Summary
When config.APIKey is empty, APIKeyAuth silently becomes a no-op, so a production deployment that forgets to set AGENTFIELD_API_KEY runs with no HTTP authentication and emits no warning.
Context
The first lines of APIKeyAuth at auth.go:26 are if config.APIKey == "" { c.Next(); return }. A mis-injected secret, a misconfigured Kubernetes secret mount, or an accidental environment variable omission silently disables all auth for every API route. There is no startup log, no metric, and no health-check signal indicating auth is off. This has caused production outages in similar systems when ops teams deployed without noticing the missing env var.
Scope
In Scope
- Either: fail server startup when API auth is configured but the key is empty (preferred).
- Or: require an explicit
AGENTFIELD_INSECURE_DISABLE_AUTH=true (or equivalent config flag) to allow the no-op, and emit a WARN log on every request when it is active, plus a loud startup log.
- Whichever path is chosen, make it explicit and auditable.
Out of Scope
- Changing how keys are validated once present.
- Forcing API keys to meet complexity requirements — that is a separate concern.
- Modifying the admin token middleware (tracked in S7).
Files
control-plane/internal/server/middleware/auth.go:26 — replace silent no-op with explicit startup guard or insecure-mode flagcontrol-plane/internal/config/config.go — add InsecureDisableAuth bool field if taking the explicit-flag routecontrol-plane/cmd/agentfield-server/main.go — add startup validation that rejects empty API key unless insecure mode is explicitly setcontrol-plane/internal/server/middleware/auth_test.go — test: empty API key with no insecure flag causes startup error (or middleware panics with clear message)
Acceptance Criteria
Notes for Contributors
Severity: MEDIUM
Look at how AdminTokenAuth (S7) is fixed — apply the same pattern here so both middleware pieces are consistent. The startup-validation approach (fail in main.go or server.go before routes are registered) is generally easier to test than a middleware-level panic.
Summary
When
config.APIKeyis empty,APIKeyAuthsilently becomes a no-op, so a production deployment that forgets to setAGENTFIELD_API_KEYruns with no HTTP authentication and emits no warning.Context
The first lines of
APIKeyAuthatauth.go:26areif config.APIKey == "" { c.Next(); return }. A mis-injected secret, a misconfigured Kubernetes secret mount, or an accidental environment variable omission silently disables all auth for every API route. There is no startup log, no metric, and no health-check signal indicating auth is off. This has caused production outages in similar systems when ops teams deployed without noticing the missing env var.Scope
In Scope
AGENTFIELD_INSECURE_DISABLE_AUTH=true(or equivalent config flag) to allow the no-op, and emit aWARNlog on every request when it is active, plus a loud startup log.Out of Scope
Files
control-plane/internal/server/middleware/auth.go:26— replace silent no-op with explicit startup guard or insecure-mode flagcontrol-plane/internal/config/config.go— addInsecureDisableAuth boolfield if taking the explicit-flag routecontrol-plane/cmd/agentfield-server/main.go— add startup validation that rejects empty API key unless insecure mode is explicitly setcontrol-plane/internal/server/middleware/auth_test.go— test: empty API key with no insecure flag causes startup error (or middleware panics with clear message)Acceptance Criteria
APIKeyis empty and no explicit insecure-mode flag is setWARN-level log is emitted at startup and optionally on each unauthenticated requestgo test ./control-plane/...)make lint)Notes for Contributors
Severity: MEDIUM
Look at how
AdminTokenAuth(S7) is fixed — apply the same pattern here so both middleware pieces are consistent. The startup-validation approach (fail inmain.goorserver.gobefore routes are registered) is generally easier to test than a middleware-level panic.