Severity: LOW (premature) · Wave 4 — DEFERRED
Correction (2026-05-29): role-based authorization on stem is premature and should wait for multi-user support.
Why defer
- stem is single-user. Credentials come from env (
STEM_AUTH_USERNAME/STEM_AUTH_PASSWORD). There is exactly one principal — it is implicitly admin. Restricting "the only user" has no security value.
UserStore exists but is unused. internal/auth/userstore.go defines a role-aware UserStore interface ("ported from seed") with MemoryUserStore, but auth never calls it — login validates against the env hash directly.
- "role" already means operating mode in stem.
StemRole = reflector/test_master (RoleContext / RoleGuard / RoleChip across ~30 UI files). Adding user-permission "roles" now would collide with that established concept.
What to do instead
If multi-user lands later, the plan is:
- Add
Role/Permission to auth.Claims
- Wire
UserStore into login
requirePermission(min) middleware on destructive endpoints
- Backfill the env user to admin
No action now.
Severity: LOW (premature) · Wave 4 — DEFERRED
Correction (2026-05-29): role-based authorization on stem is premature and should wait for multi-user support.
Why defer
STEM_AUTH_USERNAME/STEM_AUTH_PASSWORD). There is exactly one principal — it is implicitly admin. Restricting "the only user" has no security value.UserStoreexists but is unused.internal/auth/userstore.godefines a role-awareUserStoreinterface ("ported from seed") withMemoryUserStore, but auth never calls it — login validates against the env hash directly.StemRole=reflector/test_master(RoleContext / RoleGuard / RoleChip across ~30 UI files). Adding user-permission "roles" now would collide with that established concept.What to do instead
permission/scope, notrole).If multi-user lands later, the plan is:
Role/Permissiontoauth.ClaimsUserStoreinto loginrequirePermission(min)middleware on destructive endpointsNo action now.