# `--insecure` (flag global, v2.14.0+)

Flag de override que desabilita TODAS as validacoes de seguranca do runner. Modelo "AS-IS / superforce". Use somente quando entender as consequencias.

# Quando o runner alerta voce

┌─────────────────────────────────────────────────────────────┐
│                                                             │
│   🚨 INSECURE MODE — ALL SECURITY GUARDS DISABLED 🚨        │
│                                                             │
│   Command: deploy app --insecure                            │
│                                                             │
│   You explicitly opted out of safety checks.                │
│   Risks accepted by --insecure include:                     │
│     • secrets stored in plaintext .env                      │
│     • credentials committed to git                          │
│     • no encryption at rest                                 │
│     • signed-release verification bypassed                  │
│                                                             │
│   Logged to /opt/runner/logs/insecure-events.jsonl          │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Banner em stderr (stdout fica limpo pra --json). Sempre opt-in por invocacao — flag nao persiste no state.

# Aplicabilidade

Funciona com qualquer comando do runner:

runner add --repo X --branch main --insecure
runner deploy app --insecure
runner fetch --deploy --insecure
runner env set X --key Y --value Z --insecure
runner self-update --insecure   # (futuro: bypass signature check)

# O que e suprimido

Regra geral: qualquer trava de seguranca do runner consulta crate::insecure::is_insecure() antes de abortar. Se voce passa --insecure, a trava vira warning.

# Audit log

Todas as invocacoes com --insecure sao registradas em /opt/runner/logs/insecure-events.jsonl:

{
  "timestamp": "2026-05-05T18:42:00Z",
  "command": "add --repo X",
  "args": ["runner", "add", "--repo", "X", "--branch", "main", "--insecure"],
  "app": null,
  "suppressed_checks": ["all"],
  "hostname": "prod-srv-01",
  "user": "root"
}

Use pra auditar quem usou --insecure, quando e em que comando.

# Ver invocacoes recentes
tail -f /opt/runner/logs/insecure-events.jsonl | jq

# Contar uso por user
cat /opt/runner/logs/insecure-events.jsonl | jq -r .user | sort | uniq -c

# Quem rodou --insecure no ultimo dia?
cat /opt/runner/logs/insecure-events.jsonl | jq -r 'select(.timestamp > "'$(date -u -d '1 day ago' +%FT%TZ)'") | .user'

# Exemplo: secret-em-env-sem-ckey

# Cenario: app com `DB_PASSWORD` em `environment:` sem ckey

# .deploy.yml
environment:
  APP_ENV: production
  DB_PASSWORD: meu_segredo_123    # ← key sensitive, valor nao-vazio

runner add --repo user/app --branch main
# ERROR: secret_in_env_without_ckey: 'app' has secret-looking keys in environment: without a ckey:
#   - DB_PASSWORD
#
# Move them to secrets: in .deploy.yml (auto-encrypts with ckey),
# or configure a ckey: runner edit app --ckey ...
# To bypass (NOT RECOMMENDED), pass --insecure.

# Solucao 1 (recomendada): mover pra `secrets:`

environment:
  APP_ENV: production
secrets:
  DB_PASSWORD: meu_segredo_123    # auto-encripta com ckey

runner add --repo user/app --branch main --ckey

# Solucao 2: adicionar ckey

runner add --repo user/app --branch main --ckey
# (ou --ckey "minha-chave-literal")

# Solucao 3 (NAO RECOMENDADA): `--insecure`

runner add --repo user/app --branch main --insecure
# Banner INSECURE + audit log + procede com .env plaintext

# Quando faz sentido usar

# Veja Tambem

• Secrets e Encriptacao — modelo seguro com mkey + ckey
• Env Wizard — como classificar environment: vs secrets: no .deploy.yml
• runner edit — adicionar ckey numa app existente