Skip to content

feat(auth): enforce AUTH_MODE safely#16

Merged
joeblack2k merged 2 commits into
mainfrom
codex/auth-mode-enforcement
Jun 15, 2026
Merged

feat(auth): enforce AUTH_MODE safely#16
joeblack2k merged 2 commits into
mainfrom
codex/auth-mode-enforcement

Conversation

@joeblack2k

Copy link
Copy Markdown
Owner

Summary

Supersedes PR #3 with the same AUTH_MODE enforcement feature, rebased onto current main, plus the security fix from maintainer review.

What changed

  • Enforces AUTH_MODE=enabled on non-public endpoints.
  • Adds opt-in TRUST_REMOTE_USER_HEADER support for trusted reverse proxies.
  • Keeps helper auto-enroll/bootstrap working by deferring only real helper-protocol endpoints to authorizeHelperSyncRequest.
  • Fixes the review blocker: spoofed X-RSM-Device-Type + X-RSM-Fingerprint headers no longer bypass auth on ordinary API/static routes.

Validation

  • go test ./...
  • npm ci && npm run test && npm run build && npm audit --audit-level=moderate
  • ./scripts/security-gate.sh
  • ./scripts/architecture-guard.sh
  • ./scripts/verify-contract.sh

terafin and others added 2 commits June 15, 2026 11:16
@joeblack2k joeblack2k merged commit e943dc3 into main Jun 15, 2026
8 checks passed
@joeblack2k joeblack2k deleted the codex/auth-mode-enforcement branch June 15, 2026 09:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants