
Track auth hardening for non-localhost deployments #2

Description

@vonargo

EAI currently binds to localhost by default and warns users before exposing the control plane or notebook to a LAN/Tailscale/trusted network. There is not yet an authentication layer.

This issue tracks future hardening so the public bundle does not imply that network exposure is safe by default.

Scope:

- Keep localhost as the safe default.
- Document the risks of EAI_HOST=0.0.0.0 and EAI_NOTEBOOK_HOST=0.0.0.0.
- Decide the minimum viable auth approach for early public use.

NOTE:
Avoid adding a large identity/security framework prematurely.

Done when:

- Remote access has a bounded auth mechanism or a clearly documented "not supported yet" boundary.
- README and .env.example accurately describe the exposure risk.
- No unauthenticated Act-tier or governance mutation endpoints are casually exposed.
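One shape the "bounded auth mechanism" could take, as an added example that is not part of the issue or the EAI code base: a startup gate that keeps loopback as the default, refuses to bind a non-loopback host unless a shared token is configured, and a per-request check that accepts loopback peers without a token but requires a constant-time-compared bearer token from everyone else. EAI_HOST and EAI_NOTEBOOK_HOST are the variables named in the issue; EAI_AUTH_TOKEN, the Authorization header convention, the minimum token length and all function names are assumptions made here for illustration.

```python
"""Added example, not EAI project code: a minimal auth gate for non-localhost binds.

Assumed conventions (not from the issue): EAI_AUTH_TOKEN holds a shared secret,
clients send it as 'Authorization: Bearer <token>', and tokens are hex strings
of at least MIN_TOKEN_BYTES random bytes.
"""
import hmac
import ipaddress
import secrets
from typing import Mapping, Optional, Tuple

LOCAL_DEFAULT = "127.0.0.1"
MIN_TOKEN_BYTES = 16  # assumed policy: at least 128 bits of randomness
TOKEN_VAR = "EAI_AUTH_TOKEN"  # assumed variable name


def is_loopback(host: str) -> bool:
    """True for 'localhost', 127.0.0.0/8 and ::1; False for anything else or unparsable input."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def new_token() -> str:
    """Generate a token that satisfies the assumed length policy."""
    return secrets.token_hex(MIN_TOKEN_BYTES)


def exposure_error(env: Mapping[str, str], host_var: str) -> Optional[str]:
    """Return a human-readable reason the configuration must not start, or None if it is safe.

    Unset or loopback host: fine without a token (the localhost default).
    Any other host (0.0.0.0, a LAN or Tailscale address): a token of adequate length is mandatory.
    """
    host = env.get(host_var, LOCAL_DEFAULT).strip() or LOCAL_DEFAULT
    token = env.get(TOKEN_VAR, "")
    if is_loopback(host):
        return None
    if not token:
        return (f"{host_var}={host} exposes the service beyond loopback; "
                f"refusing to start because {TOKEN_VAR} is unset (remote access would be unauthenticated)")
    if len(token) < 2 * MIN_TOKEN_BYTES:  # hex encoding: 2 chars per byte
        return f"{TOKEN_VAR} is shorter than {MIN_TOKEN_BYTES} bytes; generate one with new_token()"
    return None


def resolve_bind(env: Mapping[str, str], host_var: str) -> Tuple[str, Optional[str]]:
    """Return (host, token) to bind with, raising instead of starting an exposed, unauthenticated service."""
    err = exposure_error(env, host_var)
    if err:
        raise RuntimeError(err)
    host = env.get(host_var, LOCAL_DEFAULT).strip() or LOCAL_DEFAULT
    return host, env.get(TOKEN_VAR) or None


def is_authorized(headers: Mapping[str, str], expected: Optional[str], peer_ip: str) -> bool:
    """Per-request check.

    With no token configured the service is loopback-only, so only loopback peers pass;
    with a token configured every peer must present it, compared in constant time.
    """
    if expected is None:
        return is_loopback(peer_ip)
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample environments for a quick local run.
    print(exposure_error({}, "EAI_HOST"))                        # None: loopback default
    print(exposure_error({"EAI_HOST": "0.0.0.0"}, "EAI_HOST"))   # refusal message
    tok = new_token()
    host, token = resolve_bind({"EAI_NOTEBOOK_HOST": "0.0.0.0", TOKEN_VAR: tok}, "EAI_NOTEBOOK_HOST")
    print(host, is_authorized({"Authorization": f"Bearer {tok}"}, token, "10.0.0.5"))
```

The gate is deliberately small: one environment variable, one header, no identity framework. Trusting loopback peers when no token is set matches the issue's "localhost is the safe default"; a stricter variant would require the token on every mutating request regardless of peer address, so that an exposed notebook and an exposed control plane never differ in what an unauthenticated client can change.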
