certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 20:41:30 +00:00

Files

T

shankar0123 7e2481b225 fix(deploy): SEC-014 — loopback-bind Postgres host port in compose files

Acquisition-audit SEC-014 closure (Sprint 2 ACQ, 2026-05-16).

Both deploy/docker-compose.yml and deploy/docker-compose.test.yml
published Postgres on `5432:5432` — the short Docker port-mapping
form, which binds to 0.0.0.0 by default. On any host with a
public-facing NIC, that quietly exposed the Postgres TCP listener to
the internet. The certctl-server-to-postgres traffic itself goes over
the `certctl-network` Docker bridge, not the host port; the host
port mapping is a convenience for operator psql access and for the
integration-test runner that lives on the host.

Switch both mappings to `127.0.0.1:5432:5432` (loopback-only).
Operator psql via `localhost` keeps working; the integration-test
runner keeps working; cross-host exposure goes away.

Audit trail: docs/operator/security.md (Postgres transport encryption
subsection, SEC-014 paragraph).

2026-05-16 17:12:42 +00:00

helm

fix(helm): DEPL-003 + DEPL-006 — render viaHook env, sessionAffinity, HA backend default

2026-05-16 04:30:37 +00:00

test

docs(scale): TEST-005 — split scale baseline into its own canonical record

2026-05-16 05:19:57 +00:00

.env.example

fix(security): close BUNDLE 2 — safe first run, demo mode, agent bootstrap

2026-05-13 00:14:59 +00:00

demo-up.sh

fix(deploy): wire CERTCTL_DEMO_MODE_ACK_TS into the demo overlay path