Found during review of #96. rust/crates/truapi-server/src/host_logic/permissions.rs:126 builds the storage key by joining slugs with | and domains with ,. Domain strings come from product input; nothing forbids |, ,, or the literal truapi:permissions: prefix inside a domain. Two different permission bundles could collide on the same key and one bundle's grant could authorize another. Fix: SCALE-encode the canonicalized bundle then hex/base64 it for the key, or reject domains containing reserved separator chars.
Found during review of #96.
rust/crates/truapi-server/src/host_logic/permissions.rs:126builds the storage key by joining slugs with|and domains with,. Domain strings come from product input; nothing forbids|,,, or the literaltruapi:permissions:prefix inside a domain. Two different permission bundles could collide on the same key and one bundle's grant could authorize another. Fix: SCALE-encode the canonicalized bundle then hex/base64 it for the key, or reject domains containing reserved separator chars.