Security: jqueguiner/openrunner

SECURITY.md

Security

Reporting a vulnerability

Please report security issues privately to the maintainers at security@gladia.io (placeholder — confirm address-of-record before publishing). Do not file public GitHub issues for vulnerabilities.

We aim to acknowledge reports within 3 business days and ship a fix or mitigation within 14 days for confirmed issues.

Disclosed defects

SECRET_KEY insecure-default boot — fixed

Affected versions: all commits before this fix landed (every release of OpenRunner up to and including the one immediately preceding the guardrail commit).

The bundled docker-compose.yml substituted an empty string when no SECRET_KEY was provided, and .env.example shipped with the placeholder change-me-in-production. The API server still booted and signed JWTs with that value, which made authentication tokens trivially forgeable against any account on a self-hosted instance that used the bundled defaults unmodified.

Fix. A boot-time guardrail in app/core/config.py (validate_production_security) now refuses to start the API server when SECRET_KEY is empty or equals change-me-in-production and DEBUG=false. Local development with DEBUG=true is unaffected. Operators who shipped the bundled defaults must rotate SECRET_KEY to a strong random value (python -c "import secrets; print(secrets.token_urlsafe(48))") and invalidate any active sessions issued before the rotation.
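A stand-alone sketch of the boot-time guardrail and key-rotation helper described above, added here as an illustration; it is not the project's own app/core/config.py. The function, class and constant names, the environment-variable parsing, and the extra minimum-length check are assumptions, not part of the disclosed fix.

```python
import os
import secrets
from typing import Mapping, Optional

# The placeholder shipped in .env.example (from the advisory above).
INSECURE_PLACEHOLDER = "change-me-in-production"
# Assumption: an additional hardening floor not described in the advisory.
MIN_SECRET_LENGTH = 32


class InsecureConfigurationError(RuntimeError):
    """Raised when the API server must refuse to boot with the given settings."""


def validate_production_security(secret_key: Optional[str], debug: bool) -> None:
    """Refuse to boot with DEBUG=false when SECRET_KEY is empty or the placeholder.

    DEBUG=true (local development) is deliberately left unaffected, matching
    the behaviour described in the advisory.
    """
    if debug:
        return
    key = (secret_key or "").strip()
    if not key:
        raise InsecureConfigurationError("SECRET_KEY is empty; refusing to start with DEBUG=false")
    if key == INSECURE_PLACEHOLDER:
        raise InsecureConfigurationError("SECRET_KEY is the .env.example placeholder; rotate it first")
    if len(key) < MIN_SECRET_LENGTH:  # assumption: reject obviously weak short keys
        raise InsecureConfigurationError(f"SECRET_KEY shorter than {MIN_SECRET_LENGTH} characters")


def secret_key_is_acceptable(secret_key: Optional[str], debug: bool) -> bool:
    """Boolean wrapper around the guardrail, handy for tests and health checks."""
    try:
        validate_production_security(secret_key, debug)
        return True
    except InsecureConfigurationError:
        return False


def generate_secret_key() -> str:
    """Produce a replacement key the same way the advisory's one-liner does."""
    return secrets.token_urlsafe(48)


def load_and_validate_from_env(environ: Mapping[str, str] = os.environ) -> str:
    """Read DEBUG and SECRET_KEY from the environment and run the guardrail at boot."""
    debug = environ.get("DEBUG", "false").strip().lower() in ("1", "true", "yes")
    key = environ.get("SECRET_KEY", "")
    validate_production_security(key, debug)
    return key
```

Rotating the key as shown does not by itself end sessions that were issued under the old value; tokens signed with the old key must still be invalidated separately, as the advisory notes.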