From 0d3cfbe0f782fac34cd3f31ccfe7d42d2e93f806 Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)" <me@rodrigorodriguez.com>
Date: Sat, 4 Apr 2026 08:25:43 -0300
Subject: [PATCH] fix: Replace Runtime::new().block_on() with thread::spawn in
 AuthConfig

- AuthConfig::from_env() was creating a new Runtime and calling block_on
  directly, causing panic when main tokio runtime is already active
- Now uses std::thread::spawn + new_current_thread().block_on() pattern
- Follows AGENTS.md pattern for async-from-sync bridges
---
 src/security/auth_api/config.rs | 47 +++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/src/security/auth_api/config.rs b/src/security/auth_api/config.rs
index 8c433256..0a7898c6 100644
--- a/src/security/auth_api/config.rs
+++ b/src/security/auth_api/config.rs
@@ -54,26 +54,33 @@ impl AuthConfig {
 
         if let Ok(secret) = std::env::var("VAULT_TOKEN") {
             if !secret.is_empty() {
-                let rt = tokio::runtime::Runtime::new().ok();
-                if let Some(rt) = rt {
-                    let sm = crate::core::shared::utils::get_secrets_manager_sync();
-                    if let Some(sm) = sm {
-                        if let Ok(secrets) =
-                            rt.block_on(sm.get_secret(crate::core::secrets::SecretPaths::JWT))
-                        {
-                            if let Some(s) = secrets.get("secret") {
-                                config.jwt_secret = Some(s.clone());
-                            }
-                            if let Some(r) = secrets.get("require_auth") {
-                                config.require_auth = r == "true" || r == "1";
-                            }
-                            if let Some(p) = secrets.get("anonymous_paths") {
-                                config.allow_anonymous_paths = p
-                                    .split(',')
-                                    .map(|s| s.trim().to_string())
-                                    .filter(|s| !s.is_empty())
-                                    .collect();
-                            }
+                let sm = crate::core::shared::utils::get_secrets_manager_sync();
+                if let Some(sm) = sm {
+                    let (tx, rx) = std::sync::mpsc::channel();
+                    std::thread::spawn(move || {
+                        let rt = tokio::runtime::Builder::new_current_thread()
+                            .enable_all()
+                            .build();
+                        let result = if let Ok(rt) = rt {
+                            rt.block_on(async { sm.get_secret(crate::core::secrets::SecretPaths::JWT).await })
+                        } else {
+                            Err("Failed to create runtime".into())
+                        };
+                        let _ = tx.send(result);
+                    });
+                    if let Ok(Ok(secrets)) = rx.recv() {
+                        if let Some(s) = secrets.get("secret") {
+                            config.jwt_secret = Some(s.clone());
+                        }
+                        if let Some(r) = secrets.get("require_auth") {
+                            config.require_auth = r == "true" || r == "1";
+                        }
+                        if let Some(p) = secrets.get("anonymous_paths") {
+                            config.allow_anonymous_paths = p
+                                .split(',')
+                                .map(|s| s.trim().to_string())
+                                .filter(|s| !s.is_empty())
+                                .collect();
                         }
                     }
                 }