For HTTP deployments, enable API-key auth and role-based authorization.
Do not expose HTTP transport publicly without ENABLE_AUTH=true.
Enable auth
ENABLE_AUTH=true
AUTH_HEADER_NAME=x-api-key
AUTH_API_KEYS=viewer-key:viewer:viewer1,editor-key:editor:editor1,admin-key:admin:admin1
Roles
| Role | Permissions |
|---|
viewer | Read-only operations (list, read, search, status) |
editor | Viewer permissions + non-destructive write, build, and test operations |
admin | Full access including destructive operations (delete, restore, force push) |
Security controls in the codebase
| Control | Description |
|---|
| Path traversal prevention | All paths are resolved within the project root boundary |
| Protected-path blocking | Configured PROTECTED_PATHS cannot be mutated |
| Confirm flags | Destructive operations require explicit confirm: true |
| Command allowlist | Only commands in ALLOWED_COMMANDS can be executed |
| Output size limits | Command and resource outputs are truncated at MAX_OUTPUT_SIZE |
| Per-project locking | Mutating operations use a per-project lock to prevent race conditions |
Operational recommendations
- Rotate API keys regularly
- Use separate keys per environment
- Keep admin keys scoped to trusted automation
- Enable telemetry for request auditing