Phase 3 of diagram sharing (design: docs/design/diagram-sharing.md).
Problem
Change events still broadcast to all authenticated subscribers. A grantee can read a shared resource via CRUD, but any authenticated user still receives its live-update events — the pre-existing all-subscribers-see-all-events behavior. Under the "mutually untrusting tenants" threat model this is a confidentiality leak.
Scope
Route change events to recipient-scoped topics (e.g. $DB/u/{recipient}/events/...) derived from the resource owner + its _shares recipients.
Enforce with %u topic-ACL substitution (already supported in mqtt-lib) so a subscriber only receives events for resources it can see.
mqtt-lib broker fan-out is off-limits; confidentiality must come from topic scoping + ACL, not from filtering at fan-out.
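The routing and ACL scheme described in the scope above, as an added example that is not the project's own code: the topic layout $DB/u/{recipient}/events/... and the %u placeholder come from this issue, while the resource model, the "#"/"+" wildcard matcher, the subscribe-ACL pattern and the simulated fan-out are assumptions made for illustration. It shows why confidentiality holds without any filtering at fan-out: every event copy lands on a recipient-scoped topic, and %u substitution means a subscriber's ACL can only ever match its own branch.

```python
# Added example (not project code). Only "$DB/u/{recipient}/events/..." and "%u"
# are taken from the issue; the rest is a hypothetical model of the design.
from dataclasses import dataclass, field

DB = "$DB"  # hypothetical prefix standing in for the real $DB namespace
TOPIC_SPECIALS = set("/+#")  # characters that must never appear in a username


@dataclass
class Resource:
    resource_id: str
    owner: str
    shares: set = field(default_factory=set)  # recipients taken from _shares

    def recipients(self):
        """Every principal allowed to see this resource: the owner plus its grantees."""
        return {self.owner} | set(self.shares)


def event_topics(resource, event_kind):
    """Derive one recipient-scoped topic per principal that may see the resource."""
    return {
        f"{DB}/u/{r}/events/{resource.resource_id}/{event_kind}"
        for r in resource.recipients()
    }


# Subscribe ACL as the broker would hold it; %u is replaced by the subscriber's
# own username, so no subscriber can name another recipient's branch.
SUBSCRIBE_ACL = [f"{DB}/u/%u/events/#"]


def topic_matches(pattern, topic):
    """Minimal MQTT topic-filter match: '#' matches the rest, '+' one level."""
    p_levels = pattern.split("/")
    t_levels = topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True
        if i >= len(t_levels):
            return False
        if p != "+" and p != t_levels[i]:
            return False
    return len(p_levels) == len(t_levels)


def acl_allows(username, topic, acl=SUBSCRIBE_ACL):
    """True if the %u-substituted ACL permits this subscriber to receive the topic.

    Usernames containing topic metacharacters are rejected: substituting
    "alice/#" for %u would widen the pattern instead of narrowing it.
    """
    if TOPIC_SPECIALS & set(username):
        raise ValueError(f"username contains topic metacharacters: {username!r}")
    return any(topic_matches(p.replace("%u", username), topic) for p in acl)


def deliver(resource, event_kind, subscribers):
    """Simulate fan-out: every subscriber sees only the topics its ACL permits."""
    topics = event_topics(resource, event_kind)
    return {
        user: sorted(t for t in topics if acl_allows(user, t))
        for user in subscribers
    }


if __name__ == "__main__":
    # Constructed sample: alice owns diagram d1 and shares it with bob; mallory
    # is authenticated but has no grant and receives nothing.
    d1 = Resource("d1", owner="alice", shares={"bob"})
    for user, seen in deliver(d1, "updated", ["alice", "bob", "mallory"]).items():
        print(user, seen)
```

The check in acl_allows is the one caveat worth carrying into the real implementation: %u substitution is only a confidentiality boundary if usernames are constrained to a character set that cannot contain "/", "+" or "#".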
References
docs/design/diagram-sharing.md (event confidentiality)
specs/DiagramSharing.tla (InvEventConfidentiality holds for the design); specs/DiagramSharingCurrent.tla (current behavior violates it)