From ccef127067501f7596ff1c9f0b794a28866c2c40 Mon Sep 17 00:00:00 2001 From: tianzhou Date: Thu, 25 Jun 2026 03:07:22 -0700 Subject: [PATCH] feat: warn on startup when auth is enabled but no IAM rules exist MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit IAM is now opt-in — with no [[iam]] rules, every authenticated principal has full access. Emit a startup warning so an empty IAM section isn't a silent misconfiguration. Co-Authored-By: Claude Opus 4.8 (1M context) --- server/index.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/server/index.ts b/server/index.ts index 2c1a731..240c31b 100644 --- a/server/index.ts +++ b/server/index.ts @@ -4,7 +4,7 @@ import cookieParser from 'cookie-parser' import { authRouter } from './auth-routes' import { connectRouter } from './connect' import { mcpRouter, MCP_PATH } from './mcp' -import { loadConfig, loadConfigFromString, loadDemoConfig, isDemoMode, getBanner, getBranding, getExternalUrl, getAgents } from './lib/config' +import { loadConfig, loadConfigFromString, loadDemoConfig, isDemoMode, getBanner, getBranding, getExternalUrl, getAgents, isAuthEnabled, getIAMRules } from './lib/config' import { startDemoDatabase, stopDemoDatabase } from './lib/demo' import { testAllConnections } from './lib/test-connections' @@ -92,6 +92,14 @@ async function start() { console.log(`✓ Demo database started on port ${demoPort}`) } + // IAM is opt-in: with no [[iam]] rules, every authenticated principal gets full + // access. Warn so an empty IAM section with auth enabled isn't a silent misconfig. + if (isAuthEnabled() && getIAMRules().length === 0) { + console.warn( + '⚠ Auth is enabled but no [[iam]] rules are configured — every authenticated user and agent has full access to all connections. Add [[iam]] rules to restrict access.', + ) + } + // Test all connections to populate cache try { await testAllConnections()