
fix(app): gate admin bootstrap behind WithoutDefaults #81

Merged: jcsvwinston merged 1 commit into main from fix/without-defaults-admin-bootstrap-leak on May 28, 2026

Conversation

@jcsvwinston
Owner

Summary

  • app.New(cfg, app.WithoutDefaults()) (and the pkg/nucleus wrappers) previously ran admin.EnsureBootstrapAdminUser unconditionally — creating the nucleus_admin_users table, a privileged admin user, and emitting a one-time generated password to stderr — even for core-only apps that never mount an admin panel.
  • The bootstrap is now gated behind the same !o.skipDefaults guard that already gates attachDefaultSubsystems, so a WithoutDefaults() app provisions no admin credentials and touches no admin schema. Default-mode app.New(cfg) behaviour is unchanged.
  • Adds regression test TestAppNew_WithoutDefaults_DoesNotBootstrapAdmin and an [Unreleased] → Security CHANGELOG entry (patch bump).

This clears the long-standing P1 carry-forward backlog item.

Iteration loop

  • architect-reviewer: PASS (aligns with SPEC §3.1 "WithoutDefaults = core only"; no ADR needed)
  • code-reviewer: NITS only — addressed (tightened test assertion, trimmed comment)
  • security-auditor: PASS (leak fully closed; no secret-logging regression)
  • contract-guardian: PASS — contract freeze 6/6, no stable symbol/CLI/config change
  • test-runner: full go test ./... green (33 packages)

Follow-up (not in this PR)

All three reviewers flagged (SHOULD, non-blocking) that the admin-auth DB resolution just above the bootstrap still runs under WithoutDefaults(). Harmless today, but a core-only app with a bad admin_auth_database alias would fail at startup. Captured in .claude/state/CURRENT_ITERATION.md backlog.

Test plan

  • go test ./pkg/app/ -run TestAppNew_WithoutDefaults passes
  • go test ./... green locally
  • CI "Required Gate" green (full matrix incl. live MSSQL/Oracle)

🤖 Generated with Claude Code

app.New(cfg, app.WithoutDefaults()) ran admin.EnsureBootstrapAdminUser
unconditionally, creating the nucleus_admin_users table, a privileged admin
user, and a one-time stderr password even for core-only apps that never mount
an admin panel. Gate the bootstrap behind the same !o.skipDefaults guard that
already gates the default subsystems, so a WithoutDefaults() app provisions no
admin credentials. Default-mode app.New(cfg) behaviour is unchanged.

Adds regression test TestAppNew_WithoutDefaults_DoesNotBootstrapAdmin, an
[Unreleased] Security CHANGELOG entry, and refreshes the session state files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
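The guard the PR describes, modelled as an added Go example (not the project's own pkg/app code; Config, Option, App, applyOptions and bootstrapAdmin are hypothetical stand-ins): NewLeaky reproduces the unconditional bootstrap, New shares the !skipDefaults guard with the default subsystems, and a test in the spirit of TestAppNew_WithoutDefaults_DoesNotBootstrapAdmin can assert on the recorded flags.

```go
package main

// Added example, not the project's own code: a minimal model of the option
// pattern the PR describes. Config, Option, App, applyOptions and bootstrapAdmin
// are hypothetical stand-ins for pkg/app and admin.EnsureBootstrapAdminUser.

type Config struct{ Name string }
type options struct{ skipDefaults bool }
type Option func(*options)

// WithoutDefaults requests a core-only app with no default subsystems.
func WithoutDefaults() Option { return func(o *options) { o.skipDefaults = true } }

// App records what startup did so a regression test can assert on it.
type App struct {
	DefaultsAttached  bool
	AdminBootstrapped bool // admin schema created, privileged user provisioned
}

// bootstrapAdmin stands in for the privileged bootstrap; here it only records that it ran.
func (a *App) bootstrapAdmin() { a.AdminBootstrapped = true }

func applyOptions(opts []Option) options {
	var o options
	for _, opt := range opts {
		opt(&o)
	}
	return o
}

// NewLeaky reproduces the pre-fix behaviour: the bootstrap runs regardless
// of WithoutDefaults(), so a core-only app still gets admin credentials.
func NewLeaky(cfg Config, opts ...Option) *App {
	o := applyOptions(opts)
	a := &App{DefaultsAttached: !o.skipDefaults}
	a.bootstrapAdmin() // bug: not covered by the skipDefaults guard
	return a
}

// New applies the fix: the bootstrap shares the !skipDefaults guard with the
// default subsystems, so WithoutDefaults() touches no admin state.
func New(cfg Config, opts ...Option) *App {
	o := applyOptions(opts)
	a := &App{}
	if !o.skipDefaults {
		a.DefaultsAttached = true
		a.bootstrapAdmin()
	}
	return a
}

func main() { _ = New(Config{Name: "core-only"}, WithoutDefaults()) }
```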
@jcsvwinston jcsvwinston merged commit 1702770 into main May 28, 2026
10 checks passed
@jcsvwinston jcsvwinston deleted the fix/without-defaults-admin-bootstrap-leak branch May 28, 2026 17:59