Skip to content

Guardian: mTLS adapter auth + keep authn/authz seams generic  #435

Description

@itlackey

Guardian: mTLS adapter auth + keep the authn/authz seams generic (public ships Basic only)

Public-repo scope for guardian auth: keep authentication to the current Basic (OpenCode) model, add mTLS for adapter transport identity, and keep the #429/#433 seams generic so additional providers can be supplied downstream — without the public guardian shipping them. The public guardian stays single-tenant with Basic auth.

An extension of the 0.12.0 seams (#429/#433), not a re-architecture.

Public authentication (current — unchanged)

New public strategy

Keep the seams generic (so providers can be supplied downstream)

Security invariants

  • Default-deny gate; credentials/tokens never logged; guardian-only ingress, fail-closed moderation, loopback-default assistant — all unchanged.

Out of public scope

Additional authentication providers and any richer authorization model are not part of the public guardian — only Basic (+ mTLS) ship here. The seams above exist precisely so such providers can be supplied downstream without forking the guardian.

Dependencies / relationships


Public scope: Basic (OpenCode) auth (current) + mTLS adapter transport identity, with generic authn/authz seams. Additional providers and richer authorization are out of public scope.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions