improvements

Dockerfile

@@ -3,9 +3,7 @@ FROM rocker/r2u:24.04
 ENV DEBIAN_FRONTEND=noninteractive \
     TZ=Etc/UTC \
     PORT=7860 \
-    ASA_PROXY=socks5h://127.0.0.1:9050 \
-    TOR_CONTROL_PORT=9051 \
-    ASA_TOR_CONTROL_COOKIE=/tmp/tor/control.authcookie \
+    ASA_ENABLE_TOR=false \
     RETICULATE_MINICONDA_PATH=/opt/conda \
     RETICULATE_CONDA=/opt/conda/bin/conda \
     RETICULATE_PYTHON=/opt/conda/envs/asa_env/bin/python \
@@ -41,6 +39,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     r-cran-jsonlite \
     r-cran-reticulate \
     r-cran-remotes \
+    r-cran-sodium \
     && rm -rf /var/lib/apt/lists/*
 
 ARG DOCKERFILE_REV=2026-03-10-openssl-hotfix-1
@@ -63,7 +62,7 @@ RUN echo "asa-api docker revision: ${DOCKERFILE_REV}"; \
     /opt/conda/bin/conda tos accept --override-channels --channel https://repo.anaconda.com/pkgs/r; \
     /opt/conda/bin/conda update -n base -c defaults conda
 
-RUN R -q -e "gate <- c('remotes','plumber','jsonlite','reticulate'); missing <- gate[!vapply(gate, function(p) requireNamespace(p, quietly = TRUE), logical(1))]; if (length(missing)) stop(sprintf('Binary package gate failed; missing: %s', paste(missing, collapse = ', ')), call. = FALSE); cat('Binary R package gate passed:', paste(gate, collapse = ', '), '\n'); cat('R library paths:', paste(.libPaths(), collapse = ' | '), '\n'); cat('plumber version:', as.character(packageVersion('plumber')), '\n')"
+RUN R -q -e "gate <- c('remotes','plumber','jsonlite','reticulate','sodium'); missing <- gate[!vapply(gate, function(p) requireNamespace(p, quietly = TRUE), logical(1))]; if (length(missing)) stop(sprintf('Binary package gate failed; missing: %s', paste(missing, collapse = ', ')), call. = FALSE); cat('Binary R package gate passed:', paste(gate, collapse = ', '), '\n'); cat('R library paths:', paste(.libPaths(), collapse = ' | '), '\n'); cat('plumber version:', as.character(packageVersion('plumber')), '\n')"
 
 ARG ASA_SOFTWARE_REPO=https://github.com/cjerzak/asa-software
 ARG ASA_SOFTWARE_REF=main
@@ -74,7 +73,7 @@ RUN git clone --depth 1 --branch "${ASA_SOFTWARE_REF}" "${ASA_SOFTWARE_REPO}" /o
     && R -q -e "asa::build_backend(conda_env='asa_env', python_version='3.12', force=FALSE, check_browser=FALSE, fix_browser=FALSE)" \
     && /opt/conda/bin/conda run -n asa_env python -c "import ssl, sys; print(sys.version); print(ssl.OPENSSL_VERSION)" \
     && R -q -e "reticulate::use_condaenv('asa_env', required = TRUE); cfg <- reticulate::py_config(); cat('reticulate py_config python:', cfg[['python']], '\n'); reticulate::py_run_string('import ssl, sys; print(sys.version); print(ssl.OPENSSL_VERSION)')" \
-    && R -q -e "gate <- c('asa','plumber','jsonlite','reticulate'); missing <- gate[!vapply(gate, function(p) requireNamespace(p, quietly = TRUE), logical(1))]; if (length(missing)) stop(sprintf('Post-asa gate failed; missing: %s', paste(missing, collapse = ', ')), call. = FALSE); cat('Post-asa package gate passed\n')" \
+    && R -q -e "gate <- c('asa','plumber','jsonlite','reticulate','sodium'); missing <- gate[!vapply(gate, function(p) requireNamespace(p, quietly = TRUE), logical(1))]; if (length(missing)) stop(sprintf('Post-asa gate failed; missing: %s', paste(missing, collapse = ', ')), call. = FALSE); cat('Post-asa package gate passed\n')" \
     && rm -rf /opt/asa-software/.git
 
 WORKDIR /app

R/asa_api_helpers.R

@@ -3,6 +3,7 @@
 }
 
 asa_api_default_backend <- "gemini"
+.asa_api_auth_cache <- new.env(parent = emptyenv())
 
 asa_api_to_bool <- function(value, default = FALSE) {
   if (is.null(value) || length(value) == 0L) {
@@ -260,6 +261,10 @@ asa_api_bootstrap <- function() {
   if (!requireNamespace("asa", quietly = TRUE)) {
     stop("Package `asa` is not installed in this environment.", call. = FALSE)
   }
+  if (!requireNamespace("sodium", quietly = TRUE)) {
+    stop("Package `sodium` is not installed in this environment.", call. = FALSE)
+  }
+  asa_api_refresh_auth_cache(force = TRUE)
   invisible(TRUE)
 }
 
@@ -282,8 +287,71 @@ asa_api_get_header <- function(req, key) {
   asa_api_scalar_chr(value, default = "")
 }
 
-asa_api_required_bearer_token <- function() {
-  "999"
+asa_api_clear_auth_cache <- function() {
+  cached_keys <- ls(envir = .asa_api_auth_cache, all.names = TRUE)
+  if (length(cached_keys)) {
+    rm(list = cached_keys, envir = .asa_api_auth_cache)
+  }
+
+  invisible(TRUE)
+}
+
+asa_api_secret_env_value <- function(name) {
+  trimws(Sys.getenv(asa_api_scalar_chr(name, default = ""), unset = ""))
+}
+
+asa_api_missing_auth_env_vars <- function() {
+  required <- c("ASA_API_BEARER_TOKEN", "GUI_PASSWORD")
+  required[!nzchar(vapply(required, asa_api_secret_env_value, character(1)))]
+}
+
+asa_api_refresh_auth_cache <- function(force = FALSE) {
+  cached_api_hash <- .asa_api_auth_cache$api_bearer_token_hash %||% ""
+  cached_gui_hash <- .asa_api_auth_cache$gui_password_hash %||% ""
+  if (!isTRUE(force) &&
+      is.character(cached_api_hash) && nzchar(cached_api_hash) &&
+      is.character(cached_gui_hash) && nzchar(cached_gui_hash)) {
+    return(invisible(TRUE))
+  }
+
+  missing_vars <- asa_api_missing_auth_env_vars()
+  if (length(missing_vars)) {
+    asa_api_clear_auth_cache()
+    stop(
+      sprintf(
+        "Missing required authentication environment variable(s): %s.",
+        paste(sprintf("`%s`", missing_vars), collapse = ", ")
+      ),
+      call. = FALSE
+    )
+  }
+
+  .asa_api_auth_cache$api_bearer_token_hash <- sodium::password_store(
+    asa_api_secret_env_value("ASA_API_BEARER_TOKEN")
+  )
+  .asa_api_auth_cache$gui_password_hash <- sodium::password_store(
+    asa_api_secret_env_value("GUI_PASSWORD")
+  )
+
+  invisible(TRUE)
+}
+
+asa_api_verify_secret <- function(candidate, cache_key) {
+  supplied <- asa_api_scalar_chr(candidate, default = "")
+  if (!nzchar(supplied)) {
+    return(FALSE)
+  }
+
+  tryCatch(
+    {
+      asa_api_refresh_auth_cache()
+      stored_hash <- .asa_api_auth_cache[[asa_api_scalar_chr(cache_key, default = "")]] %||% ""
+      is.character(stored_hash) &&
+        nzchar(stored_hash) &&
+        isTRUE(sodium::password_verify(stored_hash, supplied))
+    },
+    error = function(e) FALSE
+  )
 }
 
 asa_api_path_requires_bearer_auth <- function(path) {
@@ -301,12 +369,16 @@ asa_api_extract_bearer_token <- function(req) {
 }
 
 asa_api_has_required_bearer_token <- function(req) {
-  identical(
+  asa_api_verify_secret(
     asa_api_extract_bearer_token(req),
-    asa_api_required_bearer_token()
+    "api_bearer_token_hash"
   )
 }
 
+asa_api_has_required_gui_password <- function(password) {
+  asa_api_verify_secret(password, "gui_password_hash")
+}
+
 asa_api_require_prompt <- function(payload) {
   prompt <- asa_api_scalar_chr(payload$prompt, default = "")
   if (!nzchar(trimws(prompt))) {

R/plumber.R

@@ -76,8 +76,12 @@ function(req, res) {
     return(plumber::forward())
   }
 
+  if (is.character(.asa_api_boot_error) && nzchar(trimws(.asa_api_boot_error))) {
+    return(asa_api_error_payload(res, 503L, "Service unavailable."))
+  }
+
   if (!asa_api_has_required_bearer_token(req)) {
-    return(asa_api_error_payload(res, 401L, "Unauthorized: submit Authorization: Bearer 999."))
+    return(asa_api_error_payload(res, 401L, "Unauthorized."))
   }
 
   plumber::forward()
@@ -105,7 +109,7 @@ function() {
 #* @serializer unboxedJSON
 function(req, res) {
   if (is.character(.asa_api_boot_error) && nzchar(trimws(.asa_api_boot_error))) {
-    return(asa_api_error_payload(res, 503L, .asa_api_boot_error))
+    return(asa_api_error_payload(res, 503L, "Service unavailable."))
   }
 
   parse_error <- NULL
@@ -134,7 +138,7 @@ function(req, res) {
 #* @serializer unboxedJSON
 function(req, res) {
   if (is.character(.asa_api_boot_error) && nzchar(trimws(.asa_api_boot_error))) {
-    return(asa_api_error_payload(res, 503L, .asa_api_boot_error))
+    return(asa_api_error_payload(res, 503L, "Service unavailable."))
   }
 
   parse_error <- NULL
@@ -163,7 +167,7 @@ function(req, res) {
 #* @serializer unboxedJSON
 function(req, res) {
   if (is.character(.asa_api_boot_error) && nzchar(trimws(.asa_api_boot_error))) {
-    return(asa_api_error_payload(res, 503L, .asa_api_boot_error))
+    return(asa_api_error_payload(res, 503L, "Service unavailable."))
   }
 
   parse_error <- NULL
@@ -178,10 +182,8 @@ function(req, res) {
     return(asa_api_error_payload(res, 400L, parse_error))
   }
 
-  gui_password <- trimws(Sys.getenv("GUI_PASSWORD", unset = "XXX"))
-  supplied_password <- asa_api_scalar_chr(payload$password, default = "")
-  if (!identical(supplied_password, gui_password)) {
-    return(asa_api_error_payload(res, 401L, "Unauthorized: invalid GUI password."))
+  if (!asa_api_has_required_gui_password(payload$password)) {
+    return(asa_api_error_payload(res, 401L, "Unauthorized."))
   }
 
   payload$include_raw_output <- FALSE

README.md

@@ -29,14 +29,16 @@ It uses:
 ## Security Model
 
 - API bearer auth is required for `/v1/*`:
-  - Include `Authorization: Bearer 999`
+  - Include `Authorization: Bearer $ASA_API_BEARER_TOKEN`
 - GUI auth is password-based:
-  - `/gui/query` checks `GUI_PASSWORD` 
+  - `/gui/query` verifies the submitted password against an in-memory hash derived from `GUI_PASSWORD`
+- The service fails closed if either auth secret env var is missing or blank.
 
 ## Required Environment Variables
 
 Set these when running the container:
 
+- `ASA_API_BEARER_TOKEN`
 - `GOOGLE_API_KEY` (or the provider key you use)
 - `GUI_PASSWORD`
 
@@ -45,6 +47,7 @@ Optional secrets / vars:
 - `ASA_DEFAULT_BACKEND` (defaults to `gemini` if unset; examples: `openai`, `groq`, `anthropic`, `gemini`, `openrouter`)
 - `ASA_DEFAULT_MODEL` (example: `gemini-2.5-flash`)
 - `ASA_CONDA_ENV` (default: `asa_env`)
+- `ASA_ENABLE_TOR` (default: `false`; set to `true` to route ASA search/web traffic through the bundled local Tor proxy)
 - `ASA_USE_BROWSER_DEFAULT` (default: `false`, recommended for container stability)
 - `CORS_ALLOW_ORIGIN` (default: `*`)
 
@@ -70,7 +73,7 @@ curl -s http://localhost:7860/healthz
 ```bash
 curl -s http://localhost:7860/v1/run \
   -H "Content-Type: application/json" \
-  -H "Authorization: Bearer 999" \
+  -H "Authorization: Bearer ${ASA_API_BEARER_TOKEN}" \
   -d '{
     "prompt": "What is the population of Tokyo?",
     "config": {
@@ -88,7 +91,7 @@ curl -s http://localhost:7860/v1/run \
 
 ```bash
 curl -s http://localhost:7860/v1/run \
-  -H "Authorization: Bearer 999" \
+  -H "Authorization: Bearer ${ASA_API_BEARER_TOKEN}" \
   -H "Content-Type: application/json" \
   -d '{
     "prompt": "Find Marie Curie birth year and nationality. Return JSON.",
@@ -102,7 +105,7 @@ curl -s http://localhost:7860/v1/run \
 
 ```bash
 curl -s http://localhost:7860/v1/batch \
-  -H "Authorization: Bearer 999" \
+  -H "Authorization: Bearer ${ASA_API_BEARER_TOKEN}" \
   -H "Content-Type: application/json" \
   -d '{
     "prompts": [
@@ -188,7 +191,7 @@ R dependency strategy in this image:
 - This avoids source-compile failures such as `sodium` -> `plumber` install breaks.
 - The Docker build pre-creates `asa_env` with pinned `python=3.12.3` and `openssl=3.0.13` before calling `asa::build_backend()`, reducing rebuild drift that can break `reticulate` SSL imports on Ubuntu 24.04 / Hugging Face rebuilds.
 - Runtime linker guardrails are set so `reticulate` prefers conda environment libraries (`/opt/conda/envs/asa_env/lib` and `/opt/conda/lib`) to avoid C++ ABI loader mismatches.
-- Tor is installed in the image and started before the API. If Tor does not become ready, the container exits instead of serving direct search traffic.
+- Tor is installed in the image and remains available for opt-in startup through `ASA_ENABLE_TOR=true`.
 
 Build args:
 
@@ -207,8 +210,9 @@ Local run:
 
 ```bash
 docker run --rm -p 7860:7860 \
+  -e ASA_API_BEARER_TOKEN=your-api-bearer-token \
   -e GOOGLE_API_KEY=... \
-  -e GUI_PASSWORD=XXX \
+  -e GUI_PASSWORD=your-gui-password \
   asa-api
 ```
 
@@ -216,9 +220,22 @@ Then open:
 - `http://localhost:7860/healthz`
 - `http://localhost:7860/`
 
-## Tor Deployment Defaults
+Tor stays off in that default run. To opt in later:
 
-The container deploys Tor locally and exports these runtime defaults before starting `plumber`:
+```bash
+docker run --rm -p 7860:7860 \
+  -e ASA_API_BEARER_TOKEN=your-api-bearer-token \
+  -e GOOGLE_API_KEY=... \
+  -e GUI_PASSWORD=your-gui-password \
+  -e ASA_ENABLE_TOR=true \
+  asa-api
+```
+
+## Tor Integration
+
+The image still includes Tor and the Tor entrypoint integration, but `asa-api` does not activate it unless `ASA_ENABLE_TOR=true`.
+
+When Tor is enabled, the container deploys Tor locally and exports these runtime defaults before starting `plumber`:
 
 - `ASA_PROXY=socks5h://127.0.0.1:9050`
 - `TOR_CONTROL_PORT=9051`
@@ -230,11 +247,13 @@ Tor scope is intentionally limited:
 - LLM provider API traffic remains direct, matching upstream `asa` behavior.
 - Browser/Selenium search remains disabled by default.
 
-Startup behavior is fail-closed:
+Startup behavior when `ASA_ENABLE_TOR=true` is fail-closed:
 
 - Tor must answer a probe to `https://check.torproject.org/api/ip` with `IsTor=true`.
 - If the SOCKS proxy, ControlPort, or cookie setup never becomes ready, the container exits non-zero.
 
+When `ASA_ENABLE_TOR=false`, the startup script skips Tor bootstrap and clears Tor proxy env vars before launching the API, so the agent pipeline runs direct.
+
 `GET /healthz` now includes Tor readiness fields:
 
 - `tor_enabled`
@@ -246,6 +265,7 @@ Startup behavior is fail-closed:
 
 You can override the local proxy defaults if needed:
 
+- `ASA_ENABLE_TOR`
 - `ASA_PROXY`
 - `TOR_CONTROL_PORT`
 - `ASA_TOR_CONTROL_COOKIE`

Tests/api_contract_smoke.R

@@ -2,6 +2,36 @@ suppressPackageStartupMessages({
   library(asa)
 })
 
+auth_fixture <- c(
+  ASA_API_BEARER_TOKEN = "test-bearer-secret",
+  GUI_PASSWORD = "test-gui-secret"
+)
+tor_fixture_names <- c(
+  "ASA_ENABLE_TOR",
+  "ASA_PROXY",
+  "TOR_CONTROL_PORT",
+  "ASA_TOR_CONTROL_COOKIE"
+)
+managed_env_names <- c(names(auth_fixture), tor_fixture_names)
+previous_managed_env <- Sys.getenv(managed_env_names, unset = NA_character_)
+restore_managed_env <- function() {
+  for (name in names(previous_managed_env)) {
+    value <- previous_managed_env[[name]]
+    if (is.na(value)) {
+      Sys.unsetenv(name)
+    } else {
+      do.call(Sys.setenv, stats::setNames(list(value), name))
+    }
+  }
+}
+on.exit({
+  restore_managed_env()
+  if (exists("asa_api_clear_auth_cache", mode = "function")) {
+    asa_api_clear_auth_cache()
+  }
+}, add = TRUE)
+do.call(Sys.setenv, as.list(auth_fixture))
+
 args <- commandArgs(trailingOnly = FALSE)
 file_arg <- "--file="
 script_arg <- args[grepl(paste0("^", file_arg), args)]
@@ -13,6 +43,7 @@ script_path <- if (length(script_arg)) {
 
 repo_root <- normalizePath(file.path(dirname(script_path), ".."), mustWork = TRUE)
 source(file.path(repo_root, "R", "asa_api_helpers.R"))
+asa_api_refresh_auth_cache(force = TRUE)
 
 assert_true <- function(condition, message) {
   if (!isTRUE(condition)) {
@@ -136,13 +167,19 @@ assert_true(
   "Health and GUI routes should remain outside bearer auth scope."
 )
 assert_true(
-  identical(asa_api_required_bearer_token(), "999"),
-  "Bearer auth should require the fixed token 999."
+  identical(asa_api_missing_auth_env_vars(), character(0)),
+  "Auth bootstrap should require explicit bearer-token and GUI-password env vars."
+)
+assert_true(
+  is.character(.asa_api_auth_cache$api_bearer_token_hash) &&
+    nzchar(.asa_api_auth_cache$api_bearer_token_hash) &&
+    !identical(.asa_api_auth_cache$api_bearer_token_hash, auth_fixture[["ASA_API_BEARER_TOKEN"]]),
+  "Bearer auth should store a derived hash rather than the raw bearer token."
 )
 assert_true(
   identical(
-    asa_api_extract_bearer_token(mock_request(authorization = "Bearer 999")),
-    "999"
+    asa_api_extract_bearer_token(mock_request(authorization = sprintf("Bearer %s", auth_fixture[["ASA_API_BEARER_TOKEN"]]))),
+    auth_fixture[["ASA_API_BEARER_TOKEN"]]
   ),
   "Bearer extraction should accept the required token."
 )
@@ -150,31 +187,58 @@ assert_true(
   identical(
     asa_api_extract_bearer_token(list(
       PATH_INFO = "/v1/run",
-      HEADERS = list(Authorization = "Bearer 999")
+      HEADERS = list(Authorization = sprintf("Bearer %s", auth_fixture[["ASA_API_BEARER_TOKEN"]]))
     )),
-    "999"
+    auth_fixture[["ASA_API_BEARER_TOKEN"]]
   ),
   "Bearer extraction should match Authorization headers case-insensitively."
 )
 assert_true(
   identical(
-    asa_api_extract_bearer_token(mock_request(authorization = "Basic 999")),
+    asa_api_extract_bearer_token(mock_request(authorization = sprintf("Basic %s", auth_fixture[["ASA_API_BEARER_TOKEN"]]))),
     ""
   ),
   "Non-bearer Authorization schemes should not be accepted."
 )
 assert_true(
-  isTRUE(asa_api_has_required_bearer_token(mock_request(authorization = "Bearer 999"))),
-  "Bearer auth should accept Authorization: Bearer 999."
+  isTRUE(asa_api_has_required_bearer_token(mock_request(
+    authorization = sprintf("Bearer %s", auth_fixture[["ASA_API_BEARER_TOKEN"]])
+  ))),
+  "Bearer auth should accept the configured Authorization header."
 )
 assert_true(
   !isTRUE(asa_api_has_required_bearer_token(mock_request(authorization = "Bearer wrong"))),
   "Bearer auth should reject the wrong token."
 )
 assert_true(
-  !isTRUE(asa_api_has_required_bearer_token(mock_request(x_api_key = "999"))),
+  !isTRUE(asa_api_has_required_bearer_token(mock_request(x_api_key = auth_fixture[["ASA_API_BEARER_TOKEN"]]))),
   "Legacy x-api-key auth should no longer be accepted."
 )
+assert_true(
+  isTRUE(asa_api_has_required_gui_password(auth_fixture[["GUI_PASSWORD"]])),
+  "GUI auth should accept the configured password."
+)
+assert_true(
+  !isTRUE(asa_api_has_required_gui_password("wrong-password")),
+  "GUI auth should reject the wrong password."
+)
+
+asa_api_clear_auth_cache()
+Sys.unsetenv("ASA_API_BEARER_TOKEN")
+expect_error_contains(
+  asa_api_refresh_auth_cache(force = TRUE),
+  "ASA_API_BEARER_TOKEN"
+)
+do.call(Sys.setenv, stats::setNames(list(auth_fixture[["ASA_API_BEARER_TOKEN"]]), "ASA_API_BEARER_TOKEN"))
+
+asa_api_clear_auth_cache()
+Sys.unsetenv("GUI_PASSWORD")
+expect_error_contains(
+  asa_api_refresh_auth_cache(force = TRUE),
+  "GUI_PASSWORD"
+)
+do.call(Sys.setenv, stats::setNames(list(auth_fixture[["GUI_PASSWORD"]]), "GUI_PASSWORD"))
+asa_api_refresh_auth_cache(force = TRUE)
 
 health_payload <- asa_api_health_payload()
 assert_true(
@@ -193,6 +257,26 @@ if (isTRUE(health_payload$direct_provider_available)) {
   )
 }
 
+Sys.unsetenv(tor_fixture_names)
+tor_health_disabled <- asa_api_tor_health()
+assert_true(
+  identical(tor_health_disabled$tor_enabled, FALSE) &&
+    identical(tor_health_disabled$tor_ready, FALSE),
+  "Tor health should report disabled when the proxy env vars are absent."
+)
+assert_true(
+  is.null(tor_health_disabled$tor_proxy) &&
+    is.null(tor_health_disabled$tor_control_port),
+  "Tor health should omit proxy details when Tor is disabled."
+)
+health_without_tor <- asa_api_health_payload()
+assert_true(
+  identical(health_without_tor$status, "ok"),
+  "Service health should remain ok when Tor is intentionally disabled."
+)
+do.call(Sys.setenv, as.list(auth_fixture))
+asa_api_refresh_auth_cache(force = TRUE)
+
 {
   original_asa <- asa_api_run_single_via_asa
   original_direct <- asa_api_run_single_via_direct

Tests/example_API_call.R

@@ -3,11 +3,15 @@ library(httr2)
 library(jsonlite)
 
 base_url <- "http://localhost:7860"
+bearer_token <- trimws(Sys.getenv("ASA_API_BEARER_TOKEN", unset = ""))
+if (!nzchar(bearer_token)) {
+  stop("Set ASA_API_BEARER_TOKEN before running this example.", call. = FALSE)
+}
 
 resp <- request(paste0(base_url, "/v1/run")) |>
   req_headers(
     `Content-Type` = "application/json",
-    Authorization = "Bearer 999"
+    Authorization = sprintf("Bearer %s", bearer_token)
   ) |>
   req_body_json(list(prompt = "Return the single word OK."), auto_unbox = TRUE) |>
   req_perform()

Tests/startup_no_tor_smoke.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+repo_root="$(cd "${script_dir}/.." && pwd)"
+tmp_dir="$(mktemp -d)"
+stub_dir="${tmp_dir}/bin"
+env_capture="${tmp_dir}/env.txt"
+tor_called="${tmp_dir}/tor-called"
+
+cleanup() {
+  rm -rf "${tmp_dir}"
+}
+trap cleanup EXIT
+
+mkdir -p "${stub_dir}"
+
+cat > "${stub_dir}/tor" <<EOF
+#!/usr/bin/env bash
+echo called > "${tor_called}"
+exit 99
+EOF
+
+cat > "${stub_dir}/Rscript" <<EOF
+#!/usr/bin/env bash
+env | sort > "${env_capture}"
+exit 0
+EOF
+
+chmod +x "${stub_dir}/tor" "${stub_dir}/Rscript"
+
+(
+  cd "${repo_root}"
+  PATH="${stub_dir}:${PATH}" \
+    ASA_ENABLE_TOR=false \
+    ASA_PROXY=socks5h://127.0.0.1:9050 \
+    TOR_CONTROL_PORT=9051 \
+    ASA_TOR_CONTROL_COOKIE=/tmp/tor/control.authcookie \
+    PORT=8123 \
+    bash scripts/start-with-tor.sh
+)
+
+if [[ -f "${tor_called}" ]]; then
+  echo "Tor should not be invoked when ASA_ENABLE_TOR=false." >&2
+  exit 1
+fi
+
+if [[ ! -s "${env_capture}" ]]; then
+  echo "Rscript stub did not capture the environment." >&2
+  exit 1
+fi
+
+if grep -Eq '^(ASA_PROXY|TOR_CONTROL_PORT|ASA_TOR_CONTROL_COOKIE)=' "${env_capture}"; then
+  echo "Tor-related proxy environment variables should be cleared before starting the API." >&2
+  exit 1
+fi
+
+if ! grep -q '^ASA_ENABLE_TOR=false$' "${env_capture}"; then
+  echo "ASA_ENABLE_TOR should remain visible to the API process." >&2
+  exit 1
+fi
+
+if ! grep -q '^PORT=8123$' "${env_capture}"; then
+  echo "Expected the API process to receive the configured PORT." >&2
+  exit 1
+fi
+
+echo "startup_no_tor_smoke passed"

scripts/start-with-tor.sh

@@ -5,6 +5,28 @@ log() {
   printf '[asa-api] %s\n' "$*" >&2
 }
 
+run_api() {
+  log "Starting API on port ${PORT:-7860}"
+  exec Rscript -e 'pr <- plumber::plumb("R/plumber.R"); pr$run(host = "0.0.0.0", port = as.integer(Sys.getenv("PORT", "7860")))'
+}
+
+enable_tor="${ASA_ENABLE_TOR:-false}"
+enable_tor="$(printf '%s' "${enable_tor}" | tr '[:upper:]' '[:lower:]')"
+
+case "${enable_tor}" in
+  1|true|t|yes|y|on)
+    ;;
+  0|false|f|no|n|off|'')
+    log "Tor integration disabled for this run; clearing proxy environment"
+    unset ASA_PROXY TOR_CONTROL_PORT ASA_TOR_CONTROL_COOKIE
+    run_api
+    ;;
+  *)
+    log "ASA_ENABLE_TOR must be a boolean value. Got: ${ASA_ENABLE_TOR:-}"
+    exit 1
+    ;;
+esac
+
 proxy_url="${ASA_PROXY:-socks5h://127.0.0.1:9050}"
 proxy_without_scheme="${proxy_url#*://}"
 proxy_host_port="${proxy_without_scheme%%/*}"
@@ -118,5 +140,5 @@ export ASA_PROXY="${proxy_url}"
 export TOR_CONTROL_PORT="${control_port}"
 export ASA_TOR_CONTROL_COOKIE="${tor_cookie_path}"
 
-log "Tor ready; starting API on port ${PORT:-7860}"
-exec Rscript -e 'pr <- plumber::plumb("R/plumber.R"); pr$run(host = "0.0.0.0", port = as.integer(Sys.getenv("PORT", "7860")))'
+log "Tor ready; routing agent traffic through ${proxy_url}"
+run_api