Guardian: mTLS adapter auth + keep the authn/authz seams generic (public ships Basic only)
Public-repo scope for guardian auth: keep authentication to the current Basic (OpenCode) model, add mTLS for adapter transport identity, and keep the #429/#433 seams generic so additional providers can be supplied downstream — without the public guardian shipping them. The public guardian stays single-tenant with Basic auth.
An extension of the 0.12.0 seams (#429/#433), not a re-architecture.
Public authentication (current — unchanged)
New public strategy
Keep the seams generic (so providers can be supplied downstream)
Security invariants
- Default-deny gate; credentials/tokens never logged; guardian-only ingress, fail-closed moderation, loopback-default assistant — all unchanged.
Out of public scope
Additional authentication providers and any richer authorization model are not part of the public guardian — only Basic (+ mTLS) ship here. The seams above exist precisely so such providers can be supplied downstream without forking the guardian.
Dependencies / relationships
Public scope: Basic (OpenCode) auth (current) + mTLS adapter transport identity, with generic authn/authz seams. Additional providers and richer authorization are out of public scope.
Guardian: mTLS adapter auth + keep the authn/authz seams generic (public ships Basic only)
Public-repo scope for guardian auth: keep authentication to the current Basic (OpenCode) model, add mTLS for adapter transport identity, and keep the #429/#433 seams generic so additional providers can be supplied downstream — without the public guardian shipping them. The public guardian stays single-tenant with Basic auth.
Public authentication (current — unchanged)
channelId:channelSecret→ Principal (Guardian: opt-in moderating front door for direct OpenCode clients #429) — the single credential/identity model, as today.GUARDIAN_ADMIN_TOKEN_FILE,GUARDIAN_MCP_TOKEN_FILE) — unchanged infra plumbing.New public strategy
channel_lan). A machine/transport identity for adapters, not an identity provider. (this issue owns it — no other issue tracks it; the stale Channel adapters become official-OpenCode-SDK clients (X-to-OpenCode packages); retire channels-sdk transport #434 reference was wrong.)Keep the seams generic (so providers can be supplied downstream)
authenticate(request) → Principalstep stays a generic seam; Basic + mTLS are the public strategies behind it.Principal(Guardian state store (bun:sqlite): ingress/client registry + optional restart persistence #433).Security invariants
Out of public scope
Additional authentication providers and any richer authorization model are not part of the public guardian — only Basic (+ mTLS) ship here. The seams above exist precisely so such providers can be supplied downstream without forking the guardian.
Dependencies / relationships
Principalregistry), Configurable personas per channel (over OpenCode agents) #22 (personas), Guardian Gateway: one moderation front door speaking OpenCode-proxy, MCP + A2A (in-process) #432/Channel adapters become official-OpenCode-SDK clients (X-to-OpenCode packages); retire channels-sdk transport #434 (standard-protocol ingress + portals).Public scope: Basic (OpenCode) auth (current) + mTLS adapter transport identity, with generic authn/authz seams. Additional providers and richer authorization are out of public scope.