Permission enforcement on startup: enforce_permissions() checks store dir
(700), user files (600), signing key, TLS key, audit.log, revoked.json.
CLI and run_server() call it before any sensitive operation.
New modules:
security.py check_store(), enforce_permissions(), print_security_check()
audit.py log_event() — append-only TSV audit log (mode 600)
revoke.py revoke(jti), is_revoked(jti) — revocation list (mode 600)
New CLI commands:
security-check Print per-check pass/warn/fail report; exit 1 on failure
revoke-token <jti|jwt> Add JTI to revocation list; accepts raw JTI or full JWT
Serve integration:
Audit log written for auth request, token issuance, and userinfo calls
Revocation checked at /userinfo; revoked tokens return 401
Docs: security model section in LocalIdentity.md — threat model,
assumptions, non-guarantees, SELinux/AppArmor guidance, revocation usage.
138 tests passing (34 new for Stage 4).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
