Bug: `requires_password: false` configuration fails validation

[Edison-A-N]

Bug Report: requires_password: false configuration fails validation

描述

When setting requires_password: false in network.yaml to allow passwordless connections, the network fails to start due to a validation error that requires all agent_groups to have a password_hash defined.

Expected Behavior

According to the documentation and design intent, when requires_password: false is set:

• Agents should be able to connect without providing a password
• They should be assigned to the default_agent_group
• The default_agent_group should not require a password_hash

Actual Behavior

Network fails to start with error:

Value error, Group 'public' must have 'password_hash' defined

Steps to Reproduce

1. Create a network.yaml with requires_password: false:

network:
  name: "test-network"
  requires_password: false
  default_agent_group: public
  agent_groups:
    public:
      description: "Public access - no password required"
      metadata:
        permissions: ["read", "write"]
    # other groups with passwords...

2. Run: openagents network start
3. Error: Validation fails

Root Cause

In src/openagents/models/network_config.py, the validate_agent_groups validator forces every group to have a password_hash, regardless of requires_password setting:

@field_validator("agent_groups")
def validate_agent_groups(cls, v):
    for group_name, group_config in v.items():
        if not group_config.password_hash:  # This check is too strict
            raise ValueError(f"Group '{group_name}' must have 'password_hash' defined")

Meanwhile, the design intent (shown in tests and topology code) supports passwordless mode when requires_password=False.

Workaround

Currently, passwordless mode only works when setting config.requires_password = False at runtime (after network initialization), not via YAML configuration.

Environment

• OpenAgents version: 0.8.5.post5
• Python: 3.13
• OS: Linux

Related Code

• Test: tests/network/test_agent_groups.py::test_requires_password_false_no_password
• Topology: src/openagents/core/topology.py (supports password_hash=None)
• Config: src/openagents/models/network_config.py (validation too strict)

Suggested Fix

Modify validate_agent_groups to allow password_hash=None for groups when the group doesn't require authentication, or remove the strict validation and let the topology layer handle password validation based on requires_password setting.

[linear]

OADEV-39

[Edison-A-N]

Analysis

The issue is that validate_agent_groups enforces password_hash for all groups unconditionally, ignoring the requires_password setting:

# Current: Always requires password_hash
for group_name, group_config in v.items():
    if not group_config.password_hash:
        raise ValueError(f"Group '{group_name}' must have 'password_hash' defined")

This causes:

• ✅ requires_password=True: All groups need passwords — correct
• ❌ requires_password=False: Should allow passwordless groups (especially default_agent_group) — fails incorrectly

Suggested Fix

Convert validate_agent_groups to a model_validator with conditional logic:

@model_validator(mode='after')
def validate_agent_groups_password_requirement(self):
    if not self.agent_groups:
        return self
    
    if self.requires_password:
        # Enforce password_hash for all groups
        for name, config in self.agent_groups.items():
            if not config.password_hash:
                raise ValueError(f"Group '{name}' must have 'password_hash' when requires_password=True")
    else:
        # default_agent_group must be accessible without password
        default = self.default_agent_group
        if default in self.agent_groups and self.agent_groups[default].password_hash:
            raise ValueError(f"default_agent_group '{default}' cannot require password when requires_password=False")
    
    return self

This properly handles both scenarios based on the requires_password configuration.