Eliminate hardcoded JWT secrets; auto-generate and persist on first boot#75
Merged
Conversation
Agent-Logs-Url: https://github.com/unnamedlab/OpenFoundry/sessions/4946e9a7-8630-48a0-9de0-dd0dbe34acea Co-authored-by: unnamedlab <272794385+unnamedlab@users.noreply.github.com>
Copilot created this pull request from a session on behalf of unnamedlab, April 30, 2026 11:36.
unnamedlab pushed a commit that referenced this pull request, May 18, 2026:
…-5-runner feat(pipeline-runner): execute pipelineplan.Plan with Iceberg providers (ADR-0045 Phase C.5)
A prior audit flagged five JwtConfig::new("secret"|"test-secret"|...) literals across the workspace and asked for an unattended secret-bootstrap path that does not rely on .env files.

libs/auth-middleware
- JwtConfig::generate() — 256-bit HS256 secret from rand::thread_rng().
- JwtConfig::load_or_generate(path) — reads/creates a hex-encoded secret file with 0600 perms (parent dir 0700) on Unix; idempotent across restarts so existing tokens stay valid.
- JwtConfig::resolve_unattended(default_path) — precedence OPENFOUNDRY_JWT_SECRET → OPENFOUNDRY_JWT_SECRET_PATH → default_path.
- SecretLoadError; tolerates raw-bytes secrets seeded by external KMS.

Literal removal
Replaced every hardcoded literal with JwtConfig::generate() (and the data-asset-catalog-service test fixture with Uuid::now_v7().to_string(), since that field is never used as a signing secret in the test). Also fixed five duplicates of the same pattern not in the original report (pipeline-authoring-service, report-service, edge-gateway rate-limit tests ×4, internal auth-middleware tests ×2).
The edge-gateway token() test helper now takes &JwtConfig instead of &str so the issuer and verifier share the same generated key.

Unattended production path (ingestion-replication-service)
- AppConfig.jwt_secret is now Option<String> (#[serde(default)]).
- AppConfig.jwt_secret_path, default /var/lib/openfoundry/ingestion-replication-service/jwt.secret.
- main.rs falls back to JwtConfig::resolve_unattended(...) when no secret is configured.

Notes for reviewers
- Option<String> + jwt_secret_path + resolve_unattended) is intentionally only applied to ingestion-replication-service because it is the only listed service with a non-stub main.rs. The same wiring should be propagated to other services as their binaries are fleshed out.
- services/ingestion-replication-service (duplicate fn main() in build.rs, duplicate use and unclosed delimiter in main.rs) prevent that crate from compiling at HEAD; the edits here are syntactically valid and do not depend on those being fixed first.
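The bootstrap path described in this PR, as an added example that is not the PR's or OpenFoundry's own code: load_or_generate and resolve_unattended in the shape the description gives (hex-encoded file, 0600/0700 permissions, idempotent reload, raw-bytes tolerance, env-var precedence), reading /dev/urandom through std where the PR uses rand::thread_rng() so it builds with no extra crates (Unix only). The free-function names and treating the inline OPENFOUNDRY_JWT_SECRET value as raw bytes are this example's assumptions.

```rust
// Added example (not OpenFoundry's code): unattended JWT secret bootstrap.
// std-only; /dev/urandom stands in for rand::thread_rng(). Unix only.
use std::fs;
use std::io::{self, Read, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt};
use std::path::{Path, PathBuf};
const SECRET_LEN: usize = 32; // 256-bit HS256 key
fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}
fn decode_hex(s: &str) -> Option<Vec<u8>> {
    if s.is_empty() || s.len() % 2 != 0 || !s.is_ascii() {
        return None;
    }
    (0..s.len()).step_by(2).map(|i| u8::from_str_radix(&s[i..i + 2], 16).ok()).collect()
}
/// Read an existing secret or generate one and persist it hex-encoded with
/// 0600 file / 0700 parent-dir perms. Idempotent: a restart gets the same key.
pub fn load_or_generate(path: &Path) -> io::Result<Vec<u8>> {
    if let Ok(raw) = fs::read(path) {
        // Tolerate a raw-bytes secret seeded by an external KMS: anything that
        // is not valid hex is used verbatim.
        let decoded = std::str::from_utf8(&raw).ok().and_then(|s| decode_hex(s.trim()));
        return Ok(decoded.unwrap_or(raw));
    }
    if let Some(dir) = path.parent() {
        fs::DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    }
    let mut key = vec![0u8; SECRET_LEN];
    fs::File::open("/dev/urandom")?.read_exact(&mut key)?;
    // create_new: if another process raced us to the file, fail instead of
    // overwriting a key that may already have been used to sign tokens.
    let mut f = fs::OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)?;
    f.write_all(hex(&key).as_bytes())?;
    Ok(key)
}
/// Precedence as the PR states: OPENFOUNDRY_JWT_SECRET, then
/// OPENFOUNDRY_JWT_SECRET_PATH, then default_path. Using the inline env value
/// as raw bytes is this example's assumption, not something the PR specifies.
pub fn resolve_unattended(default_path: &Path) -> io::Result<Vec<u8>> {
    if let Ok(inline) = std::env::var("OPENFOUNDRY_JWT_SECRET") {
        return Ok(inline.into_bytes());
    }
    let path = std::env::var_os("OPENFOUNDRY_JWT_SECRET_PATH")
        .map(PathBuf::from)
        .unwrap_or_else(|| default_path.to_path_buf());
    load_or_generate(&path)
}
```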