feat: add no-auth IAM regime as a drop-in replacement for iam-svc (#933)

Browse source

Adds `no-auth-svc`, a lightweight IAM service that permits all access
unconditionally — no database, no bootstrap, no signing keys.  Deploy
it in place of `iam-svc` for development, demos, and single-user
setups where authentication overhead is unwanted.

The gateway no longer hard-codes a 401 on missing credentials.
Instead it asks the IAM regime via a new `authenticate-anonymous`
operation whether token-free access is allowed.  This keeps the
gateway regime-agnostic: `iam-svc` rejects anonymous auth (preserving
existing security), while `no-auth-svc` grants it with a configurable
default user and workspace.

Includes a tech spec (docs/tech-specs/no-auth-regime.md) and tests
that pin the safety boundary — malformed tokens never fall through
to the anonymous path, and a contract test ensures the full iam-svc
always rejects `authenticate-anonymous`.

...

This commit is contained in:

cybermaggedon 2026-05-18 14:10:05 +01:00 • committed by GitHub

parent ab83c81d8a

commit da7d10e995

No known key found for this signature in database

GPG key ID: B5690EEEBB952194

16 changed files with 876 additions and 32 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download patch file Download diff file Expand all files Collapse all files

0

tests/unit/test_iam/__init__.py Normal file

Unescape Escape View file