feat(security): warn on dangerous config flags at startup

2026-05-09 07:57:39 +00:00 · 2026-02-22 10:11:03 +01:00
parent de2e5c7b74
commit f101d59d57
4 changed files with 81 additions and 25 deletions
--- a/src/gateway/server-startup-log.test.ts
+++ b/src/gateway/server-startup-log.test.ts
@@ -0,0 +1,45 @@
+import { describe, expect, it, vi } from "vitest";
+import { logGatewayStartup } from "./server-startup-log.js";
+
+describe("gateway startup log", () => {
+  it("warns when dangerous config flags are enabled", () => {
+    const info = vi.fn();
+    const warn = vi.fn();
+
+    logGatewayStartup({
+      cfg: {
+        gateway: {
+          controlUi: {
+            dangerouslyDisableDeviceAuth: true,
+          },
+        },
+      },
+      bindHost: "127.0.0.1",
+      port: 18789,
+      log: { info, warn },
+      isNixMode: false,
+    });
+
+    expect(warn).toHaveBeenCalledTimes(1);
+    expect(warn).toHaveBeenCalledWith(expect.stringContaining("dangerous config flags enabled"));
+    expect(warn).toHaveBeenCalledWith(
+      expect.stringContaining("gateway.controlUi.dangerouslyDisableDeviceAuth=true"),
+    );
+    expect(warn).toHaveBeenCalledWith(expect.stringContaining("openclaw security audit"));
+  });
+
+  it("does not warn when dangerous config flags are disabled", () => {
+    const info = vi.fn();
+    const warn = vi.fn();
+
+    logGatewayStartup({
+      cfg: {},
+      bindHost: "127.0.0.1",
+      port: 18789,
+      log: { info, warn },
+      isNixMode: false,
+    });
+
+    expect(warn).not.toHaveBeenCalled();
+  });
+});