Problem
GET /v1/deployments/{id}/events (SSE) has no in-application authentication. Anyone who knows (or guesses) a deployment UUID can subscribe to its live event stream.
Evidence
app/routes/v1/deployments/events.py — events_stream(...) depends only on _session; no token/session/authz dependency.
Impact (High)
Authentication relies entirely on the Kong gateway, which is bypassed under dev, direct-IP and tailnet access (the operational reality per the deployment notes). The stream can carry deploy logs and any values that are not fully redacted.
Suggested fix
Add an in-app auth dependency to the SSE route (signed token or session check) that is enforced independently of Kong, at minimum for deployments that are not fronted by Kong. While there, cross-check that the _SCAN_FIELDS redaction list covers the values the stream can carry.
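One way to implement the suggested in-app check, as an added example that is not the project's code: a short-lived HMAC token scoped to a single deployment id, verified inside the route itself so it holds even when Kong is bypassed. The token format, SECRET and function names are assumptions; in FastAPI the body of require_stream_auth would sit behind Depends on the SSE route and raise HTTPException(401) instead of PermissionError.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key; a real deployment loads it from config or a secret store.
SECRET = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_stream_token(secret: bytes, deployment_id: str, subject: str,
                      ttl_s: int = 300, now: Optional[float] = None) -> str:
    # Claims bind the token to ONE deployment's stream and expire quickly.
    issued = time.time() if now is None else now
    claims = {"dep": deployment_id, "sub": subject, "exp": int(issued + ttl_s)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_stream_token(secret: bytes, token: str, deployment_id: str,
                        now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and scoped to deployment_id, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # constant-time signature check
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed base64, JSON or token shape
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired
    if claims.get("dep") != deployment_id:
        return None  # valid token, but for a different deployment's stream
    return claims


def require_stream_auth(authorization: Optional[str], deployment_id: str,
                        secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Route-level dependency: enforced in-app, so a bypassed gateway does not open the stream."""
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    claims = verify_stream_token(secret, authorization[len("Bearer "):], deployment_id, now)
    if claims is None:
        raise PermissionError("invalid, expired or wrong-deployment token")
    return claims
```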