From 57ae179bbc2f6ce407cc758384a41528528c2fdf Mon Sep 17 00:00:00 2001
From: Nick Taylor <nick@nickyt.co>
Date: Fri, 13 Feb 2026 20:15:21 +0000
Subject: [PATCH] fix(gateway-cli): allow lan binding with trusted-proxy in CLI
 startup

There were TWO validations for lan binding without auth:
1. src/gateway/server-runtime-config.ts (FIXED in 563052d)
2. src/cli/gateway-cli/run.ts (THIS FIX)

The CLI startup validation was rejecting lan binding when using
trusted-proxy auth mode because it only checked for token/password.

This is the ACTUAL bug causing the crash loop - the CLI validation
runs before the runtime config validation, so it was failing first.

Fix: Add && resolvedAuthMode !== 'trusted-proxy' to the CLI check
on line 246, matching the fix in server-runtime-config.ts.
---
 src/cli/gateway-cli/run.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cli/gateway-cli/run.ts b/src/cli/gateway-cli/run.ts
index 2845197efe5..6c0d2277f45 100644
--- a/src/cli/gateway-cli/run.ts
+++ b/src/cli/gateway-cli/run.ts
@@ -247,7 +247,7 @@ async function runGatewayCommand(opts: GatewayRunOpts) {
     defaultRuntime.exit(1);
     return;
   }
-  if (bind !== "loopback" && !hasSharedSecret) {
+  if (bind !== "loopback" && !hasSharedSecret && resolvedAuthMode !== "trusted-proxy") {
     defaultRuntime.error(
       [
         `Refusing to bind gateway to ${bind} without auth.`,