…ride Today docsiq refuses to start when server.api_key is empty and the bind host is anything other than loopback. That's the right safe default, but it makes deployments to trusted private networks (homelabs, air-gapped clusters, single-tenant LANs) require an API key just for the boot gate, with no real adversary on the network. Add server.allow_unauthenticated (DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED=true) that downgrades the non-loopback refusal to a loud warning. Default is false — every existing install behaves identically. Operators who set the override get a prominent boot-time warning naming the bound host and port plus an explicit "do NOT enable on the public internet" line. The boot-time error messages now mention the override env var so anyone hitting the refusal sees both escape hatches (set a key OR set the override) without grepping the docs. Tests: 2 new cmd-level cases (override allows non-loopback bind across '', 0.0.0.0, RFC 1918 hosts; error messages mention the override env var) and 1 new config-level case proving DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED is reachable via env (regression guard for viper #761 if the BindEnv loop ever regresses).
Summary
- Today docsiq refuses to start when server.api_key is empty and the bind host is anything other than loopback. That's the right safe default for any host that might be on a public network, but it makes every deployment to a trusted private network require an API key purely as a boot-gate ritual.
- Add server.allow_unauthenticated (env: DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED=true) that downgrades the non-loopback refusal to a loud warning. Default is false — every existing install boots identically.

Why opt-in instead of removing the gate
Just deleting the safety check would mean someone running docsiq serve --host 0.0.0.0 on a VPS gets a fully unauthenticated docsiq exposed to the public internet — no warning, no error, full document corpus and LLM proxy reachable. The opt-in keeps that footgun closed for downstream users while letting operators on trusted networks set one env var and move on.

When the override is active the warning explicitly names the exposure and tells operators not to enable it on the public internet:
Test plan
- go vet -tags sqlite_fts5 ./cmd/... ./internal/config/... clean
- go test -tags sqlite_fts5 ./cmd/... ./internal/config/... 82/82 pass
- TestValidateServeSecurity_AllowsNonLoopbackWithOverride — override allows '', 0.0.0.0, 10.0.0.5, 192.168.1.42 to boot
- TestValidateServeSecurity_OverrideHintAppearsInErrors — error message mentions DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED
- TestLoad_EnvOverridesServerAllowUnauthenticated — env var actually reaches cfg.Server.AllowUnauthenticated

0.0.0.0:37793

Compatibility
Drop-in. Default value of the new key is false so behavior is identical for everyone who hasn't explicitly opted in.

🤖 Generated with Claude Code
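The boot gate the PR describes, sketched as a stand-alone Go example. This is added illustration, not docsiq's code: the ServerConfig struct, ValidateServeSecurity, isLoopbackBind and the exact warning and error wording are assumptions chosen to match the behaviour described above (refuse a non-loopback bind with an empty key, downgrade to a warning naming host and port when the override is set, mention the override env var in the refusal). The loopback test treats an empty host and 0.0.0.0/:: as "all interfaces", i.e. not loopback, which is the case the PR's tests exercise.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Hypothetical names; docsiq's real config struct and validator may differ.
const allowUnauthEnv = "DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED"

// ServerConfig mirrors the server.* keys the PR talks about.
type ServerConfig struct {
	Host                 string // server.host
	Port                 int    // server.port
	APIKey               string // server.api_key
	AllowUnauthenticated bool   // server.allow_unauthenticated
}

// isLoopbackBind reports whether binding to host can only receive traffic
// from the local machine. An empty host, 0.0.0.0 and :: mean "all
// interfaces" and an unresolvable name might be network-reachable, so all
// of those count as non-loopback.
func isLoopbackBind(host string) bool {
	h := strings.TrimSpace(host)
	if h == "" {
		return false
	}
	if strings.EqualFold(h, "localhost") {
		return true
	}
	ip := net.ParseIP(strings.Trim(h, "[]")) // accept bracketed IPv6 literals
	if ip == nil {
		return false
	}
	return ip.IsLoopback()
}

// ValidateServeSecurity is the boot gate. It returns an error when the
// server must refuse to start, a non-empty warning when the override is in
// effect, and ("", nil) when the configuration is safe as-is.
func ValidateServeSecurity(cfg ServerConfig) (warning string, err error) {
	if cfg.APIKey != "" || isLoopbackBind(cfg.Host) {
		return "", nil
	}
	bind := net.JoinHostPort(cfg.Host, fmt.Sprint(cfg.Port))
	if !cfg.AllowUnauthenticated {
		// The refusal names both escape hatches: set a key or set the override.
		return "", fmt.Errorf(
			"refusing to start: server.api_key is empty and bind host %q is not loopback; "+
				"set server.api_key, or set %s=true only on a trusted private network",
			cfg.Host, allowUnauthEnv)
	}
	// Override active: boot, but say loudly where the unauthenticated listener is.
	return fmt.Sprintf(
		"WARNING: serving UNAUTHENTICATED on %s because %s=true; "+
			"do NOT enable this on the public internet", bind, allowUnauthEnv), nil
}

func main() {
	// Constructed sample configurations covering the cases in the PR's test plan.
	cases := []ServerConfig{
		{Host: "127.0.0.1", Port: 8080},
		{Host: "0.0.0.0", Port: 8080},
		{Host: "0.0.0.0", Port: 8080, APIKey: "s3cret"},
		{Host: "", Port: 37793, AllowUnauthenticated: true},
		{Host: "192.168.1.42", Port: 37793, AllowUnauthenticated: true},
	}
	for _, c := range cases {
		w, err := ValidateServeSecurity(c)
		switch {
		case err != nil:
			fmt.Println("REFUSE:", err)
		case w != "":
			fmt.Println(w)
		default:
			fmt.Printf("ok: host=%q key_set=%v\n", c.Host, c.APIKey != "")
		}
	}
}
```

The gate runs on the already-merged config, so whether the override arrived from the config file or from DOCSIQ_SERVER_ALLOW_UNAUTHENTICATED is invisible to it; that is why the PR needs a separate config-level test proving the env var actually lands in cfg.Server.AllowUnauthenticated.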