Skip to content

Harden auth and secret handling#153

Open
likawa3b wants to merge 2 commits into
brokermr810:mainfrom
likawa3b:security-hardening-auth-secrets
Open

Harden auth and secret handling#153
likawa3b wants to merge 2 commits into
brokermr810:mainfrom
likawa3b:security-hardening-auth-secrets

Conversation

@likawa3b

Copy link
Copy Markdown

Summary

  • restrict legacy env-admin auth fallback to explicit single-user mode
  • mask password/secret settings responses and expand agent audit redaction keys
  • reject inline strategy exchange secrets unless using credential_id, and redact persisted strategy config responses
  • bind frontend compose port to localhost by default and ignore local secret/review artifacts

Validation

  • docker pytest: 40 passed, 3 warnings
  • docker compileall for changed backend modules: passed
  • git diff --check: passed
  • local deploy: backend/frontend rebuilt and healthy at http://127.0.0.1:8889
  • deployed smoke: frontend 200, admin login code=1, settings values returned no raw secret fields

Reviewer Pass

  • ponytail-review: scoped pass, no over-engineering issue requiring patch
  • claude/gemini/glm wrapper attempted; Gemini failed inside grep_search regex, Claude returned max-turns only, GLM failed before review due WSL timeout; no actionable reviewer findings were produced

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant