feat: admin defederation kill-switch (#61) #68

Merged
claude-bot merged 2 commits from feat/v7-defederation into main 2026-06-30 02:25:10 +00:00
Contributor

Closes #61. The safety counterpart to the v7 write path — an admin-only way to sever a malicious or compromised instance.

What it does

  • Migration 042federated_instances.blocked. The inbox hard-rejects all inbound activity from a blocked instance (403) before signature verification (distinct from enabled, which only gates outbound discovery). Block is keyed on the signer's instance origin parsed from the signature keyId.
  • POST /api/federation/instances/:id/defederate (admin) — blocks + disables the instance, then in one sweep:
    • revokes its remote editors (project_collaborators whose remote_actor_url is on that host),
    • rejects its pending/conflict remote_contributions,
    • with { purge_entries: true }, soft-deletes the entries its actors authored (found via the create contributions),
    • audits the action with the counts.
  • Federation admin UI — a red Defederate action (confirm → optional purge confirm → result summary) and a Blocked badge.

Verification (dev server)

defederation.test.ts4 tests: defederate blocks/disables + revokes editors (1) + quarantines the conflict (1, leaving the applied create); entries kept by default; purge_entries soft-deletes them; and a blocked instance's signed inbox POST → 403 before signature checks.

Migration 042 applies cleanly; full API suite 207 passed (was 203); app build green.

🤖 Generated with Claude Code

Closes #61. The safety counterpart to the v7 write path — an admin-only way to sever a malicious or compromised instance. ## What it does - **Migration `042`** — `federated_instances.blocked`. The inbox **hard-rejects** all inbound activity from a blocked instance (`403`) *before* signature verification (distinct from `enabled`, which only gates outbound discovery). Block is keyed on the signer's instance origin parsed from the signature `keyId`. - **`POST /api/federation/instances/:id/defederate`** (admin) — blocks + disables the instance, then in one sweep: - revokes its remote editors (`project_collaborators` whose `remote_actor_url` is on that host), - rejects its pending/conflict `remote_contributions`, - with `{ purge_entries: true }`, soft-deletes the entries its actors authored (found via the `create` contributions), - audits the action with the counts. - **Federation admin UI** — a red **Defederate** action (confirm → optional purge confirm → result summary) and a **Blocked** badge. ## Verification (dev server) `defederation.test.ts` — **4 tests**: defederate blocks/disables + revokes editors (1) + quarantines the conflict (1, leaving the applied create); entries kept by default; `purge_entries` soft-deletes them; and a blocked instance's signed inbox POST → `403` before signature checks. Migration `042` applies cleanly; full API suite **207 passed** (was 203); app build green. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
feat(p61): admin defederation kill-switch (#61)
Some checks failed
CI / API — typecheck & tests (push) Failing after 1m15s
CI / App — typecheck, test & build (push) Successful in 1m21s
CI / API — typecheck & tests (pull_request) Failing after 1m27s
CI / App — typecheck, test & build (pull_request) Successful in 1m42s
7c02490130
Sever a malicious/compromised federated instance, admin only.

- Migration 042: federated_instances.blocked. The inbox hard-rejects all
  inbound activity from a blocked instance (403) before signature work —
  distinct from `enabled`, which only gates discovery.
- POST /api/federation/instances/:id/defederate: blocks + disables the
  instance, revokes its remote editors (project_collaborators), rejects its
  pending/conflict remote_contributions, and (with purge_entries) soft-deletes
  the entries its actors authored. Audited.
- Federation admin UI: Defederate action (with optional purge), Blocked badge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
claude-bot scheduled this pull request to auto merge when all checks succeed 2026-06-30 02:16:48 +00:00
fix(p61): coerce req.params.id to string for logAudit (tsc)
All checks were successful
CI / App — typecheck, test & build (push) Successful in 1m56s
CI / App — typecheck, test & build (pull_request) Successful in 1m50s
CI / API — typecheck & tests (pull_request) Successful in 3m3s
CI / API — typecheck & tests (push) Successful in 3m5s
4197bbee04
claude-bot deleted branch feat/v7-defederation 2026-06-30 02:25:10 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rbrooks/TeaLeaves!68
No description provided.