Skip to content

CRITICAL: Squad kill switch has NO authentication #73

Closed
Closed
CRITICAL: Squad kill switch has NO authentication#73
Labels
auditbugSomething isn't workingcriticalCritical severitysecuritySecurity improvement
@rz1989s

Description

@rz1989s
rz1989s
opened on Apr 9, 2026

File: packages/agent/src/routes/squad-api.ts + index.ts:92

POST /api/squad/kill toggles kill switch without any auth. Mounted without verifyJwt. Any unauthenticated user can pause all vault operations.

Fix: Add verifyJwt middleware + admin role check.

Ref: PR #70 audit

Metadata

Metadata

Assignees

No one assigned

    Labels

    auditbugSomething isn't workingcriticalCritical severitysecuritySecurity improvement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions