Umbrella: #396 (portal-boundary hardening). From the 2026-06-18 security audit, actions D (+ overlaps the safety-config write path).
Problem
`POST /api/config` writes raw `~/.agentwire/config.yaml`. Anyone with the token can:
- set `auth_token: ""` to disable auth entirely,
- rewrite `executables`/`services` for persistent RCE,
- change `server.host`.
And `POST /api/safety/config` can disable the rm-rf damage-control rules with the same token. One leaked secret defeats defense-in-depth.
Scope
- Make `auth_token`, `server.host`, `executables`, and safety-disable host-file-edit-only — reject them in `POST /api/config` and `POST /api/safety/config`.
- Read-side redaction already exists (`server.py:3583`) but is cosmetic; this closes the write path.
Verification
With a valid token, attempt to set `auth_token: ""`, add an `executables` entry, and disable a safety rule via the API; confirm each is rejected (and still editable by hand on the host).
From #396 audit (action D). Highest-leverage hardening — stops the token from turning off its own protections.
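Added example, not agentwire's code and not what `server.py` currently does: one shape the write-side rejection could take, as a guard both POST handlers would call before persisting. It assumes the request body is already parsed to a dict, that the handler can load the current on-disk config, and that safety rules live under a `rules` mapping keyed by name with an `enabled` flag (the real file layout is not shown in this issue). `services` is protected on the strength of the Problem section. Beyond the Scope text, the guard also copies protected values back from the on-disk file so that omitting `auth_token` from a full-config POST cannot delete it, and treats a rule missing from the posted set as disabled.

```python
"""Write-side guard for host-file-edit-only config keys (added example, not agentwire code)."""
from __future__ import annotations

import copy
from typing import Any

# Dotted paths that may only change by editing ~/.agentwire/config.yaml on the host.
# "services" is included because the issue names executables/services together as
# the RCE path; the scope list itself names executables only. Assumed shape.
HOST_EDIT_ONLY: tuple[str, ...] = ("auth_token", "server.host", "executables", "services")


class ProtectedKeyError(ValueError):
    """Raised when an API write touches a host-file-edit-only key or rule."""


def _lookup(cfg: Any, path: str) -> tuple[bool, Any]:
    """Follow a dotted path through nested mappings; returns (found, value)."""
    cur = cfg
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur


def _assign(cfg: dict, path: str, value: Any) -> None:
    """Set a dotted path, refusing to clobber a non-mapping on the way down."""
    parts = path.split(".")
    cur = cfg
    for part in parts[:-1]:
        nxt = cur.setdefault(part, {})
        if not isinstance(nxt, dict):  # e.g. body sent server: "0.0.0.0" as a scalar
            raise ProtectedKeyError(f"{path!r}: {part!r} must stay a mapping")
        cur = nxt
    cur[parts[-1]] = value


def guard_config_write(existing: dict, incoming: dict) -> dict:
    """Return the config POST /api/config may persist.

    Any protected path present in the request is rejected outright, even if
    unchanged: a client has no business sending it. Protected values are then
    copied back from the on-disk config, so leaving auth_token out of a
    full-config POST cannot drop it from the file and disable auth by accident.
    """
    if not isinstance(incoming, dict):
        raise ProtectedKeyError("config body must be a mapping")
    hits = [p for p in HOST_EDIT_ONLY if _lookup(incoming, p)[0]]
    if hits:
        raise ProtectedKeyError("host-file-edit-only keys in request: " + ", ".join(hits))
    merged = copy.deepcopy(incoming)
    for path in HOST_EDIT_ONLY:
        found, value = _lookup(existing, path)
        if found:
            _assign(merged, path, copy.deepcopy(value))
    return merged


def guard_safety_write(existing: dict, incoming: dict) -> dict:
    """Return the safety config POST /api/safety/config may persist.

    A rule counts as disabled if its "enabled" flag goes from true to false or
    if it is missing from the posted rule set (disable by omission). Adding or
    tightening rules is allowed. Rule layout is an assumption of this example.
    """
    if not isinstance(incoming, dict):
        raise ProtectedKeyError("safety body must be a mapping")
    old_rules = existing.get("rules") or {}
    new_rules = incoming.get("rules") or {}
    disabled = []
    for name, old in old_rules.items():
        was_on = bool(old.get("enabled", True)) if isinstance(old, dict) else True
        new = new_rules.get(name)
        if new is None:
            now_on = False
        else:
            now_on = bool(new.get("enabled", True)) if isinstance(new, dict) else True
        if was_on and not now_on:
            disabled.append(name)
    if disabled:
        raise ProtectedKeyError("rules may only be disabled on the host: " + ", ".join(disabled))
    return copy.deepcopy(incoming)


def is_rejected(guard, existing: dict, incoming: dict) -> bool:
    """True if the guard refuses the write; mirrors the Verification checks."""
    try:
        guard(existing, incoming)
    except ProtectedKeyError:
        return True
    return False


# Constructed sample state standing in for the two on-disk files.
CONFIG_ON_HOST = {
    "auth_token": "s3cr3t",
    "server": {"host": "127.0.0.1", "port": 8080},
    "executables": {"git": "/usr/bin/git"},
    "theme": "dark",
}
SAFETY_ON_HOST = {"rules": {"rm-rf": {"enabled": True}, "chmod-777": {"enabled": True}}}

if __name__ == "__main__":
    for body in ({"auth_token": ""}, {"executables": {"sh": "/tmp/x"}}, {"server": {"host": "0.0.0.0"}}):
        print(body, "->", "rejected" if is_rejected(guard_config_write, CONFIG_ON_HOST, body) else "ACCEPTED")
    print("legit edit ->", guard_config_write(CONFIG_ON_HOST, {"server": {"port": 9090}, "theme": "light"}))
    body = {"rules": {"rm-rf": {"enabled": False}, "chmod-777": {"enabled": True}}}
    print("disable rm-rf ->", "rejected" if is_rejected(guard_safety_write, SAFETY_ON_HOST, body) else "ACCEPTED")
```

The hand edit on the host stays unaffected because the guard only sits in the HTTP handlers; whatever the file loader reads at startup is trusted as before.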