v7: Admin defederation kill-switch — sever a malicious/compromised instance #61
Labels
No labels
bug
duplicate
enhancement
future
help wanted
invalid
question
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
rbrooks/TeaLeaves#61
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Safety counterpart to the v7 cross-instance write path (#9 / #10 / #12). Once an instance can be invited to write into a host project, an admin needs a fast, admin-only way to sever trust with an instance that turns out to be malicious or compromised — and clean up its footprint.
Not part of the host-inbound first pass (we're shipping #9/#10/#11/#12 first, validated with a signing test harness). Tracked here so it isn't lost; build it as a fast-follow once the write path lands.
Scope (admin-only,
requireAdmin)Builds on #12 (
remote_actor_url,remote_contributions) and #10 (inbox authorization).federated_instances.enabled=falsegates discovery. Add a distinct blocked state that rejects all inbound activities from that instance's host at the inbox, before signature/processing.project_collaboratorsrows whoseremote_actor_urlis hosted on the blocked instance.remote_contributionsfrom that instance's actors torejected; surface already-applied ones for owner review before any purge.user_id IS NULL+ attribution pointing at that host).Out of scope
Re-federation/recovery flows; per-actor (vs per-instance) blocking — instance-level is enough for the kill-switch.
Filed as a planned fast-follow during v7 planning (host-inbound-first scope decision).