fix: enforce hooks token separation from gateway auth (#20813)

* fix(an-03): apply security fix Generated by staged fix workflow. * fix(an-03): apply security fix Generated by staged fix workflow. * fix(an-03): remove stale test-link artifact from patch Remove accidental a2ui test-link artifact from the tracked diff and keep startup auth enforcement centralized in startup-auth.ts.
2026-05-08 11:01:24 +00:00 · 2026-02-19 02:48:08 -08:00
parent 267bb3c81c
commit f7a7a28c56
4 changed files with 114 additions and 4 deletions
--- a/src/security/audit-extra.sync.ts
+++ b/src/security/audit-extra.sync.ts
@@ -441,7 +441,7 @@ export function collectHooksHardeningFindings(
  if (token && gatewayToken && token === gatewayToken) {
    findings.push({
      checkId: "hooks.token_reuse_gateway_token",
-      severity: "warn",
+      severity: "critical",
      title: "Hooks token reuses the Gateway token",
      detail:
        "hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API.",