feat: break-glass security reset
Implement dual-registry container publishing to both GHCR and Docker Hub
for maximum distribution reach. Add emergency security reset endpoint
("break-glass" mechanism) to recover from ACL lockout situations.
Key changes:
Docker Hub + GHCR dual publishing with Cosign signing and SBOM
Emergency reset endpoint POST /api/v1/emergency/security-reset
Token-based authentication bypasses Cerberus middleware
Rate limited (5/hour) with audit logging
30 new security enforcement E2E tests covering ACL, WAF, CrowdSec,
Rate Limiting, Security Headers, and Combined scenarios
Fixed container startup permission issue (tmpfs directory ownership)
Playwright config updated with testIgnore for browser projects
Security: Token via CHARON_EMERGENCY_TOKEN env var (32+ chars recommended)
Tests: 689 passed, 86% backend coverage, 85% frontend coverage
This commit is contained in:
GitHub Actions
42
.env.example
Normal file
42
.env.example
Normal file
@@ -0,0 +1,42 @@
|
||||
# Charon Environment Configuration Example
|
||||
# =========================================
|
||||
# Copy this file to .env and configure with your values.
|
||||
# Never commit your actual .env file to version control.
|
||||
|
||||
# =============================================================================
|
||||
# Required Configuration
|
||||
# =============================================================================
|
||||
|
||||
# Database encryption key - 32 bytes base64 encoded
|
||||
# Generate with: openssl rand -base64 32
|
||||
CHARON_ENCRYPTION_KEY=
|
||||
|
||||
# =============================================================================
|
||||
# Emergency Reset Token (Break-Glass Recovery)
|
||||
# =============================================================================
|
||||
|
||||
# Emergency reset token - minimum 32 characters
|
||||
# Used for break-glass recovery when locked out by ACL or other security modules.
|
||||
# This token allows bypassing all security mechanisms to regain access.
|
||||
#
|
||||
# SECURITY WARNING: Keep this token secure and rotate it periodically.
|
||||
# Only use this endpoint in genuine emergency situations.
|
||||
#
|
||||
# Generate with: openssl rand -hex 32
|
||||
CHARON_EMERGENCY_TOKEN=
|
||||
|
||||
# =============================================================================
|
||||
# Optional Configuration
|
||||
# =============================================================================
|
||||
|
||||
# Server port (default: 8080)
|
||||
# CHARON_HTTP_PORT=8080
|
||||
|
||||
# Database path (default: /app/data/charon.db)
|
||||
# CHARON_DB_PATH=/app/data/charon.db
|
||||
|
||||
# Enable debug mode (default: 0)
|
||||
# CHARON_DEBUG=0
|
||||
|
||||
# Use ACME staging environment (default: false)
|
||||
# CHARON_ACME_STAGING=false
|
||||
Reference in New Issue
Block a user