feat(dev): enforce module auth in --tunnel mode by injecting MS_INTERNAL_SECRET#33
Merged
Merged
Conversation
3 tasks
…NAL_SECRET
`mirrorstack dev --tunnel` exposes the module's localhost:8080 to remote
callers via dispatch's Leaf-1 307 redirect. Today the spawned module
process has no MS_INTERNAL_SECRET, so the SDK's InternalAuth middleware
takes the local-dev bypass branch — and any remote caller can hit
/__mirrorstack/* without auth. The whole point of tunnel mode is to be
production-shaped for dev-test, so the bypass is wrong here.
What this PR does:
- On --tunnel, mint a 32-byte URL-safe-b64 secret (OsRng).
- Set MS_INTERNAL_SECRET=<secret> on the `go run .` child process, which
flips the bypass-vs-enforce matrix in
app-module-sdk/auth/middleware.go to "enforce".
- Send the same secret to dispatch in the WSS register frame as a new
`internal_secret` field (skip_serializing_if = Option::is_none, so
older dispatch builds keep round-tripping the frame intact).
Follow-ups (separate PRs, separate repos):
- api-platform/dispatch: parse `internal_secret` on register, persist
in the ws.Session record, and attach `X-MS-Internal-Secret: <secret>`
to every forwarded request — including the manifest fetcher (which
will start 401ing the moment this CLI lands without the dispatch fix).
- app-module-sdk: add PlatformAuth identity injection from signed
headers so /platform/* can be reached end-to-end.
See memory/feedback_tunnel_auth_no_bypass.md for the architecture rule
("tunnel mode never bypasses; CLI auto-injects; dispatch signs").
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
a89a37c to
479f32b
Compare
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the security gap where `mirrorstack dev --tunnel` exposes the module's `localhost:8080` to remote callers (via dispatch's Leaf-1 307) without ever setting `MS_INTERNAL_SECRET` — so the SDK's InternalAuth middleware takes the local-dev bypass branch and any caller can hit `/__mirrorstack/*` unauthenticated.
This PR is the first slice of the wider tunnel-auth workstream (see memory/feedback_tunnel_auth_no_bypass.md). Architecture rule: tunnel mode never bypasses auth; the CLI auto-injects secrets; dispatch signs forwarded requests.
What changes
Diff: +90 / -21 across 3 files in `src/commands/dev/`. No behavior change when `--tunnel` is unset.
Cascade (separate PRs, separate repos)
This PR alone will break the existing dev-mount manifest fetch because dispatch doesn't yet read or forward the new field, so the platform's HTTP call to `/__mirrorstack/platform/manifest` will start 401ing the moment a dev runs the new CLI. Coordinated follow-ups:
Test plan
🤖 Generated with Claude Code