test: add self-hosted zero-config mode tests#2
Merged
Conversation
Tests for the zero-configuration self-hosted mode where users can run AxonFlow without any API keys, license keys, or credentials. Test coverage includes: - Client creation without credentials for localhost (using WireMock) - Gateway Mode (getPolicyApprovedContext, auditLLMCall) with empty tokens - Proxy Mode (executeQuery) without authentication - Policy enforcement (SQL injection, PII) still works without auth - Health check without credentials - First-time user experience validation - Verification that auth headers are not sent for localhost Related: getaxonflow/axonflow-enterprise#682
saurabhjain1592
added a commit
that referenced
this pull request
Jan 6, 2026
Adds comprehensive tests for self-hosted zero-config mode using WireMock. Test coverage: - Client initialization without credentials for localhost - Gateway Mode with empty/whitespace user tokens - Proxy Mode without authentication - Policy enforcement (SQL injection, PII) still works - Health check without credentials - First-time user experience simulation - Verification that auth headers not sent for localhost Part of Issue #682 (axonflow-enterprise)
saurabhjain1592
added a commit
that referenced
this pull request
Jun 16, 2026
…orkflow perms + example SDK bump Three security alerts on axonflow-sdk-java: 1. CodeQL java/insecure-trustmanager (#8, high) at HttpClientFactory.java. The trust-all path is an intentional, double-gated development escape hatch for self-signed certs (requires BOTH insecureSkipVerify(true) AND AXONFLOW_INSECURE_TLS env var). Rather than remove the dev affordance, this adds a hard production guard: when a production-like deployment environment is detected (ENVIRONMENT / AXONFLOW_ENVIRONMENT / APP_ENV / SPRING_PROFILES_ACTIVE / NODE_ENV / ... carrying a 'prod'/'production' token), the insecure path is REFUSED outright, TLS verification stays enabled, and a SECURITY error is logged naming the signalling variable. New tests prove the guard PREVENTS the insecure path (not just logs), handles compound values (prod,metrics), and does not false-positive on non-production values. Alert to be dismissed-by-design on #2711 now that the production path is belt-and-suspenders hardened. Real code change -> VERSION bumped 8.5.0 -> 8.5.1 + CHANGELOG. 2. CodeQL actions/missing-workflow-permissions (#9, med) on heartbeat-real-stack.yml: added a top-level least-privilege 'permissions: contents: read' block (workflow only checks out + tests). Block kept identical to the axonflow-sdk-typescript fix for coherence. 3. Dependabot #2 (med): examples/wcp-retry-idempotency/pom.xml pinned a stale com.getaxonflow:axonflow-sdk 5.5.0 (vulnerable < 6.0.0); bumped to the current released 8.5.0. Refs getaxonflow/axonflow-enterprise#2711 Signed-off-by: Saurabh Jain <saurabh.jain@getaxonflow.com>
saurabhjain1592
added a commit
that referenced
this pull request
Jun 16, 2026
…orkflow perms + example SDK bump (#193) Three security alerts on axonflow-sdk-java: 1. CodeQL java/insecure-trustmanager (#8, high) at HttpClientFactory.java. The trust-all path is an intentional, double-gated development escape hatch for self-signed certs (requires BOTH insecureSkipVerify(true) AND AXONFLOW_INSECURE_TLS env var). Rather than remove the dev affordance, this adds a hard production guard: when a production-like deployment environment is detected (ENVIRONMENT / AXONFLOW_ENVIRONMENT / APP_ENV / SPRING_PROFILES_ACTIVE / NODE_ENV / ... carrying a 'prod'/'production' token), the insecure path is REFUSED outright, TLS verification stays enabled, and a SECURITY error is logged naming the signalling variable. New tests prove the guard PREVENTS the insecure path (not just logs), handles compound values (prod,metrics), and does not false-positive on non-production values. Alert to be dismissed-by-design on #2711 now that the production path is belt-and-suspenders hardened. Real code change -> VERSION bumped 8.5.0 -> 8.5.1 + CHANGELOG. 2. CodeQL actions/missing-workflow-permissions (#9, med) on heartbeat-real-stack.yml: added a top-level least-privilege 'permissions: contents: read' block (workflow only checks out + tests). Block kept identical to the axonflow-sdk-typescript fix for coherence. 3. Dependabot #2 (med): examples/wcp-retry-idempotency/pom.xml pinned a stale com.getaxonflow:axonflow-sdk 5.5.0 (vulnerable < 6.0.0); bumped to the current released 8.5.0. Refs getaxonflow/axonflow-enterprise#2711 Signed-off-by: Saurabh Jain <saurabh.jain@getaxonflow.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add comprehensive tests for the zero-configuration self-hosted mode where users can run AxonFlow without any API keys, license keys, or credentials.
This tests the "first run" experience:
SELF_HOSTED_MODE=trueandSELF_HOSTED_MODE_ACKNOWLEDGED=I_UNDERSTAND_NO_AUTHTest Coverage
All tests use WireMock for mocking the agent endpoints.
How to Run
mvn test -Dtest=SelfHostedZeroConfigTestRelated