feat(security): audit gateway HTTP no-auth exposure

Peter Steinberger
2026-02-19 14:25:45 +01:00
parent 808a60d3bd
commit e3e0ffd801
7 changed files with 130 additions and 9 deletions


@@ -27,6 +27,7 @@ The audit warns when multiple DM senders share the main session and recommends *
It also warns when small models (`<=300B`) are used without sandboxing and with web/browser tools enabled.
For webhook ingress, it warns when `hooks.defaultSessionKey` is unset, when request `sessionKey` overrides are enabled, and when overrides are enabled without `hooks.allowedSessionKeyPrefixes`.
It also warns when sandbox Docker settings are configured while sandbox mode is off, when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries, when global `tools.profile="minimal"` is overridden by agent tool profiles, and when installed extension plugin tools may be reachable under permissive tool policy.
It warns when `gateway.auth.mode="none"` leaves Gateway HTTP APIs reachable without a shared secret (`/tools/invoke` plus any enabled `/v1/*` endpoint).
## JSON output

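Review bot: the added sentence at the end of this paragraph says the audit "warns" on `gateway.auth.mode="none"`, but the check table in this same commit lists `gateway.http.no_auth` as warn/critical; state here what escalates the finding to critical (for example which `gateway.http.endpoints.*` being enabled, or a non-loopback bind) so a reader of the overview can tell whether a finding is actionable. The sentence also breaks the "It also warns when ..." pattern of the surrounding sentences and, unlike them, names no remedy: the webhook sentence points at `hooks.defaultSessionKey` and `hooks.allowedSessionKeyPrefixes`, so this one should name the `gateway.auth.mode` value or shared-secret setting that clears it, e.g. "It also warns when `gateway.auth.mode="none"` leaves Gateway HTTP APIs reachable without a shared secret (`/tools/invoke` plus any enabled `/v1/*` endpoint); set a shared secret via `gateway.auth.*` to clear it."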

@@ -114,6 +114,7 @@ High-signal `checkId` values you will most likely see in real deployments (not e
| `fs.config.perms_world_readable` | critical | Config can expose tokens/settings | filesystem perms on config file | yes |
| `gateway.bind_no_auth` | critical | Remote bind without shared secret | `gateway.bind`, `gateway.auth.*` | no |
| `gateway.loopback_no_auth` | critical | Reverse-proxied loopback may become unauthenticated | `gateway.auth.*`, proxy setup | no |
| `gateway.http.no_auth` | warn/critical | Gateway HTTP APIs reachable with `auth.mode="none"` | `gateway.auth.mode`, `gateway.http.endpoints.*` | no |
| `gateway.tools_invoke_http.dangerous_allow` | warn/critical | Re-enables dangerous tools over HTTP API | `gateway.tools.allow` | no |
| `gateway.tailscale_funnel` | critical | Public internet exposure | `gateway.tailscale.mode` | no |
| `gateway.control_ui.insecure_auth` | critical | Token-only over HTTP, no device identity | `gateway.controlUi.allowInsecureAuth` | no |
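Review bot: the new `gateway.http.no_auth` row overlaps with `gateway.bind_no_auth` and `gateway.loopback_no_auth` two rows above it, since all three describe the Gateway being reachable without a shared secret; the meaning column should say how this check differs, for example that it keys on `gateway.auth.mode="none"` together with the enabled `gateway.http.endpoints.*` rather than on the bind address or proxy setup, otherwise an operator will see two or three critical findings for what looks like a single misconfiguration. Two smaller points on the same row: use the fully qualified `gateway.auth.mode="none"` in the meaning column to match the config column, and state what makes the severity warn versus critical, as the `gateway.tools_invoke_http.dangerous_allow` row directly below has the same "warn/critical" ambiguity.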