Skip to content

fix(security): harden daemon auth boundaries#266

Open
TheusHen wants to merge 1 commit into
deeplethe:mainfrom
TheusHen:fix-security-trust-boundaries
Open

fix(security): harden daemon auth boundaries#266
TheusHen wants to merge 1 commit into
deeplethe:mainfrom
TheusHen:fix-security-trust-boundaries

Conversation

@TheusHen

@TheusHen TheusHen commented Jul 6, 2026

Copy link
Copy Markdown

What changed

This tightens two security edges that are easy to miss in day-to-day use:

  • the controller now refuses to start unauthenticated on a non-loopback bind (0.0.0.0, ::, etc.) instead of only logging a warning
  • the CLI no longer prints the actual FORKD_TOKEN value in help output when the token is supplied via env

Both keep the local dev path boring: loopback without a token still works, and authenticated network binds still work.

Why

These are trust-boundary footguns:

  • a network-exposed daemon without auth is too dangerous to allow by default
  • help text leaking bearer tokens is the kind of thing that ends up in logs, terminals, screenshots, and CI output

Checks

  • cargo fmt --check
  • cargo test -p forkd-cli -p forkd-controller
  • cargo clippy -p forkd-cli -p forkd-controller -- -D warnings
  • manual: FORKD_TOKEN=pony-secret-token-123 forkd ls --help does not print the token value
  • manual: forkd-controller serve --bind 0.0.0.0:8899 without --token-file exits with refusing unauthenticated non-loopback bind

Refuse unauthenticated non-loopback controller binds and stop clap from printing FORKD_TOKEN values in help output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant