github nesquena/hermes-webui v0.51.547
v0.51.547 — Release TF (re-auth before disabling password auth)


Release v0.51.547 — Release TF (re-auth before disabling password authentication)

Ships #3581 (starship-s). Maintainer-approved (in-scope operator-hardening per the concept rubric; visual + product sign-off given). Security-boundary guard, gated authoritative.

Added

  • Re-enter your current password before turning off or clearing password authentication. A "sudo-mode" re-auth on POST /api/settings (403 without the current password) for any change/clear/passwordless transition. First-time setup + env-var-locked instances unaffected. Adds an optional "I've reviewed this risk" acknowledgment that quiets the unauthenticated-instance nav warning. Guards against a hijacked/unattended session silently removing auth. Thanks @starship-s.

Gate

  • Full pytest suite: 9879 passed, 0 failed (incl. the new 286-line test_auth_settings_safety.py driving real 403/409/200)
  • Codex: SAFE TO SHIP — single guarded password-hash writer, no bypass route, no fails-open
  • Opus: SAFE — all three disable vectors covered (change/clear/passwordless), constant-time re-auth vs the current (cache-fresh) hash, correct skips (onboarding + env-lock 409), the acknowledgment flag is provably cosmetic, full DOM/i18n coverage, zero regression when auth off
  • Visual sign-off: maintainer-approved (Settings → System auth panel + acknowledge-risk flow)
