feat: harden OAuth state secret validation, DCR file permissions, and policy defaults

- Enforce 32-char minimum on OAUTH_STATE_SECRET at startup (config.py) - Write DCR client registry with owner-only (0o600) permissions before atomic replace - Flip policy.yaml default write action from allow → deny - Add CLAUDE.md with architecture, commands, and AGENTS.md contract summary - Add .pre-commit-config.yaml mirroring `make lint` checks - Update .gitignore: add .venv, .claude, .mypy_cache, .ruff_cache, .coverage.* - Extend docs: audit log rotation guidance, OAUTH_STATE_SECRET and DCR_STORAGE_PATH notes - Tests: short-secret rejection, 32-char acceptance, POSIX permission check for DCR store Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-14 14:13:22 +02:00
parent b275f5c0c2
commit b8217dce8a
11 changed files with 269 additions and 4 deletions
@@ -31,3 +31,23 @@ Exit code `0` indicates valid chain, non-zero indicates tamper/corruption.
 - Persist audit logs to durable storage.
 - Protect write permissions (service account only).
 - Validate integrity during incident response and release checks.
+
+## Rotation
+
+The server appends to a single audit file and does not rotate it in process — rotating
+mid-stream would break the `prev_hash`/`entry_hash` chain. Manage growth externally with
+`logrotate` using `copytruncate` so the open file handle keeps appending:
+
+```
+/var/log/aegis-mcp/audit.log {
+    weekly
+    rotate 12
+    compress
+    missingok
+    notifempty
+    copytruncate
+}
+```
+
+Run `scripts/validate_audit_log.py` against each rotated segment to confirm the chain
+remains intact across rotations before archiving.