On-demand snapshot security

Gate 2B checklist for POST /v1/fuseguard/snapshots — signed off for FuseGuard production GA.

Canonical source: docs/security/on-demand-snapshot.md in the OSS repo.

Requirements

  • Snapshot API requires valid tripId from FuseGuard ingest (FG-C06) — shipped
  • No free-form URL field in public API (FG-C06) — shipped
  • RFC1918, link-local, metadata IPs blocked (FG-C04) — shipped
  • Max response body 1MB; timeout 10s; redirect hops re-validated (max 5, no internal follow) — shipped (snapshot-policy.ts)
  • Rate limit 10/account/day; burst 3/hour (FG-C05) — shipped
  • Trip ingest rate limit 120/IP/hour (SEC-M01) — shipped
  • On-demand host bound to persisted watch URL only (watch registry entry) — shipped
  • Fail-open: fuse infra fetch failure returns 502, trip remains valid — shipped
  • Fail-closed: budget exceeded → 429, blocked URL → 403, unknown trip → 404 — shipped

Sign-off

  Role               Name                               Date
  Eng                DriftGuard cloud                   2026-06-09
  Security reviewer  Checklist automated + FG-C matrix  2026-06-09

Related

  • API: on-demand snapshot
  • FuseGuard how-to