F2.F — --no-auth legacy mode + v0.8 / v0.9 deprecation plan

[HXYerror]

Part of #23. Depends on F2.B, F2.C.

Background

copilot-api today has no auth; flipping default-on in one release breaks every existing user. Per security S2, however, --no-auth default is risky — public-facing port + no auth = burned-Copilot-quota and possible account suspension.

⚠️ Open question (please decide before this issue is implemented)

Originally the architect recommended auth=off default in v0.8 to preserve compat. Security review (S2) pushed back: the README itself warns about GitHub abuse-detection. Two viable options:

Option A (compat-first):

• --no-auth default in v0.8, deprecation banner every startup
• Default flipped in v0.9
• Safer for existing single-tenant users

Option B (safety-first, recommended by security):

• auth=on default in v0.8 with auto-bootstrap (F2.B)
• --no-auth requires explicit --i-accept-account-suspension-risk flag
• Refuse --no-auth on non-loopback bind address unless ack flag set
• Existing users who run on localhost are unaffected; users who exposed the port now must opt-in

This issue assumes Option B — adjust if you pick Option A.

Goal

Safe migration from "no admin features" v0.7 → "fully admin'd" v0.8 with explicit opt-out for the legacy single-tenant pattern.

Tasks

• Add --no-auth and --i-accept-account-suspension-risk flags to start command in src/main.ts
• Default behavior: auto-bootstrap admin key (F2.B)
• If --no-auth and bind address is loopback (127.0.0.1, ::1, localhost): allow with yellow warning printed once
• If --no-auth and bind address is non-loopback: REFUSE to start unless --i-accept-account-suspension-risk is set; print red error pointing at the README abuse-detection section
• Startup banner includes auth_mode: on | off (loopback) | off (acknowledged risk)
• /admin status page shows the same
• Audit-log server.start_no_auth with bind address (per F2.D)
• README updates:
  • New "Admin Plane / Authentication" section
  • "Migrating from v0.7" section explaining the bootstrap key flow
  • Beef up the existing GitHub abuse-detection warning with a "DO NOT run --no-auth on a public port" notice
• CHANGELOG entry under "Breaking changes in v0.8"
• Telemetry: emit auth_mode metric to events table (or just log at boot)

Acceptance criteria

• Running copilot-api start --no-auth --port 4141 (defaults bind to 0.0.0.0 in current code) refuses without the ack flag
• Running on loopback succeeds with warning
• README has explicit warning + migration path
• Existing tests pass

File pointers

• Touch: src/main.ts, src/start.ts, README.md, CHANGELOG.md

Dependencies

Depends on F2.B, F2.C. Should land before any v0.8 release.

[HXYerror]

Decision update — 2026-05-09

Q1 resolved: the --i-accept-account-suspension-risk flag and public-IP guard described in the issue body are out of scope. Remove those tasks when implementing.

Instead, the issue scope narrows to:

• --no-auth default behavior (compat vs auth-on)
• Startup mode banner (auth on / auth off — no abuse language)
• First-run bootstrap flow (from F2.B F2.B — Keys table, sk-cap key generator, first-run admin bootstrap #28)
• README migration guide

Q2 resolved: the "recommend litellm for multi-tenant" suggestion is rejected — we are enriching copilot-api.