highcard-dev
diff --git a/‎apps/druid/adapters/cli/daemon.go‎
Lines changed: 52 additions & 1 deletion b/‎apps/druid/adapters/cli/daemon.go‎
Lines changed: 52 additions & 1 deletion
diff --git a/‎apps/druid/adapters/cli/worker_pull.go‎
Lines changed: 4 additions & 1 deletion b/‎apps/druid/adapters/cli/worker_pull.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎apps/druid/adapters/http/handlers/auth.go‎
Lines changed: 12 additions & 5 deletions b/‎apps/druid/adapters/http/handlers/auth.go‎
Lines changed: 12 additions & 5 deletions
diff --git a/‎apps/druid/adapters/http/handlers/scroll_handler.go‎
Lines changed: 11 additions & 6 deletions b/‎apps/druid/adapters/http/handlers/scroll_handler.go‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎apps/druid/adapters/http/handlers/websocket_handler.go‎
Lines changed: 8 additions & 3 deletions b/‎apps/druid/adapters/http/handlers/websocket_handler.go‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎apps/druid/core/services/runtime_access.go‎
Lines changed: 5 additions & 1 deletion b/‎apps/druid/core/services/runtime_access.go‎
Lines changed: 5 additions & 1 deletion
@@ -1,10 +1,13 @@
 package cli
 
 import (
+	"fmt"
 	"net"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
+	"time"
 
 	"github.com/gofiber/fiber/v2"
 	runtimehandlers "github.com/highcard-dev/daemon/apps/druid/adapters/http/handlers"
@@ -37,6 +40,9 @@ var k8sKubeconfig string
 var runtimeListen string
 var runtimePublicListen string
 var runtimeInternalToken string
+var runtimeAllowUnauthenticatedPublic bool
+var runtimeAllowUnauthenticatedManagement bool
+var runtimeWorkerTimeout time.Duration
 var runtimeWorkerCallbackListen string
 var runtimeWorkerCallbackURL string
 var runtimeWorkerDaemonURL string
@@ -65,6 +71,9 @@ func init() {
 	DaemonCommand.Flags().StringVar(&runtimeListen, "listen", "", "Optional management HTTP listen address, for example :8081")
 	DaemonCommand.Flags().StringVar(&runtimePublicListen, "public-listen", "", "Optional public dashboard HTTP listen address, for example :8082")
 	DaemonCommand.Flags().StringVar(&runtimeInternalToken, "internal-token", "", "Optional bearer token required for management HTTP API requests")
+	DaemonCommand.Flags().BoolVar(&runtimeAllowUnauthenticatedPublic, "unsafe-allow-unauthenticated-public", false, "Allow unauthenticated public HTTP routes without --auth-jwks-url")
+	DaemonCommand.Flags().BoolVar(&runtimeAllowUnauthenticatedManagement, "unsafe-allow-unauthenticated-management", false, "Allow unauthenticated management HTTP routes without --internal-token")
+	DaemonCommand.Flags().DurationVar(&runtimeWorkerTimeout, "worker-timeout", 20*time.Minute, "Maximum time for runtime materialization workers")
 	DaemonCommand.Flags().StringVar(&runtimeWorkerCallbackListen, "worker-callback-listen", "", "Optional internal worker callback listen address, for example :8083")
 	DaemonCommand.Flags().StringVar(&runtimeWorkerCallbackURL, "worker-callback-url", "", "URL workers use to call back to this daemon")
 	DaemonCommand.Flags().StringVar(&runtimeWorkerDaemonURL, "worker-daemon-url", "", "URL dev workers use for daemon management API calls")
@@ -93,6 +102,10 @@ func init() {
 }
 
 func runRuntimeDaemon() error {
+	loadRuntimeDaemonEnv()
+	if err := validateRuntimeDaemonAuthConfig(); err != nil {
+		return err
+	}
 	kubernetesConfig := runtimekubernetes.Config{
 		Namespace:         k8sNamespace,
 		StorageClass:      k8sStorageClass,
@@ -117,7 +130,7 @@ func runRuntimeDaemon() error {
 	manager := services.NewRuntimeScrollManager(runtime.Store)
 	supervisor := appservices.NewRuntimeSupervisor(runtime.Store, manager, runtime.Backend)
 	callbacks := appservices.NewWorkerCallbackManager()
-	loadRuntimeDaemonEnv()
+	supervisor.SetWorkerTimeout(runtimeWorkerTimeout)
 	callbackConfig := ports.RuntimeWorkerCallbackConfig{
 		Listen: runtimeWorkerCallbackListen,
 		URL:    runtimeWorkerCallbackURL,
@@ -153,9 +166,11 @@ func runRuntimeDaemon() error {
 		return err
 	}
 	scrollHandler := runtimehandlers.NewScrollHandler(supervisor, consoleService, logManager, authorizer)
+	scrollHandler.SetAllowUnauthenticatedPublic(runtimeAllowUnauthenticatedPublic)
 	websocketHandler := runtimehandlers.NewWebsocketHandler(consoleService)
 	websocketHandler.SetScrollHandler(scrollHandler)
 	websocketHandler.SetAuthorizer(authorizer)
+	websocketHandler.SetAllowUnauthenticatedPublic(runtimeAllowUnauthenticatedPublic)
 	handlers := runtimehandlers.RouteHandlers{
 		Server: runtimehandlers.NewRuntimeServer(
 			runtimehandlers.NewHealthHandler(),
@@ -218,6 +233,42 @@ func loadRuntimeDaemonEnv() {
 	if runtimeInternalToken == "" {
 		runtimeInternalToken = os.Getenv("DRUID_INTERNAL_TOKEN")
 	}
+	if !runtimeAllowUnauthenticatedPublic {
+		runtimeAllowUnauthenticatedPublic = envBool("DRUID_UNSAFE_ALLOW_UNAUTHENTICATED_PUBLIC")
+	}
+	if !runtimeAllowUnauthenticatedManagement {
+		runtimeAllowUnauthenticatedManagement = envBool("DRUID_UNSAFE_ALLOW_UNAUTHENTICATED_MANAGEMENT")
+	}
+	if runtimeWorkerTimeout == 0 {
+		runtimeWorkerTimeout = 20 * time.Minute
+	}
+	if raw := strings.TrimSpace(os.Getenv("DRUID_WORKER_TIMEOUT")); raw != "" {
+		if parsed, err := time.ParseDuration(raw); err == nil {
+			runtimeWorkerTimeout = parsed
+		}
+	}
+}
+
+func envBool(name string) bool {
+	value := strings.TrimSpace(os.Getenv(name))
+	if value == "" {
+		return false
+	}
+	parsed, err := strconv.ParseBool(value)
+	return err == nil && parsed
+}
+
+func validateRuntimeDaemonAuthConfig() error {
+	if runtimePublicListen != "" && runtimeAuthJWKSURL == "" && !runtimeAllowUnauthenticatedPublic {
+		return fmt.Errorf("public listener %s requires --auth-jwks-url or --unsafe-allow-unauthenticated-public", runtimePublicListen)
+	}
+	if runtimeListen != "" && runtimeInternalToken == "" && !runtimeAllowUnauthenticatedManagement {
+		return fmt.Errorf("management listener %s requires --internal-token or --unsafe-allow-unauthenticated-management", runtimeListen)
+	}
+	if runtimeWorkerTimeout <= 0 {
+		return fmt.Errorf("worker timeout must be greater than zero")
+	}
+	return nil
 }
 
 func openWorkerCallbackListener(listen string) (net.Listener, error) {
 
@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/highcard-dev/daemon/internal/callbackapi"
 	"github.com/highcard-dev/daemon/internal/core/domain"
@@ -309,7 +310,9 @@ func reportWorkerResult(action ports.RuntimeWorkerAction, result ports.RuntimeWo
 		ScrollYaml:     workerString(result.ScrollYAML),
 		Token:          action.CallbackToken,
 	}
-	res, err := client.CompleteWorkerWithResponse(context.Background(), action.RuntimeID, body)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	res, err := client.CompleteWorkerWithResponse(ctx, action.RuntimeID, body)
 	if err != nil {
 		return err
 	}
 
@@ -10,14 +10,20 @@ const ownerLocal = "druid-owner-id"
 
 func (h *ScrollHandler) PublicAuth(c *fiber.Ctx) error {
 	if h.authorizer == nil {
-		return c.Next()
+		if h.allowUnauthenticatedPublic {
+			return c.Next()
+		}
+		return fiber.NewError(fiber.StatusUnauthorized, "public authentication is not configured")
 	}
 	auth, err := h.authorizer.CheckHeader(c)
 	if err != nil {
 		return fiber.NewError(fiber.StatusUnauthorized, err.Error())
 	}
 	if auth == nil {
-		return c.Next()
+		if h.allowUnauthenticatedPublic {
+			return c.Next()
+		}
+		return fiber.NewError(fiber.StatusUnauthorized, "missing authorization token")
 	}
 	c.Locals(ownerLocal, auth.Subject)
 	id := c.Params("id")
@@ -46,12 +52,13 @@ func (h *ScrollHandler) authorizeRuntimeOwner(id string, subject string) error {
 
 func (h *WebsocketHandler) PublicQueryAuth(c *websocket.Conn) bool {
 	if h.authorizer == nil {
-		return true
+		return h.allowUnauthenticatedPublic
 	}
-	if _, err := h.authorizer.CheckQuery(c.Params("id"), c.Query("token")); err != nil {
+	auth, err := h.authorizer.CheckQuery(c.Params("id"), c.Query("token"))
+	if err != nil {
 		return false
 	}
-	return true
+	return auth != nil || h.allowUnauthenticatedPublic
 }
 
 type jwksProvider interface {
 
@@ -13,10 +13,11 @@ import (
 )
 
 type ScrollHandler struct {
-	supervisor     *appservices.RuntimeSupervisor
-	consoleService *services.ConsoleManager
-	logService     *services.LogManager
-	authorizer     ports.AuthorizerServiceInterface
+	supervisor                 *appservices.RuntimeSupervisor
+	consoleService             *services.ConsoleManager
+	logService                 *services.LogManager
+	authorizer                 ports.AuthorizerServiceInterface
+	allowUnauthenticatedPublic bool
 }
 
 func NewScrollHandler(supervisor *appservices.RuntimeSupervisor, consoleService *services.ConsoleManager, logService *services.LogManager, authorizer ...ports.AuthorizerServiceInterface) *ScrollHandler {
@@ -32,6 +33,10 @@ func NewScrollHandler(supervisor *appservices.RuntimeSupervisor, consoleService
 	}
 }
 
+func (h *ScrollHandler) SetAllowUnauthenticatedPublic(allow bool) {
+	h.allowUnauthenticatedPublic = allow
+}
+
 func registryCredentials(in *[]api.RegistryCredential) []domain.RegistryCredential {
 	if in == nil || len(*in) == 0 {
 		return nil
@@ -180,7 +185,7 @@ func (h *ScrollHandler) RunScrollCommand(c *fiber.Ctx, id string, command string
 	if err != nil {
 		return err
 	}
-	updated, err := h.supervisor.Run(runtimeScroll.ID, command)
+	updated, err := h.supervisor.RunWithContext(c.UserContext(), runtimeScroll.ID, command)
 	if err != nil {
 		return err
 	}
@@ -256,7 +261,7 @@ func (h *ScrollHandler) RunDaemonCommand(c *fiber.Ctx) error {
 	if request.Command == "" {
 		return fiber.NewError(fiber.StatusBadRequest, "command is required")
 	}
-	if _, err := h.supervisor.Run(c.Params("id"), request.Command); err != nil {
+	if _, err := h.supervisor.RunWithContext(c.UserContext(), c.Params("id"), request.Command); err != nil {
 		return err
 	}
 	return c.SendStatus(fiber.StatusOK)
 
@@ -11,9 +11,10 @@ import (
 )
 
 type WebsocketHandler struct {
-	consoleService *services.ConsoleManager
-	scrolls        *ScrollHandler
-	authorizer     ports.AuthorizerServiceInterface
+	consoleService             *services.ConsoleManager
+	scrolls                    *ScrollHandler
+	authorizer                 ports.AuthorizerServiceInterface
+	allowUnauthenticatedPublic bool
 }
 
 func NewWebsocketHandler(consoleService *services.ConsoleManager) *WebsocketHandler {
@@ -28,6 +29,10 @@ func (h *WebsocketHandler) SetAuthorizer(authorizer ports.AuthorizerServiceInter
 	h.authorizer = authorizer
 }
 
+func (h *WebsocketHandler) SetAllowUnauthenticatedPublic(allow bool) {
+	h.allowUnauthenticatedPublic = allow
+}
+
 func (h *WebsocketHandler) AttachConsole(c *websocket.Conn) {
 	consoleID := c.Params("console")
 	if id := c.Params("id"); id != "" {
 
@@ -8,11 +8,15 @@ import (
 )
 
 func (s *RuntimeSupervisor) Run(id string, command string) (*domain.RuntimeScroll, error) {
+	return s.RunWithContext(context.Background(), id, command)
+}
+
+func (s *RuntimeSupervisor) RunWithContext(ctx context.Context, id string, command string) (*domain.RuntimeScroll, error) {
 	session, err := s.sessionFor(id)
 	if err != nil {
 		return nil, err
 	}
-	return session.Run(command)
+	return session.RunWithContext(ctx, command)
 }
 
 func (s *RuntimeSupervisor) Ports(id string) ([]domain.RuntimePortStatus, error) {
Original file line number	Diff line number	Diff line change
`@@ -13,10 +13,11 @@ import (`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`type ScrollHandler struct {`
`16`		`- supervisor *appservices.RuntimeSupervisor`
`17`		`- consoleService *services.ConsoleManager`
`18`		`- logService *services.LogManager`
`19`		`- authorizer ports.AuthorizerServiceInterface`
	`16`	`+ supervisor *appservices.RuntimeSupervisor`
	`17`	`+ consoleService *services.ConsoleManager`
	`18`	`+ logService *services.LogManager`
	`19`	`+ authorizer ports.AuthorizerServiceInterface`
	`20`	`+ allowUnauthenticatedPublic bool`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`func NewScrollHandler(supervisor appservices.RuntimeSupervisor, consoleService services.ConsoleManager, logService services.LogManager, authorizer ...ports.AuthorizerServiceInterface) ScrollHandler {`
`@@ -32,6 +33,10 @@ func NewScrollHandler(supervisor *appservices.RuntimeSupervisor, consoleService`
`32`	`33`	`}`
`33`	`34`	`}`
`34`	`35`
	`36`	`+func (h *ScrollHandler) SetAllowUnauthenticatedPublic(allow bool) {`
	`37`	`+ h.allowUnauthenticatedPublic = allow`
	`38`	`+}`
	`39`	`+`
`35`	`40`	`func registryCredentials(in *[]api.RegistryCredential) []domain.RegistryCredential {`
`36`	`41`	`if in == nil \|\| len(*in) == 0 {`
`37`	`42`	`return nil`
`@@ -180,7 +185,7 @@ func (h ScrollHandler) RunScrollCommand(c fiber.Ctx, id string, command string`
`180`	`185`	`if err != nil {`
`181`	`186`	`return err`
`182`	`187`	`}`
`183`		`- updated, err := h.supervisor.Run(runtimeScroll.ID, command)`
	`188`	`+ updated, err := h.supervisor.RunWithContext(c.UserContext(), runtimeScroll.ID, command)`
`184`	`189`	`if err != nil {`
`185`	`190`	`return err`
`186`	`191`	`}`
`@@ -256,7 +261,7 @@ func (h ScrollHandler) RunDaemonCommand(c fiber.Ctx) error {`
`256`	`261`	`if request.Command == "" {`
`257`	`262`	`return fiber.NewError(fiber.StatusBadRequest, "command is required")`
`258`	`263`	`}`
`259`		`- if _, err := h.supervisor.Run(c.Params("id"), request.Command); err != nil {`
	`264`	`+ if _, err := h.supervisor.RunWithContext(c.UserContext(), c.Params("id"), request.Command); err != nil {`
`260`	`265`	`return err`
`261`	`266`	`}`
`262`	`267`	`return c.SendStatus(fiber.StatusOK)`
Original file line number	Diff line number	Diff line change
`@@ -8,11 +8,15 @@ import (`
`8`	`8`	`)`
`9`	`9`
`10`	`10`	`func (s RuntimeSupervisor) Run(id string, command string) (domain.RuntimeScroll, error) {`
	`11`	`+ return s.RunWithContext(context.Background(), id, command)`
	`12`	`+}`
	`13`	`+`
	`14`	`+func (s RuntimeSupervisor) RunWithContext(ctx context.Context, id string, command string) (domain.RuntimeScroll, error) {`
`11`	`15`	`session, err := s.sessionFor(id)`
`12`	`16`	`if err != nil {`
`13`	`17`	`return nil, err`
`14`	`18`	`}`
`15`		`- return session.Run(command)`
	`19`	`+ return session.RunWithContext(ctx, command)`
`16`	`20`	`}`
`17`	`21`
`18`	`22`	`func (s *RuntimeSupervisor) Ports(id string) ([]domain.RuntimePortStatus, error) {`