Revert fail-closed auth: #682 (API key) + #691 (admin token)#694
Merged
Conversation
Contributor
📊 Coverage gateThresholds from
✅ Gate passedNo surface regressed past the allowed threshold and the aggregate stayed above the floor. |
Contributor
📐 Patch coverage gateThreshold: 80% on lines this PR touches vs
✅ Patch gate passedEvery surface whose lines were touched by this PR has patch coverage at or above the threshold. |
001caeb to
5e12474
Compare
This was referenced Jun 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reverts the fail-closed auth family — #682 (
8ff2bc7a, API key / issue #424) and #691 (bc0f7c78, admin token / issue #425). #682 shipped in v0.1.94 / v0.1.95-rc.1 and lines up with a sudden error spike over the prior two days. #691 builds directly on #682's plumbing, so they revert together.Reverts newest-first (#691 then #682); applies cleanly with no conflicts.
Why revert
Regression. Before #682, a control plane with no
AGENTFIELD_API_KEYran open. After it, an empty key makes the server refuse to boot unlessAGENTFIELD_INSECURE_DISABLE_AUTH=trueis also set:The safe
insecure_disable_auth: truedefault only lives in the bundled YAML configs and the Helm no-secret branch. But the Docker image copies that config to/etc/agentfield/config, while the server only searches$HOME/.agentfield,./config, and.— so image/env-based deploys (plaindocker run, Railway, custom k8s) never load it and crash-loop on startup after upgrading. #691 applies the identical fail-closed pattern to admin routes (narrower: only when DID authorization is enabled).Redundant config. An unset
AGENTFIELD_API_KEYis already the signal for "no auth"; setting the key is what enables secure mode. The newAGENTFIELD_INSECURE_DISABLE_AUTH/AGENTFIELD_INSECURE_ADMIN_NO_TOKENflags duplicate that signal. Same for the admin token.Verified locally
main; the three core auth files (auth.go,config.go,server.go) restore exactly to their pre-fix state.go build ./cmd/agentfield-server,go vet ./..., andgo test ./...(control-plane) all pass./health→ 200, old open behavior restored.Follow-up
The concerns in #424 / #425 (open-by-default with no signal) are reasonable, but should be re-addressed without breaking existing keyless deploys — a loud startup
WARNrather than refusing to boot. The Docker image config-path gap (config shipped to a directory the server never searches) should also be fixed regardless.Test Plan
go build,go vet,go test ./...(control-plane)