diff --git a/internal/server/server.go b/internal/server/server.go index 6136fee..8cb4d05 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -649,14 +649,16 @@ func New(addr string, store Store, encKey []byte, notifier *notify.Notifier, ini mux.HandleFunc("DELETE /v1/vaults/{name}/services/{host}", s.requireInitialized(s.requireAuth(actorAuthed(s.handleServiceRemove)))) mux.HandleFunc("DELETE /v1/vaults/{name}/services", s.requireInitialized(s.requireAuth(actorAuthed(s.handleServicesClear)))) mux.HandleFunc("GET /v1/vaults/{name}/services/credential-usage", s.requireInitialized(s.requireAuth(actorAuthed(s.handleServicesCredentialUsage)))) - mux.HandleFunc("GET /v1/service-catalog", s.requireInitialized(ipAuth(s.handleServiceCatalog))) - mux.HandleFunc("GET /v1/skills/cli", s.requireInitialized(ipAuth(s.handleSkillCLI))) - mux.HandleFunc("GET /v1/skills/http", s.requireInitialized(ipAuth(s.handleSkillHTTP))) - - // Public: transparent-proxy root CA. Safe to expose; clients need it to - // trust the minted leaves. Not wrapped in requireInitialized — the CA - // lifecycle is tied to --mitm-port, not owner registration. - mux.HandleFunc("GET /v1/mitm/ca.pem", ipAuth(s.handleMITMCA)) + // Public static reads — immutable payloads with no credentials on + // the wire. TierGlobal is the only useful backstop; TierAuth would + // punish `vault run` (CA fetch per invocation) and the dashboard + // (re-mount poll) without defending any real surface. + mux.HandleFunc("GET /v1/service-catalog", s.requireInitialized(s.handleServiceCatalog)) + mux.HandleFunc("GET /v1/skills/cli", s.requireInitialized(s.handleSkillCLI)) + mux.HandleFunc("GET /v1/skills/http", s.requireInitialized(s.handleSkillHTTP)) + // CA PEM is not wrapped in requireInitialized — the CA lifecycle is + // tied to --mitm-port, not owner registration. + mux.HandleFunc("GET /v1/mitm/ca.pem", s.handleMITMCA) // Instance-level user invites mux.HandleFunc("POST /v1/users/invites", s.requireInitialized(s.requireAuth(actorAuthed(limitBody(s.handleUserInviteCreate)))))