Context
In PR #62, resolveGrpcSessionOwner maps a present-but-unrecognized x-abbenay-token to local (same as no token). That matches today's local-trust model for CLI/VS Code, but when consumers are configured it means a wrong token does not fail closed — it falls into the local session namespace.
Flagged during review of PR #62: #62
Proposal
When config.consumers is non-empty and a token is presented but matches no consumer, reject the session RPC (UNAUTHENTICATED) rather than treating the caller as local. Keep no-token → local for unix-socket / local CLI DX.
Coordinate with consumer auth on privileged RPCs (authorizeConsumer) so behavior is consistent.
Context
In PR #62,
resolveGrpcSessionOwnermaps a present-but-unrecognizedx-abbenay-tokentolocal(same as no token). That matches today's local-trust model for CLI/VS Code, but whenconsumersare configured it means a wrong token does not fail closed — it falls into the local session namespace.Flagged during review of PR #62: #62
Proposal
When
config.consumersis non-empty and a token is presented but matches no consumer, reject the session RPC (UNAUTHENTICATED) rather than treating the caller aslocal. Keep no-token →localfor unix-socket / local CLI DX.Coordinate with consumer auth on privileged RPCs (
authorizeConsumer) so behavior is consistent.