v0.47.0: tenant isolation across the evidence path

[vaaraio]

v0.47.0: tenant isolation across the evidence path

Closes the tenant-isolation findings from the v0.46.0 audit. Two of the three
were verified by reproduction against live code before fixing; the third (the
registry "lag") was a stale read and is not a code issue.

What was real, and how it is closed

Cross-tenant audit-chain read (was HIGH). GET /v1/audit/actions/{id}/chain
read the in-memory action map with no tenant check, so any caller who knew an
action_id could read another tenant's full chain. Reproduced: a tenant-B
caller read tenant-A's tool parameters. Now served through a tenant-scoped read
gated on X-Vaara-Tenant; unknown and cross-tenant actions both return 404 with
an identical body, so the response is not an existence oracle.

SSE broadcast leak (was MEDIUM). Upstream-pushed notifications on a shared
upstream fanned out to every tenant. Now scoped to the originating tenant;
unattributable log notifications broadcast only within a single scope.

Tenant identity outside the hash chain (was MEDIUM). Reproduced: mutating a
record's tenant_id from A to B left verify_chain() green. Now AuditRecord
carries a chain_version; v2 records fold tenant_id (and the version itself,
to block a downgrade) into the hash, so re-attribution breaks the chain. After
the fix the same mutation is detected.

Backward compatibility

Pre-v0.47 records carry chain_version 1 and hash exactly as before, so existing
trails and signed exports re-verify byte for byte. A fixed-digest test guards the
v1 hash against drift. SQLite gains a chain_version column (schema v4) with a
migration defaulting legacy rows to 1; a migration test proves a legacy record
with a populated tenant_id column still verifies under v1 rules. The standalone
verifier mirrors the v1/v2 rule.

Verification

1087 passed / 12 skipped, ruff clean. New tests cover v1/v2 hash behavior, the
fixed v1 digest, live re-attribution detection, SQLite round-trip, signed-export
round-trip through the standalone verifier, and the v3 to v4 migration.

Summary by CodeRabbit

• Security Enhancements

  • Audit records now bind tenant identity in the tamper-evident hash chain
  • Audit chain read endpoint enforces tenant-scoped access control
  • Server-sent event notifications are now restricted to tenant boundaries

• Chores

  • Version updated to 0.47.0
  • Audit database schema upgraded to v4

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR hardens multi-tenant security by versioning the audit hash-chain, binding tenant identity into tamper-evident hashes for new records, scoping HTTP audit-chain reads by tenant, filtering SSE broadcasts per tenant, and migrating the SQLite schema from v3 to v4.

Changes

Multi-Tenant Audit Hardening

Layer / File(s)	Summary
Release version and changelog CHANGELOG.md, clients/ts/package.json, pyproject.toml, server-vaara-server.json, server.json, src/vaara/__init__.py	All distribution manifests and modules updated to version 0.47.0, and changelog documents the tenant-binding and tenant-scoping changes.
Audit record versioning foundation src/vaara/audit/trail.py	Introduced _CURRENT_CHAIN_VERSION = 2 and AuditRecord.chain_version: int field (default 1). AuditRecord.compute_hash() now conditionally includes tenant_id and chain_version in the hashed content when chain_version >= 2. AuditTrail._append() stamps newly written records with the current chain version.
SQLite schema upgrade and persistence src/vaara/audit/sqlite_backend.py	Schema bumped from v3 to v4 with new chain_version column. Migration v3→v4 adds the column with default value 1. write_record persists chain_version and selects tenant identity based on record version (per-record tenant for v2+, fallback for legacy). _row_to_record defensively decodes chain_version (defaulting to 1 for backward compatibility).
Hash-chain verification for versioned records src/vaara/audit/verify.py	Export chain verification updated to handle v2 records: when chain_version >= 2, tenant_id and chain_version are included in the canonical hash recomputation.
Tenant-scoped audit chain read src/vaara/audit/trail.py, src/vaara/server/routes.py	New AuditTrail.get_action_chain_scoped(action_id, tenant_id="") filters records by tenant and returns (position, record) pairs, hiding cross-tenant actions. HTTP /v1/audit/actions/{action_id}/chain handler now accepts optional X-Vaara-Tenant header and uses get_action_chain_scoped to return tenant-filtered events (or 404 if unknown/cross-tenant).
Notification router tenant-scoped delivery src/vaara/integrations/_mcp_notify.py, src/vaara/integrations/mcp_proxy.py	NotificationRouter, StdioRouter, and HttpRouter.deliver() now accept optional tenant parameter. HttpRouter filters attributed broadcasts to sessions matching the tenant and suppresses unattributed broadcasts when candidates span multiple tenant scopes. VaaraMCPProxy._on_upstream_notification captures and forwards tenant from progress-token context to enable tenant-scoped routing.
Tests: Audit hash-chain tenant binding tests/test_v040_tenant.py	Comprehensive test suite covering: v1 hash excludes tenant (legacy compatibility), v2 hash binds and differs by tenant, v1 byte-stability against fixed SHA-256, trail stamping detects tenant reattribution, v2 records survive SQLite roundtrip, and signed exports with v2 chains verify correctly.
Tests: Tenant-scoped reads, notifications, and migrations tests/test_integrations_mcp_proxy.py, tests/test_mcp_notify.py, tests/test_server.py, tests/test_sqlite_backend.py	Integration tests for: HTTP audit-chain endpoint tenant-scoping (cross-tenant callers receive 404), HttpRouter attributed/unattributed broadcast suppression and fan-out, schema v3→v4 migration with preserved hashes, and proxy test compatibility with updated router signatures.

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• vaaraio/vaara#75: Added the /v1/audit/actions/{action_id}/chain HTTP endpoint that this PR now makes tenant-scoped.
• vaaraio/vaara#177: Prior tenant-scoping work in AuditTrail that this PR extends with chain-version binding and tenant-scoped chain reads.
• vaaraio/vaara#165: Introduced SSE/session routing and fan-out logic that this PR extends with tenant-scoped delivery and broadcast suppression.

Poem

🐰 Chain links now bind the tenant tight,
Each version guards the audit's right,
Cross-tenant peeks return just four-oh-four,
Broadcasts scoped to tenantsores,
Security whispers through the core! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'v0.47.0: tenant isolation across the evidence path' directly and concisely summarizes the main security improvements in this release, matching the core changes described in the raw summary and PR objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/tenant-read-sse-isolation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

tests/test_sqlite_backend.py (1)

296-300: 💤 Low value

Optional: use a with block for the backend.

CodeQL flags the manual try/finally close. Since SQLiteAuditBackend is a context manager and the rest of this file already uses with, this aligns for consistency. The in-memory reloaded trail remains usable after the block.

♻️ Proposed refactor

-        backend = SQLiteAuditBackend(db_path)  # migrates 3 -> 4
-        try:
-            reloaded = backend.load_trail(strict=True)  # raises if chain broke
-        finally:
-            backend.close()
+        with SQLiteAuditBackend(db_path) as backend:  # migrates 3 -> 4
+            reloaded = backend.load_trail(strict=True)  # raises if chain broke
         self._assert_current(db_path)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_sqlite_backend.py` around lines 296 - 300, Replace the manual
try/finally close with a context manager: use a with block when instantiating
SQLiteAuditBackend so that backend.close() is called automatically; call
backend.load_trail(strict=True) inside the with and assign the returned reloaded
trail to a variable (it remains usable after the with). Update the code around
SQLiteAuditBackend and load_trail to follow the pattern used elsewhere in the
file.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/test_sqlite_backend.py`:
- Around line 296-300: Replace the manual try/finally close with a context
manager: use a with block when instantiating SQLiteAuditBackend so that
backend.close() is called automatically; call backend.load_trail(strict=True)
inside the with and assign the returned reloaded trail to a variable (it remains
usable after the with). Update the code around SQLiteAuditBackend and load_trail
to follow the pattern used elsewhere in the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7a8649c1-2fc9-4b77-8151-d02d5fa6c0be

📥 Commits

Reviewing files that changed from the base of the PR and between e2dfb10 and d09e3ca.

📒 Files selected for processing (17)

• CHANGELOG.md
• clients/ts/package.json
• pyproject.toml
• server-vaara-server.json
• server.json
• src/vaara/__init__.py
• src/vaara/audit/sqlite_backend.py
• src/vaara/audit/trail.py
• src/vaara/audit/verify.py
• src/vaara/integrations/_mcp_notify.py
• src/vaara/integrations/mcp_proxy.py
• src/vaara/server/routes.py
• tests/test_integrations_mcp_proxy.py
• tests/test_mcp_notify.py
• tests/test_server.py
• tests/test_sqlite_backend.py
• tests/test_v040_tenant.py