Summary
The HTTP transport currently warns users to add their own auth via a reverse proxy. Bundle opt-in authentication options (token-based and mTLS) to make remote/tunnelled use safer out of the box.
Proposed Changes
Token-based auth (simpler)
# elesync.yml
http:
auth:
mode: token
token_env: ELESYNC_TOKEN # reads from env var
# Generate a token
ele auth generate-token
# Validate current token setup
ele auth status
Client usage:
Authorization: Bearer <token>
mTLS (advanced)
http:
auth:
mode: mtls
ca_cert: ~/.elesync/ca.crt
server_cert: ~/.elesync/server.crt
server_key: ~/.elesync/server.key
# Generate self-signed CA + server cert
ele auth setup-mtls
Behaviour
- Both modes are opt-in — default remains unauthenticated (localhost-only safe)
- Clear startup warning if HTTP transport is bound to non-loopback without auth enabled
- Auth errors return
401 Unauthorized with a helpful message
Acceptance Criteria
Summary
The HTTP transport currently warns users to add their own auth via a reverse proxy. Bundle opt-in authentication options (token-based and mTLS) to make remote/tunnelled use safer out of the box.
Proposed Changes
Token-based auth (simpler)
Client usage:
mTLS (advanced)
# Generate self-signed CA + server cert ele auth setup-mtlsBehaviour
401 Unauthorizedwith a helpful messageAcceptance Criteria
ele auth generate-tokenandele auth setup-mtlshelpers exist