Skip to content

Revert fail-closed auth: #682 (API key) + #691 (admin token)#694

Merged
AbirAbbas merged 2 commits into
mainfrom
revert-fail-closed-auth
Jun 27, 2026
Merged

Revert fail-closed auth: #682 (API key) + #691 (admin token)#694
AbirAbbas merged 2 commits into
mainfrom
revert-fail-closed-auth

Conversation

@AbirAbbas

@AbirAbbas AbirAbbas commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Summary

Reverts the fail-closed auth family — #682 (8ff2bc7a, API key / issue #424) and #691 (bc0f7c78, admin token / issue #425). #682 shipped in v0.1.94 / v0.1.95-rc.1 and lines up with a sudden error spike over the prior two days. #691 builds directly on #682's plumbing, so they revert together.

Reverts newest-first (#691 then #682); applies cleanly with no conflicts.

Why revert

Regression. Before #682, a control plane with no AGENTFIELD_API_KEY ran open. After it, an empty key makes the server refuse to boot unless AGENTFIELD_INSECURE_DISABLE_AUTH=true is also set:

Failed to create AgentField server: invalid API authentication configuration:
API key is required; set AGENTFIELD_API_KEY or explicitly set AGENTFIELD_INSECURE_DISABLE_AUTH=true

The safe insecure_disable_auth: true default only lives in the bundled YAML configs and the Helm no-secret branch. But the Docker image copies that config to /etc/agentfield/config, while the server only searches $HOME/.agentfield, ./config, and . — so image/env-based deploys (plain docker run, Railway, custom k8s) never load it and crash-loop on startup after upgrading. #691 applies the identical fail-closed pattern to admin routes (narrower: only when DID authorization is enabled).

Redundant config. An unset AGENTFIELD_API_KEY is already the signal for "no auth"; setting the key is what enables secure mode. The new AGENTFIELD_INSECURE_DISABLE_AUTH / AGENTFIELD_INSECURE_ADMIN_NO_TOKEN flags duplicate that signal. Same for the admin token.

Verified locally

  • Both reverts apply cleanly on latest main; the three core auth files (auth.go, config.go, server.go) restore exactly to their pre-fix state.
  • go build ./cmd/agentfield-server, go vet ./..., and go test ./... (control-plane) all pass.
  • Keyless server boots again: /health → 200, old open behavior restored.

Follow-up

The concerns in #424 / #425 (open-by-default with no signal) are reasonable, but should be re-addressed without breaking existing keyless deploys — a loud startup WARN rather than refusing to boot. The Docker image config-path gap (config shipped to a directory the server never searches) should also be fixed regardless.

Test Plan

  • go build, go vet, go test ./... (control-plane)
  • Keyless boot verified locally
  • Auth files match pre-fix state exactly

@AbirAbbas AbirAbbas requested a review from a team as a code owner June 27, 2026 23:28
@github-actions

github-actions Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

📊 Coverage gate

Thresholds from .coverage-gate.toml: per-surface ≥ 84%, aggregate ≥ 85%, max per-surface regression ≤ 1.0 pp, max aggregate regression ≤ 0.50 pp.

Surface Current Baseline Δ
control-plane 87.00% 87.40% ↓ -0.40 pp 🟡
sdk-go 91.80% 92.00% ↓ -0.20 pp 🟢
sdk-python 93.87% 93.73% ↑ +0.14 pp 🟢
sdk-typescript 90.05% 90.42% ↓ -0.37 pp 🟢
web-ui 84.83% 84.79% ↑ +0.04 pp 🟡
aggregate 85.63% 85.75% ↓ -0.12 pp 🟡

✅ Gate passed

No surface regressed past the allowed threshold and the aggregate stayed above the floor.

@github-actions

github-actions Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

📐 Patch coverage gate

Threshold: 80% on lines this PR touches vs origin/main (from .coverage-gate.toml:thresholds.min_patch).

Surface Touched lines Patch coverage Status
control-plane 9 100.00%
sdk-go 0 ➖ no changes
sdk-python 0 ➖ no changes
sdk-typescript 0 ➖ no changes
web-ui 0 ➖ no changes

✅ Patch gate passed

Every surface whose lines were touched by this PR has patch coverage at or above the threshold.

@AbirAbbas AbirAbbas changed the title Revert "fix(#424): fail closed on empty API key" (#682) Revert fail-closed auth: #682 (API key) + #691 (admin token) Jun 27, 2026
@AbirAbbas AbirAbbas force-pushed the revert-fail-closed-auth branch from 001caeb to 5e12474 Compare June 27, 2026 23:41
@AbirAbbas AbirAbbas merged commit bee7eb5 into main Jun 27, 2026
28 checks passed
@AbirAbbas AbirAbbas deleted the revert-fail-closed-auth branch June 27, 2026 23:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant