
Add biometric auth guard for critical config changes #192

Merged: danieljustus merged 3 commits into main from session/20260522-122313 on May 22, 2026
@danieljustus (Owner) commented May 22, 2026

Integrate Touch ID / Face ID verification before critical
configuration operations: agent tier upgrades and auth method
changes. On macOS, the system biometric dialog prompts before
applying the change. On platforms without biometric support,
automated use requires an explicit --no-biometric flag.

  • New internal/authguard package with Challenger API wrapping
    the existing BiometricAuthenticator for re-auth prompts
  • agent upgrade CLI: biometric challenge before tier changes;
    --no-biometric flag to bypass for automation
  • MCP set_auth_method: biometric challenge before changing
    auth method when Touch ID is available
  • Policy ActionRequireBiometry: wired into server dispatch
    so biometric-requiring rules trigger a real challenge
  • Tests: authguard unit tests covering availability,
    authentication failure, and critical tool detection

Closes #191
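
The gating behaviour described in the PR description above, as an added Go sketch (not code from this PR or the project). `Authenticator`, `Guard`, `Outcome` and `fakeAuth` are hypothetical names standing in for the project's BiometricAuthenticator and Challenger API, and the sketch assumes `--no-biometric` skips the prompt on any platform.

```go
package main

import (
	"errors"
	"fmt"
)

// Authenticator is a hypothetical stand-in for the project's BiometricAuthenticator.
type Authenticator interface {
	Available() bool
	Authenticate(reason string) error
}

type Outcome int
const (
	Verified Outcome = iota // user passed the biometric prompt
	Bypassed                // operator explicitly opted out with the flag
	Denied                  // change must not be applied
)

var ErrUnavailable = errors.New("biometric auth unavailable; rerun with --no-biometric")
var ErrChallenge = errors.New("biometric challenge failed")

// Guard fails closed: a missing sensor never silently becomes "allowed".
func Guard(a Authenticator, reason string, noBiometric bool) (Outcome, error) {
	if noBiometric {
		return Bypassed, nil // assumption: the caller audit-logs the bypass
	}
	if a == nil || !a.Available() {
		return Denied, ErrUnavailable
	}
	if err := a.Authenticate(reason); err != nil {
		return Denied, fmt.Errorf("%w: %v", ErrChallenge, err)
	}
	return Verified, nil
}

// fakeAuth is a constructed test double, not a real Touch ID binding.
type fakeAuth struct {
	available bool
	err       error
}

func (f fakeAuth) Available() bool           { return f.available }
func (f fakeAuth) Authenticate(string) error { return f.err }
func main() {
	o, err := Guard(fakeAuth{available: false}, "agent tier upgrade", false)
	fmt.Println(o == Denied, errors.Is(err, ErrUnavailable))
}
```

The case worth testing in a guard like this is the unavailable-sensor path without the flag: it has to return an error rather than fall through to applying the change.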

@danieljustus danieljustus added this to the v4.0.1 milestone May 22, 2026
- Fix misspelling of 'canceled' in authguard test
- Remove trailing punctuation from error messages
- Fix String() method doc comment
- Remove unused policyErr parameter from challengeBiometric

Refs PR #192
@danieljustus danieljustus marked this pull request as ready for review May 22, 2026 11:02
Copilot AI review requested due to automatic review settings May 22, 2026 11:02
@danieljustus danieljustus merged commit 5ac1854 into main May 22, 2026
19 of 20 checks passed
@danieljustus danieljustus deleted the session/20260522-122313 branch May 22, 2026 11:02
Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
