
security(a2a,gateway): warn when bearer auth is disabled#904

Merged: bug-ops merged 4 commits into main from feat/855-access-control, Feb 25, 2026

Conversation

@bug-ops (Owner) commented Feb 25, 2026

Summary

Both servers already support configurable bearer auth via with_auth(); the warning surfaces misconfiguration at startup without changing default behavior.

Test plan

  • Verify existing auth middleware tests pass (cargo nextest run -p zeph-a2a -p zeph-gateway)
  • Start server without with_auth() — confirm WARN line appears in logs
  • Start server with with_auth(Some("token")) — confirm no warning emitted

Closes #869, #873, #855

Emit tracing::warn! in A2aServer::serve() and GatewayServer::serve()
when auth_token is None so operators are alerted to unauthenticated
network exposure at startup.

Closes #869, #873
github-actions bot added the documentation (Improvements or additions to documentation), rust and size/S labels, Feb 25, 2026
…auth test

- Add no_auth_when_token_unset test to zeph-gateway router test suite
- Update security.md with A2A/gateway bearer auth configuration docs
- Update configuration.md with gateway TOML block and env vars
- Update zeph-a2a and zeph-gateway READMEs with auth section
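The pattern the PR describes, as an added example that is not zeph's code: a server builder whose bearer token is optional, a startup check that reports unauthenticated exposure when no token is set (the equivalent of the `tracing::warn!` the PR adds; here it is returned as a value so it can be asserted on without a logging backend), and the per-request bearer check that `with_auth()` enables. `GatewayServer`, `with_auth` and `serve` follow the PR text; `StartupNotice`, `AuthDecision`, `check_bearer`, the bind address and the treatment of an empty token as "disabled" are assumptions of this example.

```rust
// Added example, not zeph's code. Names follow the PR text where it gives them;
// StartupNotice, AuthDecision, check_bearer and the empty-token rule are assumed.

/// What serve() reports about the auth configuration at startup.
#[derive(Debug, PartialEq)]
enum StartupNotice {
    /// Auth disabled: this is where the PR's tracing::warn! fires.
    Warn(String),
    /// A bearer token is configured: nothing to warn about.
    Ok,
}

/// Outcome of checking one request's Authorization header.
#[derive(Debug, PartialEq)]
enum AuthDecision {
    Allowed,
    Rejected(&'static str),
}

struct GatewayServer {
    bind_addr: String,
    /// None means "no auth" (the PR's default).
    auth_token: Option<String>,
}

impl GatewayServer {
    fn new(bind_addr: &str) -> Self {
        Self { bind_addr: bind_addr.to_string(), auth_token: None }
    }

    /// Mirrors the PR's with_auth(Option<&str>). Assumption: an empty token is
    /// treated as "disabled" so it warns instead of silently accepting "".
    fn with_auth(mut self, token: Option<&str>) -> Self {
        self.auth_token = token.filter(|t| !t.is_empty()).map(String::from);
        self
    }

    /// Startup check performed by serve(): warn once when auth is off.
    fn startup_notice(&self) -> StartupNotice {
        match self.auth_token {
            None => StartupNotice::Warn(format!(
                "no bearer token configured; {} accepts unauthenticated requests",
                self.bind_addr
            )),
            Some(_) => StartupNotice::Ok,
        }
    }

    /// Per-request check. With no token configured every request is allowed,
    /// which is exactly the exposure the startup warning points at.
    fn check_bearer(&self, authorization: Option<&str>) -> AuthDecision {
        let expected = match &self.auth_token {
            None => return AuthDecision::Allowed,
            Some(t) => t,
        };
        let header = match authorization {
            None => return AuthDecision::Rejected("missing Authorization header"),
            Some(h) => h,
        };
        // RFC 6750: the scheme name is case-insensitive, the token is not.
        let (scheme, presented) = match header.trim().split_once(char::is_whitespace) {
            Some((s, t)) => (s, t.trim_start()),
            None => return AuthDecision::Rejected("not a Bearer credential"),
        };
        if !scheme.eq_ignore_ascii_case("bearer") {
            return AuthDecision::Rejected("not a Bearer credential");
        }
        if constant_time_eq(presented.as_bytes(), expected.as_bytes()) {
            AuthDecision::Allowed
        } else {
            AuthDecision::Rejected("invalid token")
        }
    }

    /// Stand-in for serve(): emit the startup notice, then hand back the server.
    fn serve(self) -> Self {
        if let StartupNotice::Warn(msg) = self.startup_notice() {
            eprintln!("WARN {msg}");
        }
        self
    }
}

/// Compare without an early exit on the first differing byte (length still leaks).
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn main() {
    // Constructed configurations for the two cases in the PR's test plan.
    let open = GatewayServer::new("0.0.0.0:8080").serve();
    let locked = GatewayServer::new("127.0.0.1:8080").with_auth(Some("s3cret")).serve();
    println!("{:?}", open.check_bearer(None));
    println!("{:?}", locked.check_bearer(Some("Bearer s3cret")));
    println!("{:?}", locked.check_bearer(Some("Bearer wrong")));
}
```

Running `main` prints one `WARN` line for the first server and none for the second, matching the two checks in the PR's test plan; the `check_bearer` results show why the warning matters, since the unauthenticated server allows a request with no credential at all.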
github-actions bot added the size/M label and removed the size/S label, Feb 25, 2026
@bug-ops bug-ops enabled auto-merge (squash) February 25, 2026 19:03
@bug-ops bug-ops merged commit b02cb83 into main Feb 25, 2026
28 checks passed
@bug-ops bug-ops deleted the feat/855-access-control branch February 25, 2026 19:11

Labels

documentation (Improvements or additions to documentation), rust, size/M


Development

Successfully merging this pull request may close these issues:

  • Gateway auth disabled by default with no warning
  • A2A server exposes JSON-RPC endpoint without authentication
  • Epic: Access control completeness
