Skip to content

Secure runtime observability defaults#5

Closed
sylvesterdamgaard wants to merge 1 commit into
mainfrom
codex/secure-runtime-defaults
Closed

Secure runtime observability defaults#5
sylvesterdamgaard wants to merge 1 commit into
mainfrom
codex/secure-runtime-defaults

Conversation

@sylvesterdamgaard

@sylvesterdamgaard sylvesterdamgaard commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

What changed

  • Make TCP API, Prometheus metrics, and resource metrics opt-in by default.
  • Keep the existing API/metrics port defaults for configurations that explicitly enable them.
  • Run comprehensive validation during normal config loading so runtime catches the same blocking bounds errors as check-config.
  • Update global settings docs to describe TCP API as disabled by default while local Unix socket management remains available.

Why

The previous defaults opened management/metrics surfaces and started resource sampling unless users explicitly disabled them. That was surprising for production containers and did not match parts of the documentation.

Validation

  • git diff --check
  • go test ./internal/config ./cmd/cbox-init could not be run locally because go is not installed in this this environment.

@sylvesterdamgaard sylvesterdamgaard changed the title [codex] Secure runtime observability defaults Secure runtime observability defaults Jun 29, 2026
@sylvesterdamgaard sylvesterdamgaard deleted the codex/secure-runtime-defaults branch June 29, 2026 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant