Motivation

• Vast.ai provisioning exposed the TRIBE API on a public host port and launched uvicorn bound to 0.0.0.0 without authentication, allowing unauthenticated access to /score and /health.
• The desktop client also did not attach any auth token for vast mode, so public instances could be abused remotely.

Description

• Require auth on provisioned Vast instances by injecting PITCHSERVER_AUTH_REQUIRED=1, PITCHSERVER_AUTH_SEED_USERNAME, PITCHSERVER_AUTH_SEED_PASSWORD, and PITCHSERVER_SESSION_TTL_SECONDS into the instance env during creation in src-tauri/src/lib.rs.
• Add vast_auth_credentials to derive a seeded username/password from configured RuntimeConfig or generate a time-based fallback password, and thread those credentials into create_vast_instance and wait_for_vast_runtime calls.
• After the Vast instance is healthy, perform a login (login_pitch_server) and return the resulting bearer token from the Vast connect flow; persist that token in app state via store_pitch_server_auth_token so the desktop can reuse it.
• Ensure desktop scoring requests attach bearer auth for vast mode as well (score_pitch now adds Authorization: Bearer <token> when status.mode == "vast").

Testing

• Ran cargo fmt --manifest-path src-tauri/Cargo.toml which completed successfully.
• Ran cargo check --manifest-path src-tauri/Cargo.toml which could not finish in this environment because the system glib-2.0 / pkg-config dependency is missing; the failure is an external system dependency, not a logical error in the changed code.

Codex Task

Summary by CodeRabbit

Release Notes

• New Features
  • Vast runtime provisioning now includes authentication token management for container connections
  • Bearer token authentication extended to support additional operational modes
  • Container startup configuration enhanced with authentication parameters and security settings