sync: update from private repo (0844939)
Some checks failed
CI / build-and-test (push) Has been cancelled
Some checks failed
CI / build-and-test (push) Has been cancelled
This commit is contained in:
oss-sync
parent
00bf2ea16f
commit
b411151bad
@ -14,8 +14,11 @@ ui/dist
|
||||
vendor
|
||||
|
||||
.env
|
||||
.env.*
|
||||
config.yaml
|
||||
data
|
||||
data/secrets
|
||||
data/tls
|
||||
input
|
||||
logs
|
||||
output
|
||||
|
||||
4
.gitignore
vendored
4
.gitignore
vendored
@ -4,6 +4,8 @@ __pycache__/
|
||||
dist/
|
||||
data/
|
||||
.env
|
||||
.env.*
|
||||
!.env.example
|
||||
config.yaml
|
||||
.superpowers/
|
||||
*.db
|
||||
@ -15,7 +17,6 @@ logs/
|
||||
.worktrees/
|
||||
.claude/
|
||||
.playwright-mcp/
|
||||
.superpowers/
|
||||
# Agent skill installs (modern-web-guidance etc. via `skills add`) — local tooling,
|
||||
# not project source.
|
||||
.agents/
|
||||
@ -23,7 +24,6 @@ skills-lock.json
|
||||
orch.pid
|
||||
.server.pid
|
||||
src/generated/
|
||||
.worktrees/
|
||||
vendor/
|
||||
# Added by code-review-graph
|
||||
.code-review-graph/
|
||||
|
||||
32
SECURITY.md
32
SECURITY.md
@ -24,3 +24,35 @@ it as a privileged service:
|
||||
outside the repository and rotate them after suspected exposure.
|
||||
- Restrict `/metrics` with a bearer token or an explicit source-IP allowlist.
|
||||
- Review enabled tools and integrations before granting access to untrusted users.
|
||||
|
||||
## Secrets and Data
|
||||
|
||||
MAESTRO generates and stores several secrets. All of them live under the
|
||||
runtime data directory and are created with restrictive permissions:
|
||||
|
||||
| Secret | Default location | Mode |
|
||||
|--------|------------------|------|
|
||||
| Master encryption key (envelope encryption for MCP/SSH credentials) | `data/secrets/master.key` | `0600` |
|
||||
| MCP credential key | `data/secrets/mcp.key` | `0600` |
|
||||
| Session secret (signs login cookies; auto-generated when `auth.session_secret` is unset) | `data/secrets/session-secret.key` | `0600` |
|
||||
| Web Push (VAPID) keypair | `data/secrets/vapid.json` | `0600` |
|
||||
| Self-signed TLS material | `data/tls/` | `0600` keys |
|
||||
|
||||
`config.yaml` may hold a provider `api_key`, so the setup tooling writes it
|
||||
`0600`. These paths are excluded from version control (`.gitignore`) and from
|
||||
the Docker build context (`.dockerignore`); never commit them or bake them into
|
||||
an image.
|
||||
|
||||
Operational guidance:
|
||||
|
||||
- **Set a stable `auth.session_secret`** (or rely on the persisted
|
||||
`data/secrets/session-secret.key`) so restarts don't invalidate sessions; in a
|
||||
multi-node deployment, share the same secret across nodes.
|
||||
- **The data directory is sensitive.** Back it up with the same care as a
|
||||
password store; restrict filesystem access to the service user.
|
||||
- **Core dumps are excluded** from the repository because they can contain the
|
||||
decrypted master key, SSH private keys, and the session secret in process
|
||||
memory. Keep them out of any artifact you share.
|
||||
- **Rotate after suspected exposure** and review the audit log.
|
||||
- Sensitive values are masked in the Settings UI and the config API responses;
|
||||
do not paste unmasked secrets into issues or logs.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user