oxmux: Add local client auth boundary

[nodnarbnitram]

🔗 Linked Issue

Closes #18

✅ Type of Change

• ✨ New Project/Feature
• 🐞 Bug Fix
• 📚 Documentation Update
• 🔨 Refactor or Other

📝 Summary

• Add oxmux local client authorization primitives with redacted credential metadata, structured outcomes, and independent inference/management route protection policies.
• Classify local runtime routes before dispatch, require bearer authorization for protected inference and /v0/management/* boundaries, and keep GET /health unauthenticated and stable.
• Add deterministic tests for authorized/unauthorized inference, management scope separation, bearer parsing failures, redaction, and provider-execution suppression before auth succeeds.

📐 OpenSpec Evidence

• OpenSpec change/spec: openspec/changes/add-local-client-auth-management-api-boundary/
• No OpenSpec required: N/A
• Vision/boundary impact: Preserves docs/vision.md and docs/architecture.md by keeping headless authorization, route classification, management metadata, and structured errors in oxmux; no GPUI, platform credential storage, OAuth UI, provider SDK, or app-shell behavior was added.

📖 Documentation Checklist

• I updated README.md, CONTRIBUTING.md, or OpenSpec docs when needed.
• I updated CHANGELOG.md for notable user-facing, compatibility, security, or workflow changes, or explained why it was not applicable. Not applicable: this is pre-release core boundary work documented by OpenSpec change artifacts.

✔️ Contributor Checklist

• My code follows the project's coding standards.
• I have added a .env.example file if environment variables are needed and ensured no secrets are committed.
• My pull request is focused on a single project or change.
• I preserved the oxmux shared-core and oxidemux platform-shell boundary, or documented the OpenSpec-approved reason for changing it.
• I ran mise run ci locally, or explained why it was not applicable.
• I ran mise run security locally for dependency policy and vulnerability changes, or explained why it was not applicable. Not applicable: no dependency policy or vulnerability database changes.
• I ran relevant hk checks with mise run hk-check, or explained why they were not applicable. Commit hooks ran relevant hk checks, including mise run ci, during commit creation.

💬 Additional Comments

Validation run locally:

• openspec validate --changes add-local-client-auth-management-api-boundary
• cargo test -p oxmux
• mise run ci
• LSP diagnostics on modified Rust files

Release Notes:

• Added local client authorization primitives and protected local route boundary behavior in oxmux.

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[greptile-apps]

Greptile Summary

This PR adds local client authorization primitives to oxmux: a bearer-token credential type with redacted debug output, independent per-scope policies for inference and management routes, structured denial outcomes, and a route classifier that enforces auth before dispatch. The GET /health path remains intentionally unauthenticated, POST /v1/chat/completions requires inference-scope credentials, and GET|POST /v0/management/* routes require management-scope credentials — each returning RFC 7235-compliant 401s with WWW-Authenticate: Bearer realm="oxmux" on failure.

Confidence Score: 5/5

Safe to merge — no P0 or P1 issues found; previous thread concerns about timing comparison and WWW-Authenticate headers are addressed in this PR.

No critical or likely-bug findings. The custom constant-time comparison, route classifier, bearer parsing, auth enforcement, redaction, and test coverage are all implemented correctly. Previous review concerns (timing side-channel, missing WWW-Authenticate, management method wildcard) have each been addressed.

No files require special attention.

Important Files Changed

Filename	Overview
crates/oxmux/src/local_client_auth.rs	New module: bearer credential, constant-time comparison, route-scope policies, authorization outcome types, and redaction — all well-structured with appropriate Debug/Display impls that never expose the raw secret.
crates/oxmux/src/local_proxy_runtime.rs	Route classifier replaces raw match on (method, path), bearer parsing added to header loop, auth enforced before inference/management dispatch, and 401 responses now include WWW-Authenticate header via constant string injection.
crates/oxmux/src/minimal_proxy.rs	Adds local_client_unauthorized and management_boundary response constructors, maps LocalClientAuthorization core error, and adds LocalClientUnauthorized error code variant — all cleanly integrated.
crates/oxmux/src/errors.rs	Adds LocalClientAuthorization CoreError variant wrapping LocalClientAuthorizationFailure; Display delegates to the failure's own formatter — minimal, correct change.
crates/oxmux/src/management.rs	Adds local_route_protection field (redacted metadata) to ManagementSnapshot, defaulting to disabled() — no breaking changes to existing fields.
crates/oxmux/tests/local_proxy_runtime.rs	Adds deterministic integration tests covering authorized/unauthorized inference, management scope separation, bearer parsing failures, duplicate header rejection, and provider-execution suppression before auth succeeds.
crates/oxmux/tests/direct_use.rs	Adds public-facade test for authorization primitives and updates ManagementSnapshot construction test with the new local_route_protection field.
crates/oxmux/tests/provider_execution.rs	Adds the new local_route_protection field to ManagementSnapshot construction in the existing mock-provider health test — trivial additive change.
crates/oxmux/src/oxmux.rs	Registers local_client_auth module and re-exports all new public types through the crate facade — complete and correct.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    REQ[Incoming TCP Request] --> PARSE[parse_bounded_headers\ncontent-length + authorization]
    PARSE --> CLASSIFY[classify_local_route]

    CLASSIFY -->|GET /health| HEALTH[200 OK\nhealth response\nno auth required]
    CLASSIFY -->|POST /v1/chat/completions| INF_CHECK{proxy_route\nconfigured?}
    CLASSIFY -->|GET or POST /v0/management/*| MGT_CHECK{proxy_route\nconfigured?}
    CLASSIFY -->|anything else| UNSUPPORTED[404 Not Found\nunsupported_path]

    INF_CHECK -->|no| UNSUPPORTED
    INF_CHECK -->|yes| INF_AUTH{inference policy\n.authorize}
    INF_AUTH -->|Denied| UNAUTH_INF[401 Unauthorized\nWWW-Authenticate: Bearer\nscope: inference]
    INF_AUTH -->|Authorized or Disabled| PROXY[MinimalProxy\nprovider execution\n200 OK]

    MGT_CHECK -->|no| UNSUPPORTED
    MGT_CHECK -->|yes| MGT_AUTH{management policy\n.authorize}
    MGT_AUTH -->|Denied| UNAUTH_MGT[401 Unauthorized\nWWW-Authenticate: Bearer\nscope: management]
    MGT_AUTH -->|Authorized or Disabled| MGT_RESP[200 OK\nmanagement boundary\nplaceholder]

Loading

_{Reviews (4): Last reviewed commit: "Remove archived production readiness cha..." | Re-trigger Greptile}