v7: Admin defederation kill-switch — sever a malicious/compromised instance #61

Closed
opened 2026-06-29 20:28:53 +00:00 by claude-bot · 0 comments
Contributor

Safety counterpart to the v7 cross-instance write path (#9 / #10 / #12). Once an instance can be invited to write into a host project, an admin needs a fast, admin-only way to sever trust with an instance that turns out to be malicious or compromised — and clean up its footprint.

Not part of the host-inbound first pass (we're shipping #9/#10/#11/#12 first, validated with a signing test harness). Tracked here so it isn't lost; build it as a fast-follow once the write path lands.

Scope (admin-only, requireAdmin)

Builds on #12 (remote_actor_url, remote_contributions) and #10 (inbox authorization).

  • Hard block, not just disable. Today federated_instances.enabled=false gates discovery. Add a distinct blocked state that rejects all inbound activities from that instance's host at the inbox, before signature/processing.
  • Revoke remote editors. Remove all project_collaborators rows whose remote_actor_url is hosted on the blocked instance.
  • Quarantine its contributions. Set pending/conflict remote_contributions from that instance's actors to rejected; surface already-applied ones for owner review before any purge.
  • Purge / anonymize option. Allow the admin to purge or anonymize entries authored by that instance's actors (user_id IS NULL + attribution pointing at that host).
  • Audit-log the defederation action and what it touched.
  • Consider a one-click "defederate" affordance in the existing Admin → Federation UI alongside the per-instance enable/disable.

Out of scope

Re-federation/recovery flows; per-actor (vs per-instance) blocking — instance-level is enough for the kill-switch.


Filed as a planned fast-follow during v7 planning (host-inbound-first scope decision).

Safety counterpart to the v7 cross-instance write path (#9 / #10 / #12). Once an instance can be invited to *write* into a host project, an admin needs a fast, **admin-only** way to sever trust with an instance that turns out to be malicious or compromised — and clean up its footprint. **Not part of the host-inbound first pass** (we're shipping #9/#10/#11/#12 first, validated with a signing test harness). Tracked here so it isn't lost; build it as a fast-follow once the write path lands. ### Scope (admin-only, `requireAdmin`) Builds on #12 (`remote_actor_url`, `remote_contributions`) and #10 (inbox authorization). - [ ] **Hard block, not just disable.** Today `federated_instances.enabled=false` gates *discovery*. Add a distinct **blocked** state that rejects all inbound activities from that instance's host at the inbox, before signature/processing. - [ ] **Revoke remote editors.** Remove all `project_collaborators` rows whose `remote_actor_url` is hosted on the blocked instance. - [ ] **Quarantine its contributions.** Set pending/conflict `remote_contributions` from that instance's actors to `rejected`; surface already-applied ones for owner review before any purge. - [ ] **Purge / anonymize option.** Allow the admin to purge or anonymize entries authored by that instance's actors (`user_id IS NULL` + attribution pointing at that host). - [ ] **Audit-log** the defederation action and what it touched. - [ ] Consider a one-click "defederate" affordance in the existing Admin → Federation UI alongside the per-instance enable/disable. ### Out of scope Re-federation/recovery flows; per-actor (vs per-instance) blocking — instance-level is enough for the kill-switch. --- _Filed as a planned fast-follow during v7 planning (host-inbound-first scope decision)._
rbrooks referenced this issue from a commit 2026-06-30 15:08:13 +00:00
Sign in to join this conversation.
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rbrooks/TeaLeaves#61
No description provided.