Skip to content

fix(security): change pairing lockout to per-client accounting#679

Closed
agorevski wants to merge 1 commit intozeroclaw-labs:mainfrom
agorevski:fix/603-per-client-pairing-lockout
Closed

fix(security): change pairing lockout to per-client accounting#679
agorevski wants to merge 1 commit intozeroclaw-labs:mainfrom
agorevski:fix/603-per-client-pairing-lockout

Conversation

@agorevski
Copy link
Copy Markdown
Collaborator

@agorevski agorevski commented Feb 17, 2026

Replace global failed-attempt counter with per-client tracking keyed by client identity. This prevents one attacker from locking out all legitimate clients via brute-force pairing attempts.

  • Replace global (u32, Option) with HashMap<String, (u32, Option)>
  • Add MAX_LOCKOUT_CLIENTS (1000) cardinality bound with expiry-based eviction
  • Update try_pair signature to accept client_id parameter
  • Update all call sites (gateway, telegram channel)
  • Add lockout_is_per_client_not_global regression test

Resolves #603

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Feb 17, 2026
edited
Loading

PR intake checks found warnings (non-blocking)

Fast safe checks found advisory issues. CI lint/test/build gates still enforce merge quality.

  • Missing required PR template sections: ## Summary, ## Validation Evidence (required), ## Security Impact (required), ## Privacy and Data Hygiene (required), ## Rollback Plan (required)
  • Incomplete required PR template fields: summary problem, summary why it matters, summary what changed, validation commands, security risk/mitigation, privacy status, rollback plan

Action items:

  1. Complete required PR template sections/fields.
  2. Remove tabs, trailing whitespace, and merge conflict markers from added lines.
  3. Re-run local checks before pushing:
    • ./scripts/ci/rust_quality_gate.sh
    • ./scripts/ci/rust_strict_delta_gate.sh
    • ./scripts/ci/docs_quality_gate.sh

Run logs: https://github.com/zeroclaw-labs/zeroclaw/actions/runs/22187985872

Detected blocking line issues (sample):

  • none

Detected advisory line issues (sample):

  • none

@github-actions github-actions Bot added channel Auto scope: src/channels/** changed. gateway Auto scope: src/gateway/** changed. security Auto scope: src/security/** changed. size: S Auto size: 81-250 non-doc changed lines. risk: high Auto risk: security/runtime/gateway/tools/workflows. experienced contributor Contributor with 10+ merged PRs. gateway: core Auto module: gateway core files changed. channel: telegram Auto module: channel/telegram changed. security: pairing Auto module: security/pairing changed. and removed channel Auto scope: src/channels/** changed. gateway Auto scope: src/gateway/** changed. security Auto scope: src/security/** changed. labels Feb 17, 2026
@agorevski
fix(security): change pairing lockout to per-client accounting
718d63b 
Replace global failed-attempt counter with per-client tracking keyed
by client identity. This prevents one attacker from locking out all
legitimate clients via brute-force pairing attempts.

- Replace global (u32, Option<Instant>) with HashMap<String, (u32, Option<Instant>)>
- Add MAX_LOCKOUT_CLIENTS (1000) cardinality bound with expiry-based eviction
- Update try_pair signature to accept client_id parameter
- Update all call sites (gateway, telegram channel)
- Add lockout_is_per_client_not_global regression test

Resolves zeroclaw-labs#603

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@agorevski agorevski force-pushed the fix/603-per-client-pairing-lockout branch from b7107f0 to 718d63b Compare February 19, 2026 15:24
@github-actions github-actions Bot added channel Auto scope: src/channels/** changed. gateway Auto scope: src/gateway/** changed. security Auto scope: src/security/** changed. principal contributor Contributor with 20+ merged PRs. and removed channel Auto scope: src/channels/** changed. gateway Auto scope: src/gateway/** changed. security Auto scope: src/security/** changed. experienced contributor Contributor with 10+ merged PRs. labels Feb 19, 2026
@agorevski agorevski closed this Feb 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willsarg willsarg Awaiting requested review from willsarg

@theonlyhennygod theonlyhennygod Awaiting requested review from theonlyhennygod

Assignees

No one assigned

Labels

channel: telegram Auto module: channel/telegram changed. gateway: core Auto module: gateway core files changed. principal contributor Contributor with 20+ merged PRs. risk: high Auto risk: security/runtime/gateway/tools/workflows. security: pairing Auto module: security/pairing changed. size: S Auto size: 81-250 non-doc changed lines.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(security): change pairing lockout to per-client accounting

2 participants

@agorevski @willsarg