda function invoked via the HTTP-shaped LambdaRequest envelope. This closes the one kernel gap on that receive path so a deployed module's internal/MCP auth works.

The fix

NewLambdaHandler strips all x-ms-* headers before running the module router — to neutralize spoofable identity headers. But that also dropped X-MS-Internal-Secret / X-MS-Platform-Token, so a Lambda-invoked module's InternalAuth / RequireProxy middleware never saw the secret and 401'd every internal/MCP call.

Now the strip keeps the deny-by-default stance for identity claims (X-MS-User-ID, X-MS-App-ID, X-MS-App-Role — trusted identity rides the typed LambdaRequest fields) but exempts the two platform-auth secret headers. Safe: the platform builds a fresh header set per invoke, so nothing client-supplied reaches here.

Version 0.2.5 → 0.2.6 (add the release label on merge to publish).

Tests

  • New TestNewLambdaHandler_AuthSecretHeadersSurvive (secrets reach the router, claims stripped) + TestMsAuthSecretHeadersMatchConstants (structural pin against constant drift).
  • Existing TestNewLambdaHandler_StripXMSHeaders still passes.
  • go build ./internal/runtime/... + go test ./internal/runtime/ green.

🤖 Generated with Claude Code

@I-am-nothing I-am-nothing force-pushed the feat/g-prod-transport-sdk-prep branch from 3606f19 to 3c91776 Compare June 19, 2026 19:57
@I-am-nothing I-am-nothing marked this pull request as ready for review June 19, 2026 22:06
@I-am-nothing I-am-nothing force-pushed the feat/g-prod-transport-sdk-prep branch from 3c91776 to 319d40a Compare June 20, 2026 03:14
Milestone G groundwork. A production module runs as a Lambda invoked via the
HTTP-shaped LambdaRequest envelope; NewLambdaHandler strips all x-ms-* before
the router, which dropped X-MS-Internal-Secret / X-MS-Platform-Token too, so a
Lambda-invoked module's internalAuth/RequireProxy 401'd every internal/MCP call.
Strip only spoofable identity CLAIMS (user/app/role — identity rides typed
fields); exempt the two platform-auth SECRET headers. Bumps 0.2.5 -> 0.2.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@I-am-nothing I-am-nothing force-pushed the feat/g-prod-transport-sdk-prep branch from 319d40a to 3974acb Compare June 20, 2026 04:58
@I-am-nothing I-am-nothing changed the title feat: prep SDK for prod module transport (auth-header exemption + warm pool) feat: exempt platform-auth secret headers from the Lambda x-ms-* strip (Milestone G) Jun 20, 2026
@I-am-nothing I-am-nothing merged commit 5b27dfc into main Jun 20, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant