docs: SECURITY-DEPLOY.md — self-hosting hardening checklist (refs #106) #108

Merged: hyperpolymath merged 2 commits into main from audit/security-deploy on Jun 2, 2026
Conversation

@hyperpolymath (Owner)
DRAFT — please do not auto-merge.

Addresses concern 2 of #106 (self-audit, 2026-06-02).

Summary

Adds docs/SECURITY-DEPLOY.md — companion to THREAT-MODEL.adoc that
operationalises self-hosting hardening. Where the threat model
enumerates assets and threats, this document enumerates the concrete
controls a self-hoster must apply before going live.

Covers:

  • Pre-flight secrets-to-rotate table (Guardian, DB key, magic-link,
    Bolt TLS, HTTPS TLS, Phoenix secret_key_base, PAKE bootstrap).
  • Encryption-in-transit posture per channel (HTTPS, WSS, SRTP, QUIC).
  • Encryption-at-rest matrix per asset class — honest about current
    FDE-only state for the message store, with application-level
    AES-GCM flagged as Earn-the-Core work.
  • Default-off opt-in features (recording, federation, LLM upstream).
  • One-command-deploy pre-flight checklist.

Scope discipline

  • Pure docs, ~116 LoC, single new file.
  • SPDX-License-Identifier: MPL-2.0 per estate policy.
  • No code or config changes — operationalising the threat model is
    the prerequisite to making the controls executable.

Follow-ups (not in this PR)

  • Application-level at-rest crypto for the VeriSimDB-backed message
    store (Earn-the-Core).
  • Boot-time check that refuses to start in MIX_ENV=prod when any
    required secret is missing (small Elixir change; separate PR).

Test plan

  • Owner review of the secrets table for accuracy against
    config/runtime.exs.
  • Cross-check at-rest matrix against current VeriSimDB capabilities.
  • Decide whether to wire a mix burble.security_check task in a
    follow-up.

Echo-types audit

Not relevant at this surface.

🤖 Generated with Claude Code

Addresses concern 2 of #106 (self-audit). Companion to THREAT-MODEL.adoc:
operationalises pre-flight secrets-to-rotate, encryption-in-transit
posture, encryption-at-rest matrix per asset class, default-off opt-in
features, and a one-command-deploy checklist.

Honest about current at-rest state (FDE-only for message store;
application-level AES-GCM on Earn-the-Core roadmap).

Pure docs — no functional change.
github-actions Bot commented Jun 2, 2026

🔍 Hypatia Security Scan

Findings: 95 issues detected

Severity Count
🔴 Critical 3
🟠 High 7
🟡 Medium 85

⚠️ Action Required: Critical security issues found!

Findings shown (10 of the 95 reported; all from rule module workflow_audit, all severity medium):

File                      Type                      Action    Reason
governance.yml            unpinned_action           pin_sha   Action perpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention
affinescript-canary.yml   missing_timeout_minutes   flag      Issue in affinescript-canary.yml (reported twice)
boj-build.yml             missing_timeout_minutes   flag      Issue in boj-build.yml
casket-pages.yml          missing_timeout_minutes   flag      Issue in casket-pages.yml (reported twice)
codeql.yml                missing_timeout_minutes   flag      Issue in codeql.yml
dogfood-gate.yml          missing_timeout_minutes   flag      Issue in dogfood-gate.yml (reported three times)

Powered by Hypatia Neurosymbolic CI/CD Intelligence
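As an added illustration (not part of this PR and not the Hypatia tool's code), a stdlib-only Python audit that reproduces the two finding types the scan reported, `unpinned_action` and `missing_timeout_minutes`, over a constructed workflow file. It assumes the conventional two-space YAML indentation of GitHub workflow files and exempts jobs that call a reusable workflow, since those jobs cannot carry `timeout-minutes`; the org name, file name and SHA in the sample are placeholders.

```python
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job ids sit at 2-space indent under jobs:
def audit_workflow(filename, text):
    findings, in_jobs, job, jobs = [], False, None, {}
    for line in text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line.strip() and not line.startswith(" "):
            in_jobs = False  # a new top-level key ends the jobs: mapping
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            job = m.group(1)
            jobs[job] = {"timeout": False, "reusable": False}
            continue
        if job and line.startswith("    timeout-minutes:"):
            jobs[job]["timeout"] = True
        m = USES_RE.match(line)
        if not m:
            continue
        if job and line.startswith("    uses:"):
            jobs[job]["reusable"] = True  # job-level uses: calls a reusable workflow
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local action or image reference: nothing to SHA-pin
        if not re.fullmatch(r"[0-9a-f]{40}", ref.partition("@")[2]):
            findings.append({"file": filename, "type": "unpinned_action", "action": "pin_sha",
                             "reason": f"Action {ref} needs attention"})
    for name, info in jobs.items():
        if not (info["timeout"] or info["reusable"]):  # reusable-workflow jobs cannot set it
            findings.append({"file": filename, "type": "missing_timeout_minutes", "action": "flag",
                             "reason": f"Issue in {filename}: job {name!r} has no timeout-minutes"})
    return findings

# Constructed sample workflow (not from the repository); the 40-hex SHA is a placeholder.
SAMPLE = """\
jobs:
  governance:
    uses: example-org/standards/.github/workflows/governance-reusable.yml@main
  build:
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - uses: actions/setup-node@v4
  lint:
    timeout-minutes: 10
    steps:
      - uses: ./.github/actions/local-lint
"""
```

Running `audit_workflow("ci.yml", SAMPLE)` yields two `unpinned_action` records (the `@main` reusable workflow and `setup-node@v4`) and one `missing_timeout_minutes` record for the `build` job; the SHA-pinned checkout step and the local action produce nothing.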

@hyperpolymath hyperpolymath marked this pull request as ready for review June 2, 2026 11:17
@hyperpolymath hyperpolymath enabled auto-merge (squash) June 2, 2026 11:18
@hyperpolymath hyperpolymath merged commit 890c660 into main Jun 2, 2026
23 checks passed
@hyperpolymath hyperpolymath deleted the audit/security-deploy branch June 2, 2026 11:32