
bug(security): HTTP endpoints fail-open without ADMIN_SECRET #28

Description

@mikeumus

Priority: MED — security.

The self-hosted worker's HTTP endpoints (/spend, /usage, /check, /test-alert) are unauthenticated unless ADMIN_SECRET is set, and /check can trigger destructive actions while /test-alert can be spammed. Default to fail-closed (refuse if no ADMIN_SECRET configured) rather than fail-open.

From FEEDBACK-from-divinci-deployment.md — real-world findings from the Divinci self-hosted deployment, 2026-06-17.
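
The fail-open and fail-closed behaviours the issue contrasts, as an added example that is not the project's code. ADMIN_SECRET and the four paths come from the issue; the function names, the Bearer header scheme and the status codes are assumptions.

```javascript
// Added illustration; not the project's code. ADMIN_SECRET and the four paths
// come from the issue. Function names, the Bearer header scheme and the status
// codes are assumptions.
const PROTECTED_PATHS = new Set(['/spend', '/usage', '/check', '/test-alert']);

// Compare two strings without returning early on the first mismatch.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Fail-open shape described in the issue: no secret configured means no check.
function authorizeFailOpen(env, path, authorizationHeader) {
  if (!env.ADMIN_SECRET) return { status: 200, reason: 'auth skipped' };
  return authorizeFailClosed(env, path, authorizationHeader);
}

// Fail-closed: a missing or blank secret refuses every request.
function authorizeFailClosed(env, path, authorizationHeader) {
  if (!PROTECTED_PATHS.has(path)) return { status: 404, reason: 'not found' };
  const secret = typeof env.ADMIN_SECRET === 'string' ? env.ADMIN_SECRET.trim() : '';
  if (secret === '') {
    return { status: 503, reason: 'ADMIN_SECRET not configured' };
  }
  const match = /^Bearer (.+)$/.exec(authorizationHeader || '');
  if (!match || !constantTimeEqual(match[1], secret)) {
    return { status: 401, reason: 'unauthorized' };
  }
  return { status: 200, reason: 'ok' };
}
```

A startup check that refuses to boot when ADMIN_SECRET is unset gives the same guarantee earlier and surfaces the misconfiguration in deployment logs instead of at request time.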

    Labels

    - area:security: Auth, fail-open, endpoint hardening
    - bug: Something isn't working
    - priority:medium: Should fix — meaningful but not urgent
