
fix: security hardening + bearer token auth for SDK #1

Merged

0xSolace merged 6 commits into develop from fix/security-hardening on Mar 22, 2026

Conversation

@0xSolace (Owner)

Summary

Security hardening pass plus critical auth fix for the SDK client.

Security Fixes

  1. Separate JWT secret from master password — New STEWARD_JWT_SECRET env var. Falls back to master password with warning if not set.

  2. Bind to localhost by default — Steward now binds to 127.0.0.1 instead of 0.0.0.0. Configurable via STEWARD_BIND_HOST.

  3. Request body size limit — 1MB limit via Hono middleware to prevent memory exhaustion.

  4. Request correlation IDs — Every request gets an X-Request-Id UUID, returned in response headers and included in logs.

SDK Auth Fix (Critical)

  1. Bearer token auth for agent-scoped JWTs: StewardClient now accepts a bearerToken config option that sends Authorization: Bearer <token> instead of X-Steward-Key. This enables agent containers to authenticate with their JWT tokens.

    Previously, the SDK only supported tenant API key auth (X-Steward-Key), but production agents use JWT tokens. This mismatch caused all containers to silently fall back to local signing.

Environment Variables

Variable            Default             Description
STEWARD_JWT_SECRET  (master password)   Separate secret for JWT signing
STEWARD_BIND_HOST   127.0.0.1           Bind address for the API server

Testing

  • 62 pass, 4 fail (pre-existing integration tests needing DATABASE_URL)
  • All vault, policy engine, and plugin tests pass
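The four server-side fixes listed under Security Fixes, as an added TypeScript example that is not Steward's own code: Hono's middleware is replaced by plain functions so the file runs stand-alone, and the names `resolveSecurityConfig`, `handleRequest`, `IncomingRequest` and the `STEWARD_MASTER_PASSWORD` variable are assumptions (the PR itself names only STEWARD_JWT_SECRET and STEWARD_BIND_HOST).

```typescript
// Added example, not Steward's code: framework-agnostic versions of the
// hardening steps in this PR. Hono's middleware is replaced by plain
// functions so the file runs on its own. STEWARD_MASTER_PASSWORD,
// resolveSecurityConfig, handleRequest and IncomingRequest are assumed names.
import { randomUUID } from "node:crypto";

export const MAX_BODY_BYTES = 1024 * 1024; // 1MB body limit from the PR
export const DEFAULT_BIND_HOST = "127.0.0.1"; // loopback unless STEWARD_BIND_HOST overrides

export interface Env {
  STEWARD_JWT_SECRET?: string;
  STEWARD_MASTER_PASSWORD?: string; // assumed name for the master password setting
  STEWARD_BIND_HOST?: string;
}

export interface SecurityConfig {
  jwtSecret: string;
  jwtSecretSource: "STEWARD_JWT_SECRET" | "master-password-fallback";
  bindHost: string;
  warnings: string[]; // startup warnings the caller should log
}

// Fixes 1 and 2: separate JWT secret (with a warned fallback) and loopback bind.
export function resolveSecurityConfig(env: Env): SecurityConfig {
  const warnings: string[] = [];
  let jwtSecret = env.STEWARD_JWT_SECRET;
  let jwtSecretSource: SecurityConfig["jwtSecretSource"] = "STEWARD_JWT_SECRET";
  if (!jwtSecret) {
    if (!env.STEWARD_MASTER_PASSWORD) {
      throw new Error("neither STEWARD_JWT_SECRET nor the master password is configured");
    }
    jwtSecret = env.STEWARD_MASTER_PASSWORD;
    jwtSecretSource = "master-password-fallback";
    warnings.push("STEWARD_JWT_SECRET not set; JWTs are signed with the master password");
  }
  return { jwtSecret, jwtSecretSource, bindHost: env.STEWARD_BIND_HOST ?? DEFAULT_BIND_HOST, warnings };
}

// Minimal request/response shapes standing in for Hono's context.
export interface IncomingRequest {
  headers: Record<string, string>; // lower-cased header names
  body: Uint8Array;
}

export interface Outcome {
  status: number;
  requestId: string;
  responseHeaders: Record<string, string>;
  logLine: string;
}

// Fix 3: reject oversized bodies. Content-Length lets us refuse before reading;
// the actual byte count is checked too because the header may be absent or wrong.
export function exceedsBodyLimit(req: IncomingRequest, maxBytes = MAX_BODY_BYTES): boolean {
  const declaredHeader = req.headers["content-length"];
  const declared = declaredHeader === undefined ? req.body.byteLength : Number(declaredHeader);
  if (!Number.isInteger(declared) || declared < 0) return true; // malformed length: refuse
  return declared > maxBytes || req.body.byteLength > maxBytes;
}

// Fix 4: every request gets a fresh X-Request-Id that is echoed in the response
// and carried in the log line, even when the body limit rejects the request.
export function handleRequest(
  req: IncomingRequest,
  handler: (req: IncomingRequest, requestId: string) => number,
): Outcome {
  const requestId = randomUUID();
  const status = exceedsBodyLimit(req) ? 413 : handler(req, requestId);
  return {
    status,
    requestId,
    responseHeaders: { "x-request-id": requestId },
    logLine: `request_id=${requestId} status=${status} bytes=${req.body.byteLength}`,
  };
}
```

The id is generated server-side rather than copied from a client-supplied X-Request-Id, so log lines never carry caller-chosen content; if upstream ids need to be propagated, validate them as UUIDs before reusing them.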

…ation

When bearerToken is set in StewardClientConfig, the client sends
Authorization: Bearer <token> instead of X-Steward-Key. bearerToken
takes precedence when both are provided. This enables agent-scoped
JWT authentication used in production Steward deployments.
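The bearerToken precedence described in the PR summary and in the commit message above, as an added example that is not the Steward SDK's code: `StewardClientConfig`, `bearerToken`, `baseUrl` and the two header names follow the PR's description, while the `apiKey` field name, `selectAuth`, `prepareRequest`, `assertAuthorized`, the JWT shape check and the sample token are assumptions made here.

```typescript
// Added example, not the Steward SDK's code. bearerToken and the two header
// names come from the PR; apiKey, selectAuth, prepareRequest, assertAuthorized
// and the JWT shape check are assumptions made here.
export interface StewardClientConfig {
  baseUrl: string;
  apiKey?: string;      // tenant API key, sent as X-Steward-Key
  bearerToken?: string; // agent-scoped JWT, sent as Authorization: Bearer <token>
}

export type AuthMode = "bearer" | "api-key";

// Constructed sample token (header.payload.signature, base64url); not a real credential.
export const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZ2VudC0xIn0.c2lnbmF0dXJl";

// A compact JWT is three non-empty base64url segments. Checking this up front
// catches a tenant API key passed as bearerToken before a request is ever sent.
export function looksLikeJwt(token: string): boolean {
  const parts = token.split(".");
  return parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
}

// bearerToken wins when both credentials are configured.
export function selectAuth(config: StewardClientConfig): { mode: AuthMode; headers: Record<string, string> } {
  if (config.bearerToken) {
    if (!looksLikeJwt(config.bearerToken)) {
      throw new Error("bearerToken is not a compact JWT; did you mean apiKey?");
    }
    return { mode: "bearer", headers: { Authorization: `Bearer ${config.bearerToken}` } };
  }
  if (config.apiKey) {
    return { mode: "api-key", headers: { "X-Steward-Key": config.apiKey } };
  }
  throw new Error("StewardClientConfig needs apiKey or bearerToken");
}

export interface PreparedRequest {
  url: string;
  method: string;
  headers: Record<string, string>;
  body?: string;
}

// Builds the request the SDK would hand to fetch; kept synchronous so the
// header selection is easy to inspect and test.
export function prepareRequest(config: StewardClientConfig, method: string, path: string, body?: unknown): PreparedRequest {
  const { headers } = selectAuth(config);
  const base = config.baseUrl.replace(/\/+$/, "");
  return {
    url: `${base}${path}`,
    method,
    headers: { ...headers, "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// An auth rejection must surface to the caller. Swallowing it and signing
// locally is the silent fallback this PR's fix removes.
export function assertAuthorized(status: number, requestId?: string): void {
  if (status === 401 || status === 403) {
    throw new Error(`Steward rejected the credentials (HTTP ${status}, request id ${requestId ?? "n/a"})`);
  }
}
```

Only one credential header is ever sent: when bearerToken is configured the tenant key stays out of the request entirely, so a leaked agent request never exposes the tenant-wide key.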
@vercel vercel bot commented Mar 22, 2026

The latest updates on your projects.

Project      Deployment   Actions   Updated (UTC)
steward-fi   Error        Error     Mar 22, 2026 6:02pm


@0xSolace 0xSolace merged commit 6da17d0 into develop Mar 22, 2026
5 of 7 checks passed