Blackbox report finding 2.5: add_member and remove_member in opake-core don't verify that the caller (session DID) matches the authority in the keyring's AT-URI. The PDS enforces repo-level write access so this isn't exploitable in practice, but the library should guard against logic errors where e.g. a member's client accidentally tries to modify someone else's keyring. Fix: in add_member() and remove_member(), compare client.session().did against the AT-URI authority and return an error if they don't match. Defense-in-depth, not a live vulnerability.
Blackbox report finding 2.5: add_member and remove_member in opake-core don't verify that the caller (session DID) matches the authority in the keyring's AT-URI. The PDS enforces repo-level write access so this isn't exploitable in practice, but the library should guard against logic errors where e.g. a member's client accidentally tries to modify someone else's keyring. Fix: in add_member() and remove_member(), compare client.session().did against the AT-URI authority and return an error if they don't match. Defense-in-depth, not a live vulnerability.