Skip to content

feat(web-security): operator-gated auth flow memory#70

Open
GangGreenTemperTatum wants to merge 2 commits into
mainfrom
ads/cap-1131-improve-web-security-and-authentication-context-workflows
Open

feat(web-security): operator-gated auth flow memory#70
GangGreenTemperTatum wants to merge 2 commits into
mainfrom
ads/cap-1131-improve-web-security-and-authentication-context-workflows

Conversation

@GangGreenTemperTatum

Copy link
Copy Markdown
Contributor

Problem

The web-security agent has no structured way to persist or reuse authentication context across sessions. Credentials are ephemeral (chat-only), the prompt says "don't persist secrets", and there's no mechanism to carry forward how to authenticate — even when the operator provides the same target repeatedly.

This means every new session re-discovers the auth flow from scratch, wasting time on targets with complex multi-step login choreography (CSRF token → login → JWT → refresh → MFA).

Solution

Add an Authentication Context section to the agent prompt that distinguishes two credential sources with different persistence rules:

Operator-sourced auth (persist the flow)

When the operator provides credentials — in chat, by pointing to a file, or by referencing a stored credential — the agent:

  1. Uses store_credential for the session (as before)
  2. Maps the full auth flow (endpoints, methods, token types, refresh mechanics, prerequisites)
  3. Persists the flow recipe to project memory with subtype: auth-flow
  4. Never persists raw credentials, tokens, or secrets to project memory

Agent-discovered auth (don't persist)

When the agent discovers credentials autonomously (default creds, self-registration, JS extraction):

  1. Uses store_credential for the session (as before)
  2. Does not persist the auth flow to project memory
  3. Tracks security-relevant discoveries as findings/leads instead

Resuming from memory

Future sessions load auth-flow memories and replay them with fresh operator-provided credentials, skipping re-discovery entirely. If no credentials are provided, the agent proceeds unauthenticated without prompting.

Security rationale

The operator's explicit act of providing credentials is the authorization signal — no confirmation prompts needed, no autonomous persistence of potentially sensitive auth patterns. Agent-discovered auth (which may involve default creds, brute force, or token extraction) is intentionally kept ephemeral since the operator never sanctioned it as the intended auth path.

Changes

  • agents/web-security.md: New Authentication Context section, updated tracking to include auth-flow subtype with payload_json.role and payload_json.auth_type, updated store_credential guidance to connect to flow persistence

Add an Authentication Context section to the agent prompt that
distinguishes operator-sourced vs agent-discovered credentials:

- Operator-sourced: when the operator provides credentials (in chat,
  from a file, or via stored credential), the agent persists the auth
  *flow* (endpoints, token mechanics, multi-step choreography) to
  project memory with subtype: auth-flow. Raw credentials are never
  persisted — they stay session-scoped in store_credential only.

- Agent-discovered: when the agent finds credentials autonomously
  (default creds, self-registration, JS extraction), they are used
  for the current session but the flow is NOT persisted. Security-
  relevant discoveries are tracked as findings/leads instead.

- Resuming: future sessions load auth-flow memories and replay them
  with fresh operator-provided credentials, skipping re-discovery.
  If no credentials are provided, the agent proceeds unauthenticated
  without prompting.

Also updates the tracking section to include auth-flow as a memory
subtype with payload_json.role and payload_json.auth_type fields.
@GangGreenTemperTatum GangGreenTemperTatum force-pushed the ads/cap-1131-improve-web-security-and-authentication-context-workflows branch from c623c20 to 0cb55b3 Compare July 6, 2026 14:17
Drop health-check ceremony, fallback chains, and prescriptive routing.
Proxies are now framed as evidence capture for confirmed findings:
replay PoC through available proxy after assess_confidence passes.
Thermoptic reduced to one-liner.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant