Advisory-mode mTLS wiring on agent-mesh write routes
2026-05-07
What We Built
requireMtlsForRoute (added in PR #197) was exported but never imported by the mesh-write routes. It is now wired on delegate, sub-agents DELETE, trajectories write and task-runs write, in advisory mode by default: a request that is not mTLS-authenticated produces a structured warning in the log but is allowed through. A new config flag, gateway.tls.mtls.meshWritesEnforcement, flips these routes to strict.
Why It Matters
PR #197 deliberately set clientCertRequired=false for backward compatibility. Strict-mode wiring would 403 every existing JWT-only caller. Advisory mode preserves backward compat while surfacing the gap in logs.
How It Works
requireMtlsForRoute now takes a mode argument that defaults to 'advisory'. In advisory mode a request without mTLS is logged as a warning and allowed; in strict mode it gets a 403. Three regression tests cover this: advisory + JWT → 200 with warning, strict + JWT → 403, mTLS → 200 silent.
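The advisory/strict gate described above, as an added JavaScript sketch that is not the project's own code. Only requireMtlsForRoute and its two modes come from this note; the Sketch suffix, helper names, log fields, the /delegate path and the use of Node's socket.authorized as the mTLS signal are assumptions.

```javascript
// Added sketch, not the project's code. Every name except the two modes
// ('advisory', 'strict') is hypothetical.

// Assumption: TLS terminates in this process, so Node's TLSSocket#authorized
// reports whether the client certificate chained to a trusted CA.
function isMtlsAuthenticated(req) {
  return Boolean(req.socket && req.socket.authorized === true);
}

function requireMtlsForRouteSketch(mode = 'advisory', log = console) {
  // Sketch's choice: reject an unrecognised mode at wiring time so a typo in
  // the config value cannot silently behave like advisory.
  if (mode !== 'advisory' && mode !== 'strict') {
    throw new Error(`unknown mTLS enforcement mode: ${mode}`);
  }
  return function mtlsGate(req, res, next) {
    if (isMtlsAuthenticated(req)) return next(); // mTLS caller: no log line
    const action = mode === 'strict' ? 'deny' : 'allow';
    // Structured warning; logging the strict-mode deny is the sketch's choice.
    log.warn({ event: 'mesh_write_without_mtls', mode, action,
               method: req.method, route: req.path });
    if (mode === 'strict') {
      res.statusCode = 403;
      return res.end(JSON.stringify({ error: 'mtls_required' }));
    }
    return next();
  };
}

// Constructed request/response doubles for the three cases listed above.
function runCase(mode, authorized) {
  const warnings = [];
  const req = { method: 'POST', path: '/delegate', socket: { authorized } };
  const res = { statusCode: 200, end() {} };
  let reachedHandler = false;
  const gate = requireMtlsForRouteSketch(mode, { warn: (e) => warnings.push(e) });
  gate(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, warnings };
}
```

If TLS is terminated upstream of the process, the mTLS signal has to come from whatever the terminating hop forwards, and only that check changes.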
Lockstep Checklist
- [x] No API route changes (middleware/internal — lockstep N/A)
- [x] No SDK changes
- [x] No MCP tool changes
- [x] Regression test included (test-first invariant per /quality-fleet protocol)
- [x] Linked to /quality-fleet R1 dashboard at .quality/dashboard.md
Provenance
Auto-found by /quality-fleet R1 (2026-05-07) scanner round, fixed in fix-agent batch under "go for all of it" autonomy grant. PR #206 merged to main as commit ab05c733c. Finding(s) tracked at .quality/findings.jsonl (entries: "3d8e1f5b9c24"). Production-deployed via ECS task-def revision 732 series.