Follow-up from the v0.18.4 security review of #1842 (local-loopback auth fallback for /issues/submit + /issues/add_message).
The adversarial review (docs/releases/in_progress/v0.18.4/security_review.md, finding F5) noted a possible efficacy gap, not a security issue:
- With encryption off, the global auth gate already stamps the local user for any local no-Bearer request before the handler runs, making the new routeAllowsLocalIssueWriteFallback branch effectively redundant.
- With encryption on, a no-credential local request may be gated earlier, so it's unverified end-to-end that the new branch actually closes the original AUTH_REQUIRED symptom Jacob hit.
The change is safe in all configurations (it never loosens auth beyond the global gate, and the remote-no-bearer 401 regression test passes). This issue is only to confirm the fix is effective for the encryption-on local/offline configuration that the reporter runs, and add an integration test for that exact path if a gap is found.
Acceptance: an integration test that reproduces the reporter's encryption-on offline config and asserts issues create succeeds without a bearer (or, if the global gate already handles it, document that and close).