Summary
Deckhand's current security posture is minimal — auth is optional, there's no authorization model, and several common hardening measures are missing. This ticket covers the foundational security work needed before any non-local or multi-user deployment.
Tasks
1. Make API key required by default
- Generate a key on first run if none is configured
- Remove the "no key = no auth" bypass
- Provide clear error messaging when a client connects without a key
2. Add RBAC with read/write scopes
- Introduce at minimum two scopes: read (monitoring: list agents, get state, subscribe to events) and write (commanding: start/cancel agents, fire actions/signals, set state)
- API keys should be associated with a scope
- Reject write operations from read-only keys with 403
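Tasks 1 and 2 together, as an added example (not Deckhand's code): a key registry that stores only key fingerprints, generates a key at first run when none is configured, and an authorize() step that returns 401 for a missing or unknown key and 403 for a read-only key on a write operation. The operation names, the X-API-Key header and the default-to-write rule for unlisted operations are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Scope(str, Enum):
    READ = "read"    # monitoring: list agents, get state, subscribe to events
    WRITE = "write"  # commanding: start/cancel agents, fire actions/signals, set state


# Scope each operation needs. Operation names are assumed; the read/write split follows the ticket.
REQUIRED_SCOPE: Dict[str, Scope] = {
    "list_agents": Scope.READ,
    "get_state": Scope.READ,
    "subscribe_events": Scope.READ,
    "start_agent": Scope.WRITE,
    "cancel_agent": Scope.WRITE,
    "fire_action": Scope.WRITE,
    "fire_signal": Scope.WRITE,
    "set_state": Scope.WRITE,
}


def _fingerprint(key: str) -> str:
    """Store a SHA-256 of each key so a leaked config or memory dump does not expose usable keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


@dataclass
class KeyRegistry:
    scopes: Dict[str, Scope] = field(default_factory=dict)  # fingerprint -> scope

    def add(self, key: str, scope: Scope) -> None:
        self.scopes[_fingerprint(key)] = scope

    def issue(self, scope: Scope) -> str:
        """Generate a fresh high-entropy key and register it; the caller shows it once."""
        key = secrets.token_urlsafe(32)
        self.add(key, scope)
        return key

    def scope_of(self, presented: str) -> Optional[Scope]:
        return self.scopes.get(_fingerprint(presented))


def bootstrap(registry: KeyRegistry, configured_key: Optional[str] = None) -> str:
    """Task 1: there is always a key. With none configured, generate one at first run
    instead of starting with auth disabled."""
    if configured_key:
        registry.add(configured_key, Scope.WRITE)
        return configured_key
    key = registry.issue(Scope.WRITE)
    # Shown once so the operator can copy it; a real service would write it to a protected file.
    print(f"No API key configured; generated one for this instance: {key}")
    return key


def authorize(registry: KeyRegistry, presented: Optional[str], operation: str) -> Tuple[int, str]:
    """Return (status, detail) that the route layer turns into an HTTP response.
    Assumed transport: the key arrives in an X-API-Key header."""
    if not presented:
        return 401, "API key required (X-API-Key header)"
    scope = registry.scope_of(presented)
    if scope is None:
        return 401, "unknown API key"
    # Fail closed: an operation missing from the table is treated as a write.
    needed = REQUIRED_SCOPE.get(operation, Scope.WRITE)
    if needed is Scope.WRITE and scope is not Scope.WRITE:
        return 403, f"'{operation}' requires write scope; key has {scope.value}"
    return 200, "ok"
```

In a FastAPI app this would sit behind a dependency that reads the header and raises HTTPException with the returned status; the registry can be shared with the WebSocket handshake so both transports use the same keys and scopes.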
3. Add CORS middleware locked to localhost
- Only allow origins from localhost / 127.0.0.1
- Relevant for any future web-based Property Inspector or dashboard clients
4. Add rate limiting
- Simple token-bucket or fixed-window rate limiting on API endpoints
- Prevent a misbehaving client from flooding the service
- Configurable limits via settings
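Task 4 as an added example (not Deckhand's code): a per-client token-bucket limiter with limits in a settings object and an injectable clock so the behaviour can be tested deterministically. The default numbers, the client identifier and the 429 / Retry-After mapping are assumptions of this example.

```python
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class RateLimitSettings:
    """Configurable limits; the default values are assumed for this example."""
    capacity: int = 20              # burst the bucket can absorb
    refill_per_second: float = 5.0  # sustained request rate


@dataclass
class TokenBucketLimiter:
    settings: RateLimitSettings
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    # client id -> (tokens remaining, time of last refill)
    buckets: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def _refill(self, client_id: str) -> Tuple[float, float]:
        now = self.clock()
        cap = float(self.settings.capacity)
        tokens, last = self.buckets.get(client_id, (cap, now))
        tokens = min(cap, tokens + (now - last) * self.settings.refill_per_second)
        return tokens, now

    def allow(self, client_id: str) -> bool:
        """Spend one token if available; a flooding client drains its own bucket only."""
        tokens, now = self._refill(client_id)
        if tokens >= 1.0:
            self.buckets[client_id] = (tokens - 1.0, now)
            return True
        self.buckets[client_id] = (tokens, now)
        return False

    def retry_after(self, client_id: str) -> float:
        """Seconds until the next token is available (0 if one is available now)."""
        tokens, _ = self._refill(client_id)
        return 0.0 if tokens >= 1.0 else (1.0 - tokens) / self.settings.refill_per_second


def check_request(limiter: TokenBucketLimiter, client_id: str) -> Tuple[int, Dict[str, str]]:
    """What the middleware does per request: 429 with Retry-After once the bucket is empty."""
    if limiter.allow(client_id):
        return 200, {}
    wait = max(1, math.ceil(limiter.retry_after(client_id)))
    return 429, {"Retry-After": str(wait)}
```

Because every client of a local service arrives from 127.0.0.1, keying the bucket by API key (or key fingerprint) rather than by source address is what actually isolates one misbehaving client from the others.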
5. Move WebSocket auth from query param to first-message handshake
- Currently the token is passed as ?token=<key>, which leaks into server logs
- Switch to a first-message auth handshake after connection is established
- Update OpenDeck plugin bridge to use the new handshake
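Task 5 as an added example (not Deckhand's or the OpenDeck bridge's code): the server side of a first-message handshake written as a small state machine over JSON frames, plus the frame the client sends. Until an auth frame is accepted, nothing else is processed, the key is never written to the log, and failures close the socket. The frame shape, the constructed key store and the application close codes are assumptions of this example.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed key store for the example: key -> scope. A real deployment would
# store fingerprints and share the registry with the HTTP auth layer.
KEYS = {"demo-write-key": "write", "demo-read-key": "read"}

# Application close codes (4000-4999 are left to applications by RFC 6455);
# the specific numbers are an assumption of this example.
CLOSE_MALFORMED = 4400
CLOSE_UNAUTHENTICATED = 4401
CLOSE_FORBIDDEN = 4403

MAX_AUTH_FRAME_BYTES = 4096  # bound what an unauthenticated peer can make us parse


@dataclass
class WsSession:
    scope: Optional[str] = None   # None until the auth frame is accepted
    closed: bool = False
    close_code: Optional[int] = None
    log: List[str] = field(default_factory=list)  # what the server would write to its log

    def close(self, code: int, reason: str) -> str:
        self.closed, self.close_code = True, code
        self.log.append(f"ws closed code={code} reason={reason}")
        return json.dumps({"type": "error", "reason": reason})


def client_auth_frame(key: str) -> str:
    """First frame the plugin bridge sends once the socket is open, instead of ?token=<key>."""
    return json.dumps({"type": "auth", "key": key})


def server_handle_frame(session: WsSession, raw: str) -> str:
    """Process one inbound frame and return the frame to send back."""
    if session.closed:
        return json.dumps({"type": "error", "reason": "session closed"})
    if session.scope is None and len(raw) > MAX_AUTH_FRAME_BYTES:
        return session.close(CLOSE_MALFORMED, "auth frame too large")
    try:
        msg = json.loads(raw)
    except ValueError:
        return session.close(CLOSE_MALFORMED, "frame is not valid JSON")
    if not isinstance(msg, dict):
        return session.close(CLOSE_MALFORMED, "frame must be a JSON object")
    kind = msg.get("type")
    # Log the frame type only; the key itself never reaches the log.
    session.log.append(f"ws frame type={kind!r}")

    if session.scope is None:
        # Pre-auth state: the only acceptable frame is {"type": "auth", "key": ...}.
        if kind != "auth" or not isinstance(msg.get("key"), str):
            return session.close(CLOSE_UNAUTHENTICATED, "first frame must be an auth frame")
        scope = KEYS.get(msg["key"])
        if scope is None:
            return session.close(CLOSE_UNAUTHENTICATED, "unknown API key")
        session.scope = scope
        return json.dumps({"type": "auth_ok", "scope": scope})

    # Authenticated state: subscriptions need read scope, everything else needs write.
    if kind == "auth":
        return json.dumps({"type": "error", "reason": "already authenticated"})
    if kind == "subscribe":
        return json.dumps({"type": "subscribed"})
    if session.scope != "write":
        return session.close(CLOSE_FORBIDDEN, f"{kind} requires write scope")
    return json.dumps({"type": "ack", "of": kind})
```

The server should also close the socket if no auth frame arrives within a short timeout after the connection opens, so idle unauthenticated sockets do not accumulate; that timer lives in the connection loop rather than in the per-frame handler shown here.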
6. Add input validation at the API layer
- Define Pydantic models for action/signal payloads at the FastAPI route level
- Plugins should not be solely responsible for validating their own input
- Reject malformed requests before they reach plugin code
Context
From architectural review — the current model trusts all authenticated clients equally and doesn't validate input at the API boundary. These are the minimum changes needed to move from "local dev toy" to "safe local service."