Fail closed: why misconfiguring Crowkis locks it instead of opening it
Most self-hosted breaches are defaults, not exploits. Crowkis inverts the failure direction: forget to configure auth and you get a locked deployment, not an open one.
Scan the history of self-hosted data exposure and a pattern dominates: not zero-days but defaults — dashboards bound to 0.0.0.0 with auth 'coming in the hardening sprint.' The software trusted the operator to finish configuring it; the operator trusted the software to be safe meanwhile. Both were wrong together.
Crowkis hard-codes the opposite assumption: the moment it detects a non-loopback bind, management and dashboard surfaces require authentication — no flag needed, no checklist item, enforced by the server itself. Forgetting to set CROWKIS_ADMIN_KEY on a public interface produces 401s, not an open control plane. The lazy path and the safe path are the same path.
One file to security-review. No supply chain to poison.
The escape hatch exists and is labeled like one: CROWKIS_ALLOW_UNAUTHENTICATED_ADMIN=1 is loud, explicit, and documented as local-experiments-only. Danger you must type deliberately is danger you can audit for; danger that arrives by omission is just a breach with a delay.
The bottom line
Defaults are destiny in deployed software. We chose defaults on the theory that the operator is busy, the checklist is long, and the internet is patient. All three are always true.