The management/UI admin gate (#20) is fail-closed: THUMPER_ADMIN_TOKEN has no code default, so unset = API disabled (503).
But .env.example ships THUMPER_ADMIN_TOKEN=dev-admin-token, and config.insecure_default_tokens() only checks the enroll/install defaults — not admin. So a deploy that copies .env.example runs with a publicly-known admin token and no startup warning, silently re-opening the management API to anyone who knows the obvious value.
Fix
Recognize dev-admin-token as a known-insecure value in insecure_default_tokens() so it is flagged loudly at startup, exactly like the enroll/install dev defaults. Keep the fail-closed behavior (an unset token still disables the API — this is not a new code default).
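A minimal sketch of the check described in the fix, added here as an illustration and not the project's own code. The function signature, the `KNOWN_INSECURE` table and the helpers `admin_api_enabled` and `startup_check` are assumptions; only `THUMPER_ADMIN_TOKEN` and `dev-admin-token` come from the text above, and the enroll/install entries are omitted because their names are not shown.

```python
import logging
from typing import List, Mapping

log = logging.getLogger("startup")

# Known-insecure example values, keyed by environment variable.
# Only the admin entry is taken from the issue text; the existing
# enroll/install dev defaults would sit in the same table (assumed layout).
KNOWN_INSECURE = {
    "THUMPER_ADMIN_TOKEN": {"dev-admin-token"},
}


def insecure_default_tokens(env: Mapping[str, str]) -> List[str]:
    """Return the names of variables set to a publicly known example value."""
    flagged = []
    for name, bad_values in KNOWN_INSECURE.items():
        value = env.get(name)
        if not value:
            # Unset or empty: nothing to flag. The gate stays fail-closed,
            # so no code default is introduced here.
            continue
        # strip() also catches a copied value padded with whitespace.
        if value.strip() in bad_values:
            flagged.append(name)
    return sorted(flagged)


def admin_api_enabled(env: Mapping[str, str]) -> bool:
    """Hypothetical gate: the management API is served only when a token is set."""
    return bool(env.get("THUMPER_ADMIN_TOKEN"))


def startup_check(env: Mapping[str, str]) -> List[str]:
    """Log one loud warning per flagged variable and return the flagged names."""
    flagged = insecure_default_tokens(env)
    for name in flagged:
        log.warning(
            "%s is set to a publicly known example value; "
            "replace it before exposing this service", name)
    return flagged


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed environment mimicking a deploy that copied .env.example.
    startup_check({"THUMPER_ADMIN_TOKEN": "dev-admin-token"})
```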