Skip to content

Security: default gateway auth bootstrap and explicit mode none#20686

Merged
gumadeiras merged 9 commits intomainfrom
codex/gateway-auth-bootstrap-token
Feb 19, 2026
Merged

Security: default gateway auth bootstrap and explicit mode none#20686
gumadeiras merged 9 commits intomainfrom
codex/gateway-auth-bootstrap-token

Conversation

@gumadeiras
Copy link
Member

@gumadeiras gumadeiras commented Feb 19, 2026
edited by greptile-apps bot
Loading

Summary

  • Fix root auth-policy drift by making secure startup the default:
    • unresolved/missing gateway auth now resolves to token mode (no implicit fallback-to-open behavior)
    • gateway startup auto-generates and persists gateway.auth.token when missing
  • Restore explicit advanced opt-out via gateway.auth.mode: "none" (manual config only)
    • not surfaced in onboarding/configure auth prompts
    • non-loopback binds still reject without auth
  • Centralize startup auth bootstrap logic in one shared helper and reuse it across gateway startup + browser control auth bootstrap
  • Harden CLI startup override handling to avoid passing undefined override fields that could clobber configured auth
  • Update docs/changelog to reflect explicit mode: "none" and secure defaults

Root Problem

The previous behavior mixed multiple auth defaults across codepaths and allowed implicit runtime states that diverged from setup/configure/doctor expectations. This created policy drift and unclear operator behavior.

Implementation Plan (executed)

  1. One source of truth for startup auth bootstrap
  2. Secure default when auth is missing (auto-generate token)
  3. Explicit mode: "none" support only when intentionally configured
  4. Preserve strict bind/auth matrix for non-loopback
  5. Align docs/changelog + regression tests

Key Files

  • src/gateway/startup-auth.ts
  • src/gateway/server.impl.ts
  • src/browser/control-auth.ts
  • src/gateway/auth.ts
  • src/cli/gateway-cli/run.ts
  • src/config/types.gateway.ts
  • src/config/zod-schema.ts

Tests

  • pnpm check
  • pnpm vitest run src/gateway/auth.test.ts src/gateway/startup-auth.test.ts src/browser/control-auth.test.ts src/browser/control-auth.auto-token.test.ts src/gateway/server-runtime-config.test.ts src/cli/gateway-cli/run.option-collisions.test.ts
  • pnpm vitest run --config vitest.e2e.config.ts src/gateway/server.auth.e2e.test.ts

Notes

  • Added real regression coverage for explicit mode: "none" loopback connect behavior in gateway auth e2e tests.

Greptile Summary

This PR enhances gateway security by making token authentication the secure default while preserving explicit opt-out capability. The implementation centralizes auth bootstrap logic and eliminates implicit fallback-to-open behavior that previously created policy drift.

Key changes:

  • Centralized startup auth bootstrap in startup-auth.ts with auto-generation and persistence of gateway.auth.token when missing
  • Changed default auth resolution from "none" to "token" mode in auth.ts:198
  • Added explicit mode: "none" support for intentional open loopback setups (rejected for non-loopback binds)
  • Hardened CLI override handling to prevent undefined fields from clobbering configured auth via explicit merge logic
  • Reused bootstrap logic across gateway startup and browser control auth paths

The change maintains strict bind/auth matrix validation - non-loopback binds still require authentication or explicit trusted-proxy mode, and mode: "none" is correctly rejected for non-loopback binds as shown in test coverage.

Confidence Score: 5/5

  • This PR is safe to merge with very high confidence
  • The implementation is well-architected with comprehensive test coverage across unit tests, integration tests, and E2E tests. The security-focused changes (secure defaults, explicit opt-out, centralized bootstrap logic) follow security best practices. All edge cases are covered including explicit mode: "none", undefined override handling, non-loopback bind validation, and integration with browser control auth. The changes are backwards-compatible for users with existing auth configuration while improving security for new deployments.
  • No files require special attention

Last reviewed commit: 7c1a7ee

Copilot AI review requested due to automatic review settings February 19, 2026 06:42
@openclaw-barnacle openclaw-barnacle bot added docs Improvements or additions to documentation gateway Gateway runtime cli CLI command changes size: L maintainer Maintainer-authored PR labels Feb 19, 2026
@gumadeiras gumadeiras self-assigned this Feb 19, 2026
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens Gateway startup authentication by making secure token auth the default when auth config is missing/unresolved, while reintroducing an explicit opt-out (gateway.auth.mode: "none") intended only for trusted loopback setups. It centralizes auth bootstrapping so both Gateway startup and browser control auth follow the same rules, and adjusts CLI override merging to avoid clobbering config with undefined.

Changes:

  • Add shared startup auth bootstrap that auto-generates/persists gateway.auth.token when needed, and reuse it across Gateway + browser control auth flows.
  • Change unresolved/missing gateway auth default from implicit open (none) to secure (token), while supporting explicit config mode: "none" for loopback-only use.
  • Harden CLI/runtime auth+tailscale override merging and expand test coverage (unit + e2e) for the new behavior.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/gateway/startup-auth.ts New helper to merge overrides safely and bootstrap/persist a missing token on startup.
src/gateway/startup-auth.test.ts Unit tests covering token auto-generation/persistence and override merging behavior.
src/gateway/server.impl.ts Invokes startup auth bootstrap early during server startup and logs when a token is generated.
src/gateway/server.auth.e2e.test.ts Adds e2e coverage for explicit mode: "none" loopback connect behavior.
src/gateway/server-runtime-config.ts Uses shared merge helpers to avoid undefined override clobbering.
src/gateway/server-runtime-config.test.ts Adds runtime-config tests for explicit none-mode bind allow/deny matrix.
src/gateway/auth.ts Defaults unresolved auth to token mode; authorizes mode: "none" explicitly.
src/gateway/auth.test.ts Updates expectations for new default; adds tests for explicit none mode and authorize behavior.
src/config/zod-schema.ts Extends config schema to allow gateway.auth.mode: "none".
src/config/types.gateway.ts Extends GatewayAuthMode to include "none" and updates mode default docstring.
src/cli/gateway-cli/run.ts Avoids passing undefined override fields; permits startup bootstrap path for token-without-token cases; warns on none mode.
src/cli/gateway-cli/run.option-collisions.test.ts Adds regression test ensuring CLI can start in token mode without a configured token (bootstrap path).
src/browser/control-auth.ts Reuses shared startup auth bootstrap; respects explicit none mode (no auto token generation).
src/browser/control-auth.test.ts Adds test ensuring none mode doesn’t auto-generate a token.
src/browser/control-auth.auto-token.test.ts Adds test ensuring auto-token logic respects explicit none mode.
docs/help/faq.md Updates localhost token FAQ to reflect secure defaults + explicit none opt-out.
docs/gateway/configuration-reference.md Documents auth.mode: "none" and updates inline mode list.
CHANGELOG.md Adds fix note describing secure default + explicit none opt-out behavior.

@gumadeiras gumadeiras force-pushed the codex/gateway-auth-bootstrap-token branch 2 times, most recently from 8202111 to 3201e5e Compare February 19, 2026 07:06
arosstale
arosstale reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

@arosstale arosstale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The explicit mode separation (password/token/none instead of implicit empty-config = open) is the right direction — removes a large footgun class. The mergeGatewayAuthConfig shallow-merge pattern looks correct for runtime overrides. One edge case worth verifying: if mode: none is set but a token is also present in config, does resolveGatewayAuth treat mode as authoritative and ignore the token? Worth a test asserting mode: none + token: 'x' → unauthenticated.

@gumadeiras
Copy link
Member Author

gumadeiras commented Feb 19, 2026

The explicit mode separation (password/token/none instead of implicit empty-config = open) is the right direction — removes a large footgun class. The mergeGatewayAuthConfig shallow-merge pattern looks correct for runtime overrides. One edge case worth verifying: if mode: none is set but a token is also present in config, does resolveGatewayAuth treat mode as authoritative and ignore the token? Worth a test asserting mode: none + token: 'x' → unauthenticated.

mode takes precedence so if mode: none is set then it will be unauthenticated

@gumadeiras gumadeiras force-pushed the codex/gateway-auth-bootstrap-token branch 2 times, most recently from c10f70a to 47b6c28 Compare February 19, 2026 07:33
@gumadeiras gumadeiras force-pushed the codex/gateway-auth-bootstrap-token branch from 47b6c28 to be1b731 Compare February 19, 2026 07:35
@gumadeiras gumadeiras merged commit c5698ca into main Feb 19, 2026
8 checks passed
@gumadeiras gumadeiras deleted the codex/gateway-auth-bootstrap-token branch February 19, 2026 07:35
@gumadeiras
Copy link
Member Author

gumadeiras commented Feb 19, 2026

Merged via squash.

Thanks @gumadeiras!

@github-actions github-actions bot mentioned this pull request Feb 19, 2026
Open
anschmieg pushed a commit to anschmieg/openclaw that referenced this pull request Feb 19, 2026
@gumadeiras @anschmieg
Security: default gateway auth bootstrap and explicit mode none (open…
404dae2 
…claw#20686)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: be1b731
Co-authored-by: gumadeiras <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Reviewed-by: @gumadeiras
yneth-ray-openclaw pushed a commit to yneth-ray-openclaw/openclaw that referenced this pull request Feb 19, 2026
@gumadeiras @yneth-ray-openclaw
Security: default gateway auth bootstrap and explicit mode none (open…
b34fc1a 
…claw#20686)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: be1b731
Co-authored-by: gumadeiras <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Reviewed-by: @gumadeiras
vignesh07 pushed a commit to pahdo/openclaw that referenced this pull request Feb 20, 2026
@gumadeiras @vignesh07
Security: default gateway auth bootstrap and explicit mode none (open…
bfb7fbc 
…claw#20686)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: be1b731
Co-authored-by: gumadeiras <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Reviewed-by: @gumadeiras
@github-actions github-actions bot mentioned this pull request Feb 20, 2026
Open
@jiulingyun jiulingyun mentioned this pull request Feb 20, 2026
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@arosstale arosstale arosstale left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@gumadeiras gumadeiras

Labels

cli CLI command changes docs Improvements or additions to documentation gateway Gateway runtime maintainer Maintainer-authored PR size: L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gumadeiras @arosstale

Comments