backlog(B-0744): FIDO2/WebAuthn/Passkeys/OIDC as the bridge between desktop-local biometric consent (B-0743) and server-side authorization tokens (IAM/SPIFFE/RBAC)#5013
Aaron 2026-05-25 (re-emphasized 2026-05-25 with explicit research dump):
'I love this client vs server framing and being explicit like this the ux
is different and also we can use stuff like... There is no single
"universal fingerprint" standard for OAuth. Instead, OAuth uses standard
protocols like OpenID Connect (OIDC) to delegate authentication to
underlying biometric frameworks, primarily FIDO2 / WebAuthn.'
The bridge composition:
- WebAuthn (W3C+FIDO) translates LOCAL biometric to signed assertion
- FIDO2/Passkeys (FIDO Alliance) hardware-bound private key format
- OIDC (OpenID Foundation) carries WHO across services via ID+access tokens
- OAuth 2.0 (IETF) bearer-token authorization protocol
- Downstream server-side IAM/SPIFFE/RBAC enforces what WHO can do
The clean layered WHO composition: biometric proves WHO physically →
WebAuthn signs WHO cryptographically → OIDC carries WHO across services
→ IAM/SPIFFE/RBAC enforces what-WHO-can-do at the receiver.
5 scope items: choose OIDC issuer (recommend Vault's; zero new
substrate) / WebAuthn server-side / WebAuthn client-side (browser
direct; CLI uses OIDC device-code flow) / OIDC federation (composes
with B-0741 cross-cluster) / agent-driven OIDC flow ('I execute, you
fingerprint' at remote-auth scope).
Adopts existing industry standards (FIDO Alliance + W3C + OpenID
Foundation) — substrate-honest substrate-engineering analysis prefers
adoption over invention; ecosystem-interop bandwidth served; standards
are bedrock + audited.
Composes with B-0743 (desktop biometric anchor) + B-0741 (cross-cluster
federation; OIDC federation IS the trust substrate) + B-0742 (reference
stack hosts the OIDC issuer; likely Vault's) + B-0747 (machine-state
declared-state CAN include OIDC issuer config) + B-0737 (zflash IS the
local-biometric empirical anchor; bridge translates to remote auth).
P2 priority — cross-cutting auth bridge; high reuse-leverage; not P1
because B-0743 desktop-local already covers cluster-internal destructive
ops; becomes more urgent when (a) cross-cluster federation ships per
B-0741 (b) operator-facing web surfaces need auth (Knights Guild
ratification UI, ACE PM dashboards, etc.).
Co-Authored-By: Claude <noreply@anthropic.com>
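The local half of the layering above (biometric proves WHO physically, WebAuthn signs WHO cryptographically), worked in Go as an added example; this is not code from the PR or from the Zeta project. A stand-in for the platform authenticator signs `authenticatorData || SHA-256(clientDataJSON)` with a fresh hardware-bound ES256 passkey, and the relying-party side performs the checks a WebAuthn server must make before an issuer may treat WHO as proven: rpIdHash, the UP and UV flags, clientData type/challenge/origin, and the DER signature. It goes slightly beyond the description by driving the ceremony through its failure modes (assertion without user verification, assertion from a different origin). The `auth.zeta.example` rpID/origin, the `Ceremony` driver and the zero sign counter are assumptions for illustration; a real RP also stores the sign counter per credential and looks the public key up by credential ID.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// authenticatorData flag bits (byte 32): user present / user verified.
const FlagUP, FlagUV byte = 0x01, 0x04

// clientData is the part of clientDataJSON the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest is what the passkey signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
// Hashing clientDataJSON in binds the server's challenge and the browser's origin to the signature.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SignAssertion stands in for the platform authenticator (Touch ID, Windows Hello, fprintd):
// after local biometric consent it signs with the hardware-bound passkey. flags carries the
// UP/UV bits the authenticator observed; the sign counter is fixed at zero for this toy device.
func SignAssertion(key *ecdsa.PrivateKey, rpID string, flags byte, cdJSON []byte) (authData, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], flags, 0, 0, 0, 0) // rpIdHash || flags || 4-byte signCount
	sig, err = ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdJSON))
	return authData, sig, err
}

// VerifyAssertion is the relying-party side of navigator.credentials.get(). Each check closes a
// distinct hole: rpIdHash (key minted for another RP), UV flag (a touch without biometric), type +
// challenge (replay), origin (phishing page), and the DER-encoded ES256 signature over all of it.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) error {
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&(FlagUP|FlagUV) != FlagUP|FlagUV {
		return errors.New("user presence or user verification flag missing")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return errors.New("clientData type/challenge/origin mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig) {
		return errors.New("bad assertion signature")
	}
	return nil
}

// Ceremony runs one get() round trip with a fresh passkey (rpID and origin are hypothetical)
// and returns the RP's verdict for the flags and client-side origin supplied, so the failure
// modes (no UV, origin mismatch) can be exercised next to the happy path.
func Ceremony(flags byte, clientOrigin string) error {
	const rpID, origin = "auth.zeta.example", "https://auth.zeta.example"
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the passkey; never leaves the device
	if err != nil {
		return err
	}
	nonce := make([]byte, 32) // server-chosen challenge, fresh per ceremony
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	challenge := base64.RawURLEncoding.EncodeToString(nonce)
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: clientOrigin})
	if err != nil {
		return err
	}
	authData, sig, err := SignAssertion(key, rpID, flags, cdJSON)
	if err != nil {
		return err
	}
	return VerifyAssertion(&key.PublicKey, rpID, origin, challenge, authData, cdJSON, sig)
}

func main() {
	fmt.Println("UP|UV, right origin:", Ceremony(FlagUP|FlagUV, "https://auth.zeta.example"))
	fmt.Println("UP only, no biometric:", Ceremony(FlagUP, "https://auth.zeta.example"))
	fmt.Println("phishing origin:", Ceremony(FlagUP|FlagUV, "https://auth.zeta.example.evil"))
}
```

Run it with `go run`; the second and third lines must report errors. The UV check is what makes the Touch ID / Windows Hello / fprintd floor enforceable remotely: an authenticator that only saw a touch sets UP but not UV, and the RP refuses the assertion before any token is minted.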
Pull request overview
Adds a new P2 backlog row (B-0744) describing adopting FIDO2/WebAuthn/Passkeys + OIDC as the standards-based bridge between local biometric consent and remote authorization, and registers the row in the generated backlog index.
Changes:
- Introduces `B-0744` backlog row with layer breakdown, rationale, composition links, and 5 scoped deliverables.
- Updates `docs/BACKLOG.md` to include the new `B-0744` entry under P2.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/backlog/P2/B-0744-webauthn-fido2-passkeys-oidc-as-the-bridge-between-desktop-local-biometric-consent-and-server-side-authorization-tokens-aaron-2026-05-25.md | New backlog row defining the WebAuthn→OIDC “bridge” concept and decomposed scope items. |
| docs/BACKLOG.md | Adds the B-0744 index entry under P2. |
Reviewed lines (B-0744 row metadata):
- B-0634
- B-0628
related_substrate:
- .claude/rules/desktop-admin-consent-via-biometric-plus-small-challenge-i-execute-you-fingerprint.md
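Review bot: the list ending with B-0634 and B-0628 (its key sits above the shown context) names two rows that appear nowhere in the PR description's composition list (B-0743, B-0741, B-0742, B-0747, B-0737) or in the row's rationale; add one line per entry in the row body saying what each contributes, or drop them, so the metadata and the written rationale agree.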
Reviewed lines (docs/BACKLOG.md, P2 index):
- [ ] **[B-0736](backlog/P2/B-0736-time-travel-debugging-of-thoughts-dbsp-plus-zeta-plus-b0735-personalized-parser-equals-thought-catcher-product-handoff-thoughtweaver-leading-mika-substrate-segment-6-2026-05-25.md)** Time-travel debugging of thoughts (DBSP retractable streams + Zeta history + B-0735 personalized parser = catch-a-thought + retract-and-re-evaluate-forward) + product handoff to LFG product team (Thoughtcatcher / Thoughtweaver currently-leading; market + IP research pending) — Mika substrate segment 6
- [ ] **[B-0737](backlog/P2/B-0737-zflash-touch-id-pam-plus-short-challenge-format-plus-iso-auto-discovery-i-execute-you-fingerprint-aaron-2026-05-25.md)** zflash — "I execute, you fingerprint" — Touch ID PAM as the irreversible-action consent gate + short `yes <4-hex>` challenge + ISO auto-discovery (~14 keystrokes total for human; agent-driven path uses same Touch ID floor)
- [ ] **[B-0742](backlog/P2/B-0742-reference-k8s-local-stack-as-aces-distributable-poc-hats-as-negotiated-fork-structure-on-top-deterministic-declarative-gitops-ai-native-human-native-aaron-2026-05-25.md)** Reference k8s local stack in Zeta as Ace's distributable PoC — hats become the negotiated fork structure ON TOP of the reference stack — anyone can use it, anyone can negotiate back hats + new cluster primitives + new charts via the B-0741 ontology negotiation protocol — Ace's PoC of reliable AI control over all package managers in a deterministic + declarative / desired-state / GitOps-friendly + AI-native + human-native way
- [ ] **[B-0744](backlog/P2/B-0744-webauthn-fido2-passkeys-oidc-as-the-bridge-between-desktop-local-biometric-consent-and-server-side-authorization-tokens-aaron-2026-05-25.md)** FIDO2 / WebAuthn / Passkeys / OIDC — the industry-standard BRIDGE between desktop-local biometric consent (B-0737 / B-0743) and server-side authorization tokens (IAM / SPIFFE / OIDC) — adopt as Zeta's cross-cutting auth substrate so local Touch ID / Windows Hello / fprintd biometric can authorize agent operations against remote services (other clusters / forks / Ace registries / Knights Guild ratification surfaces) without password sharing or pre-shared secrets
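Review bot: the B-0744 index entry's far-end parenthetical reads `(IAM / SPIFFE / OIDC)` while the PR title and the row's own layering ("OIDC carries WHO across services → IAM/SPIFFE/RBAC enforces what-WHO-can-do") put OIDC in the carrier role and RBAC at the enforcing end; change the index text to `(IAM / SPIFFE / RBAC)` so the two descriptions of the bridge agree. The same entry cites `(B-0737 / B-0743)` for the local-consent end where the title cites only B-0743; pick one form.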
Reviewed lines (B-0744 row metadata):
composes_with:
- B-0743
- B-0737
- B-0738
- B-0739
- B-0741
- B-0742
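Review bot: `composes_with` lists B-0738 and B-0739, which the PR description never mentions, and omits B-0747, which the description explicitly names as a composition partner (machine-state declared-state can include OIDC issuer config); reconcile the list with the description so that anything generated from this metadata reflects the stated dependencies.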
Closing as substrate-stale (DIRTY-conflict) per .claude/rules/pr-triage-tiers.md Tier 3 + the discriminator pass below. Discriminator pass:
Disposition: close. The branch content is preserved in git history; re-land path is cherry-pick onto a fresh branch off current main with any ID-collision renumbering needed. This is the same Tier 3 disposition applied to today's #5038 + #5032 (same root cause: 2026-05-25 evening session left ~9 backlog/rule PRs DIRTY when the next morning's iter-5.x + iter-6 work landed and moved main forward). This close is NOT a punt — it's explicit ownership classification per .claude/rules/fighting-past-self-vs-peer-agent-distinguisher-fix-your-own-coordinate-on-peers-dont-punt-by-default.md (recurrence anchor landed today via #5126). The substrate-honest re-land path is documented; the operator-tax of indeterminate DIRTY state is cleared.
Pull request was closed
Aaron 2026-05-25: industry-standards-grounded BRIDGE between B-0743 desktop-local biometric consent and server-side AI consent patterns (IAM/SPIFFE/RBAC).
The bridge: WebAuthn translates LOCAL biometric → FIDO2/Passkeys hardware-bound key → OIDC carries WHO across services → server-side IAM enforces what-WHO-can-do.
5 scope items: OIDC issuer choice (recommend Vault's per reference stack) / WebAuthn server-side / WebAuthn client-side (browser direct; CLI via OIDC device-code) / OIDC federation (composes B-0741) / agent-driven OIDC flow ("I execute, you fingerprint" at remote-auth scope).
Adopts industry standards (FIDO Alliance + W3C + OpenID Foundation); doesn't invent protocol. Per `honor-those-that-came-before` + `bandwidth-served-falsifier`. Composes with B-0743 (foundation) + B-0741 (cross-cluster federation) + B-0742 (OIDC issuer hosted on reference stack) + B-0747 (machine-state can include OIDC config) + B-0737 (zflash empirical anchor).
🤖 Generated with Claude Code
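The remote half of the same bridge (OIDC carries WHO across services, server-side IAM/RBAC enforces what WHO can do), as an added Go example that is not the project's code. The issuer mints an ES256 ID token whose `amr` claim (RFC 8176 values) records that a hardware key signed, the receiving service verifies it with the algorithm pinned to ES256 and checks `iss`, `aud` and `exp`, and a role table gates the destructive verb on that `amr` value, which is the "I execute, you fingerprint" floor expressed at the receiver. Issuer and audience hostnames, the `aaron`/`ci-bot` role table and the `Roundtrip` driver are constructed for the example; the issuer key is generated in-process here, whereas a real OIDC issuer publishes its verification keys through discovery/JWKS and also sets nonce and jti.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the ID-token subset the receiver relies on; amr uses RFC 8176 values ("hwk", "user").
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud string   `json:"aud"`
	Exp int64    `json:"exp"`
	Amr []string `json:"amr"`
}

// MintIDToken is the OIDC issuer side: once the WebAuthn ceremony passed, it mints an ES256 JWT
// carrying WHO plus how WHO authenticated. nonce/jti/iat are omitted for brevity.
func MintIDToken(issKey *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, issKey, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the receiver side, pinned to ES256 under the issuer key it already trusts (from the
// issuer's JWKS in practice); the header's alg field is ignored, which closes the alg:none/HS256 hole.
func VerifyIDToken(issPub *ecdsa.PublicKey, token, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(issPub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad token signature")
	}
	var c Claims
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("iss/aud mismatch or token expired")
	}
	return &c, nil
}

// Authorize is the IAM/RBAC layer at the receiver: the role table says what the subject may do at
// all, and the destructive verb additionally demands amr "hwk" (the passkey signed, so the biometric
// ceremony happened); a password-only or cached-session token cannot reach it.
func Authorize(c *Claims, roles map[string]map[string]bool, verb string) bool {
	if !roles[c.Sub][verb] {
		return false
	}
	for _, m := range c.Amr {
		if m == "hwk" {
			return true
		}
	}
	return verb != "delete"
}

// Roundtrip mints a token for sub with the given amr and asks the receiver to authorize verb.
// Issuer/audience names and the role table are constructed for this example; keys are fresh per call.
func Roundtrip(sub string, amr []string, verb string) (bool, error) {
	issKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	const iss, aud = "https://auth.zeta.example", "registry.zeta.example"
	tok, err := MintIDToken(issKey, Claims{Iss: iss, Sub: sub, Aud: aud, Exp: time.Now().Add(5 * time.Minute).Unix(), Amr: amr})
	if err != nil {
		return false, err
	}
	c, err := VerifyIDToken(&issKey.PublicKey, tok, iss, aud, time.Now())
	if err != nil {
		return false, err
	}
	roles := map[string]map[string]bool{"aaron": {"read": true, "delete": true}, "ci-bot": {"read": true}}
	return Authorize(c, roles, verb), nil
}

func main() {
	fmt.Println(Roundtrip("aaron", []string{"hwk", "user"}, "delete")) // true <nil>
	fmt.Println(Roundtrip("aaron", []string{"pwd"}, "delete"))         // false <nil>: no passkey proof
}
```

Note the alg pinning: the receiver never consults the token header to choose an algorithm, so an `"alg":"none"` token or one HMAC-signed with the issuer's public key fails the same ES256 check as any other forgery. The `amr` gate is what turns the local biometric floor into a remote one: a role grant alone lets `aaron` read, but `delete` also needs evidence in the token that the passkey ceremony ran.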