From b411151bad15cbd42e1302bf3296456caa35ded1 Mon Sep 17 00:00:00 2001 From: oss-sync Date: Tue, 16 Jun 2026 03:35:01 +0000 Subject: [PATCH] sync: update from private repo (0844939) --- .dockerignore | 3 +++ .gitignore | 4 ++-- SECURITY.md | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/.dockerignore b/.dockerignore index 7afd3fb..e34bed7 100644 --- a/.dockerignore +++ b/.dockerignore @@ -14,8 +14,11 @@ ui/dist vendor .env +.env.* config.yaml data +data/secrets +data/tls input logs output diff --git a/.gitignore b/.gitignore index 793d266..a9b3a1d 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ __pycache__/ dist/ data/ .env +.env.* +!.env.example config.yaml .superpowers/ *.db @@ -15,7 +17,6 @@ logs/ .worktrees/ .claude/ .playwright-mcp/ -.superpowers/ # Agent skill installs (modern-web-guidance etc. via `skills add`) — local tooling, # not project source. .agents/ @@ -23,7 +24,6 @@ skills-lock.json orch.pid .server.pid src/generated/ -.worktrees/ vendor/ # Added by code-review-graph .code-review-graph/ diff --git a/SECURITY.md b/SECURITY.md index 27022a2..a2823e7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -24,3 +24,35 @@ it as a privileged service: outside the repository and rotate them after suspected exposure. - Restrict `/metrics` with a bearer token or an explicit source-IP allowlist. - Review enabled tools and integrations before granting access to untrusted users. + +## Secrets and Data + +MAESTRO generates and stores several secrets. All of them live under the +runtime data directory and are created with restrictive permissions: + +| Secret | Default location | Mode | +|--------|------------------|------| +| Master encryption key (envelope encryption for MCP/SSH credentials) | `data/secrets/master.key` | `0600` | +| MCP credential key | `data/secrets/mcp.key` | `0600` | +| Session secret (signs login cookies; auto-generated when `auth.session_secret` is unset) | `data/secrets/session-secret.key` | `0600` | +| Web Push (VAPID) keypair | `data/secrets/vapid.json` | `0600` | +| Self-signed TLS material | `data/tls/` | `0600` keys | + +`config.yaml` may hold a provider `api_key`, so the setup tooling writes it +`0600`. These paths are excluded from version control (`.gitignore`) and from +the Docker build context (`.dockerignore`); never commit them or bake them into +an image. + +Operational guidance: + +- **Set a stable `auth.session_secret`** (or rely on the persisted + `data/secrets/session-secret.key`) so restarts don't invalidate sessions; in a + multi-node deployment, share the same secret across nodes. +- **The data directory is sensitive.** Back it up with the same care as a + password store; restrict filesystem access to the service user. +- **Core dumps are excluded** from the repository because they can contain the + decrypted master key, SSH private keys, and the session secret in process + memory. Keep them out of any artifact you share. +- **Rotate after suspected exposure** and review the audit log. +- Sensitive values are masked in the Settings UI and the config API responses; + do not paste unmasked secrets into issues or logs.
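Review bot: in the .dockerignore hunk, `data/secrets` and `data/tls` are already excluded by the existing `data` entry two lines above, so they are redundant; either drop them or replace the broad `data` rule with the specific ones, but carrying both invites the lists to drift. Also, unlike the .gitignore hunk, `.env.*` here has no `!.env.example` exception, so the example file is kept in git but dropped from the build context; that is a reasonable choice, but say so in a comment so the two files are not "fixed" back into agreement later.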
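Review bot: the `!.env.example` re-include in the first .gitignore hunk only works because it follows `.env.*` (git applies the last matching rule), so add a one-line comment above it, as the file already does for `.agents/`, to stop a future sort or dedupe pass from reordering it. The two later hunks that remove `.superpowers/` and `.worktrees/` are clean dedupes of entries retained in the earlier context, with no change in what is ignored.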
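Review bot: the SECURITY.md bullet "Core dumps are excluded from the repository" describes an ignore rule that nothing in this patch adds (neither .gitignore hunk introduces a `core` or `core.*` pattern), so either add the pattern in the same change or reword the bullet to say how core dumps are prevented at runtime, since the real risk it names (decrypted master key and SSH keys in process memory) is not addressed by a repository exclusion at all. In the table, the `data/tls/` row puts a directory in the location column and `0600 keys` in the mode column; split it into key and certificate rows, and state the expected mode of the `data/secrets` and `data/tls` directories themselves, because the sentence above promises restrictive permissions for everything listed. The first operational bullet tells multi-node deployments to "share the same secret across nodes" but also offers relying on the auto-generated `data/secrets/session-secret.key`; unless nodes share a data directory, per-node auto-generation yields a different key on each node, so say plainly that multi-node setups must set `auth.session_secret` explicitly. Finally, "Rotate after suspected exposure" has no procedure for `master.key`, which the table says envelope-encrypts MCP/SSH credentials; rotating it without re-wrapping those credentials leaves them undecryptable, so link or describe the rotation steps here.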