From ec24483eb31bf6d721fca3d674781166485ebc28 Mon Sep 17 00:00:00 2001 From: Daniel Bedeleanu Date: Thu, 23 Apr 2026 10:10:12 +0300 Subject: [PATCH] security: add mandatory authentication policy - never disable auth Auth must ALWAYS be enabled in all environments. Added comprehensive rule: - NO auth bypass, debug mode, or dev-only disabling - NO hardcoded credentials or weak defaults - EVERY API endpoint requires JWT token - Password hashing via passlib pbkdf2_sha256 - Debug strategy for auth breakages (never skip auth) This ensures security is non-negotiable across all deployments. --- AI_RULES.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/AI_RULES.md b/AI_RULES.md index 2e8db243..2241c59c 100644 --- a/AI_RULES.md +++ b/AI_RULES.md @@ -41,7 +41,26 @@ This is the **Single Source of Truth** for ALL AI agents. Refer to [PROJECT_ARCH - **Triple Confirmation**: Deleting critical entities (Locations/Items) requires user confirmation 3 times. - **Native Alerts**: Use `window.confirm` for all destructive UI actions and Logout. -## 5. AI COMMAND SHORTCUTS +## 5. MANDATORY AUTHENTICATION SECURITY POLICY + +**CRITICAL**: Authentication is NEVER disabled. Not in development, not in production, not in any environment. + +- **NO AUTH BYPASS**: Never implement auth bypass, debug mode to skip auth, or dev-only auth disabling. +- **NO HARDCODED CREDENTIALS**: Credentials must be initialized through proper database migrations or admin setup scripts. +- **NO WEAK DEFAULTS**: No default usernames like "admin/admin" in production deployments. +- **LOGIN ALWAYS REQUIRED**: Every API endpoint must require valid JWT token via `auth.get_current_user`. +- **CREDENTIAL MANAGEMENT**: Use proper password hashing (passlib with pbkdf2_sha256), never plain text. +- **IF AUTH BREAKS**: Debug by: + 1. Verifying database contains users + 2. Testing password hashing in isolation + 3. Checking session/transaction isolation + 4. Reviewing logs for SQL errors + 5. **NEVER skip authentication** - always fix the root cause +- **DOCUMENTATION**: Auth configuration must be clearly documented in `STANDALONE_DEPLOYMENT.md` with proper setup steps. + +This rule supersedes any convenience or testing shortcuts. Security is non-negotiable. + +## 6. AI COMMAND SHORTCUTS - **`save-version`**: 0. **MANDATORY**: Verify and update ALL documentation (`.md` files: README, USER_GUIDE, ARCHITECTURE, etc.) with explanations of all current changes. 1. Increment `VERSION.json`.