
Harden Vast runtime with seeded auth login#8

Merged
aytzey merged 1 commit into main from codex/propose-fix-for-tribe-service-vulnerability on Apr 24, 2026

Conversation

@aytzey (Owner) commented Apr 24, 2026

Motivation

  • Vast.ai provisioning exposed the TRIBE API on a public host port and launched uvicorn bound to 0.0.0.0 without authentication, allowing unauthenticated access to /score and /health.
  • The desktop client also did not attach any auth token for vast mode, so public instances could be abused remotely.

Description

  • Require auth on provisioned Vast instances by injecting PITCHSERVER_AUTH_REQUIRED=1, PITCHSERVER_AUTH_SEED_USERNAME, PITCHSERVER_AUTH_SEED_PASSWORD, and PITCHSERVER_SESSION_TTL_SECONDS into the instance env during creation in src-tauri/src/lib.rs.
  • Add vast_auth_credentials to derive a seeded username/password from configured RuntimeConfig or generate a time-based fallback password, and thread those credentials into create_vast_instance and wait_for_vast_runtime calls.
  • After the Vast instance is healthy, perform a login (login_pitch_server) and return the resulting bearer token from the Vast connect flow; persist that token in app state via store_pitch_server_auth_token so the desktop can reuse it.
  • Ensure desktop scoring requests attach bearer auth for vast mode as well (score_pitch now adds Authorization: Bearer <token> when status.mode == "vast").

Testing

  • Ran cargo fmt --manifest-path src-tauri/Cargo.toml which completed successfully.
  • Ran cargo check --manifest-path src-tauri/Cargo.toml which could not finish in this environment because the system glib-2.0 / pkg-config dependency is missing; the failure is an external system dependency, not a logical error in the changed code.

Codex Task

Summary by CodeRabbit

Release Notes

  • New Features
    • Vast runtime provisioning now includes authentication token management for container connections
    • Bearer token authentication extended to support additional operational modes
    • Container startup configuration enhanced with authentication parameters and security settings
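As an added example, not code from this PR or the TRIBE project, the following std-only Rust sketch shows the two guards the description lists: the container env that forces PITCHSERVER_AUTH_REQUIRED=1 together with the seeded credentials and session TTL, and the bearer-header decision the desktop makes for a scoring request in pitchserver and vast modes. RuntimeMode, SeededAuth, vast_container_env and bearer_header are assumed names, and the fail-closed handling (refusing to send a remote request without a token, refusing to launch with an empty seed) is the example's own addition.

```rust
// Added example, not code from the PR or the TRIBE project: a std-only sketch
// of the two guards the description lists. `RuntimeMode`, `SeededAuth`,
// `vast_container_env` and `bearer_header` are assumed names.
use std::collections::BTreeMap;

/// Connection modes of the desktop client (assumed enum; the page names the
/// "pitchserver" and "vast" modes).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RuntimeMode {
    Local,
    PitchServer,
    Vast,
}

/// Seeded credentials handed to the Vast instance at creation time.
pub struct SeededAuth {
    pub username: String,
    pub password: String,
    pub session_ttl_seconds: u64,
}

/// Build the container environment using the variable names from the PR.
/// Refuses an empty seed so an instance is never launched with
/// "auth required" but nothing to authenticate against.
pub fn vast_container_env(auth: &SeededAuth) -> Result<BTreeMap<String, String>, String> {
    if auth.username.trim().is_empty() || auth.password.trim().is_empty() {
        return Err("seeded username/password must be non-empty".into());
    }
    let mut env = BTreeMap::new();
    env.insert("PITCHSERVER_AUTH_REQUIRED".to_string(), "1".to_string());
    env.insert("PITCHSERVER_AUTH_SEED_USERNAME".to_string(), auth.username.clone());
    env.insert("PITCHSERVER_AUTH_SEED_PASSWORD".to_string(), auth.password.clone());
    env.insert("PITCHSERVER_SESSION_TTL_SECONDS".to_string(), auth.session_ttl_seconds.to_string());
    Ok(env)
}

/// Authorization header for a scoring request. Remote modes fail closed:
/// a missing or blank token is an error, not an unauthenticated request.
pub fn bearer_header(mode: RuntimeMode, token: Option<&str>) -> Result<Option<String>, String> {
    match mode {
        RuntimeMode::Local => Ok(None),
        RuntimeMode::PitchServer | RuntimeMode::Vast => match token.map(str::trim) {
            Some(t) if !t.is_empty() => Ok(Some(format!("Bearer {t}"))),
            _ => Err(format!("{mode:?} mode requires an auth token")),
        },
    }
}
```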

@coderabbitai (bot) commented Apr 24, 2026

Caution: Review failed. The pull request is closed.

Recent review info

Run configuration: defaults; review profile: CHILL; plan: Pro.

Commits: reviewing files that changed from the base of the PR and between 5d126a6 and 9332ee2.

Files selected for processing (1):
  • src-tauri/src/lib.rs

Walkthrough

The Vast runtime connection implementation has been enhanced to provision and manage PitchServer authentication tokens. Functions connect_vast, wait_for_vast_runtime, and connect_runtime are modified to accept credentials, return authentication tokens, and store tokens globally. Container startup now includes PitchServer authentication configuration. Scoring requests attach bearer authentication for both pitchserver and vast modes.

Changes

Cohort / File(s): Vast Runtime Authentication (src-tauri/src/lib.rs)
Summary: Extended connect_vast and wait_for_vast_runtime to accept seeded auth credentials and return (RuntimeStatus, token). connect_runtime now stores tokens globally. Container env augmented with PITCHSERVER_AUTH_REQUIRED, auth file path, credentials, and session TTL. Scoring requests attach bearer auth for both pitchserver and vast modes.

Estimated code review effort: 3 (Moderate), ~20 minutes

Poem

🐰 A token hops through vast domains,
Where Pitch and Auth now dance in chains,
Credentials sealed, permissions blessed,
The rabbit's network—now secured, impressed!
✨🔐


@aytzey aytzey merged commit db78ad5 into main Apr 24, 2026
1 of 4 checks passed