swallow/maestro
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

sync: update from private repo (0844939)
Some checks failed
CI / build-and-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
oss-sync 2026-06-16 03:35:01 +00:00
parent 00bf2ea16f
commit b411151bad
3 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.dockerignore
View File

@ -14,8 +14,11 @@ ui/dist
vendor vendor
.env .env
.env.*
config.yaml config.yaml
data data
data/secrets
data/tls
input input
logs logs
output output

4
.gitignore vendored
View File

@ -4,6 +4,8 @@ __pycache__/
dist/ dist/
data/ data/
.env .env
.env.*
!.env.example
config.yaml config.yaml
.superpowers/ .superpowers/
*.db *.db
@ -15,7 +17,6 @@ logs/
.worktrees/ .worktrees/
.claude/ .claude/
.playwright-mcp/ .playwright-mcp/
.superpowers/
# Agent skill installs (modern-web-guidance etc. via `skills add`) — local tooling, # Agent skill installs (modern-web-guidance etc. via `skills add`) — local tooling,
# not project source. # not project source.
.agents/ .agents/
@ -23,7 +24,6 @@ skills-lock.json
orch.pid orch.pid
.server.pid .server.pid
src/generated/ src/generated/
.worktrees/
vendor/ vendor/
# Added by code-review-graph # Added by code-review-graph
.code-review-graph/ .code-review-graph/

32
SECURITY.md
View File

@ -24,3 +24,35 @@ it as a privileged service:
outside the repository and rotate them after suspected exposure. outside the repository and rotate them after suspected exposure.
- Restrict `/metrics` with a bearer token or an explicit source-IP allowlist. - Restrict `/metrics` with a bearer token or an explicit source-IP allowlist.
- Review enabled tools and integrations before granting access to untrusted users. - Review enabled tools and integrations before granting access to untrusted users.
## Secrets and Data
MAESTRO generates and stores several secrets. All of them live under the
runtime data directory and are created with restrictive permissions:
| Secret | Default location | Mode |
|--------|------------------|------|
| Master encryption key (envelope encryption for MCP/SSH credentials) | `data/secrets/master.key` | `0600` |
| MCP credential key | `data/secrets/mcp.key` | `0600` |
| Session secret (signs login cookies; auto-generated when `auth.session_secret` is unset) | `data/secrets/session-secret.key` | `0600` |
| Web Push (VAPID) keypair | `data/secrets/vapid.json` | `0600` |
| Self-signed TLS material | `data/tls/` | `0600` keys |
`config.yaml` may hold a provider `api_key`, so the setup tooling writes it
`0600`. These paths are excluded from version control (`.gitignore`) and from
the Docker build context (`.dockerignore`); never commit them or bake them into
an image.
Operational guidance:
- **Set a stable `auth.session_secret`** (or rely on the persisted
`data/secrets/session-secret.key`) so restarts don't invalidate sessions; in a
multi-node deployment, share the same secret across nodes.
- **The data directory is sensitive.** Back it up with the same care as a
password store; restrict filesystem access to the service user.
- **Core dumps are excluded** from the repository because they can contain the
decrypted master key, SSH private keys, and the session secret in process
memory. Keep them out of any artifact you share.
- **Rotate after suspected exposure** and review the audit log.
- Sensitive values are masked in the Settings UI and the config API responses;
do not paste unmasked secrets into issues or logs.