Add comprehensive E2E testing infrastructure including:
docker-compose.playwright.yml for test environment orchestration
TestDataManager utility for per-test namespace isolation
Wait helpers for flaky test prevention
Role-based auth fixtures for admin/user/guest testing
GitHub Actions e2e-tests.yml with 4-shard parallelization
Health check utility for service readiness validation
Phase 0 of 10-week E2E testing plan (Supervisor approved 9.2/10)
All 52 existing E2E tests pass with new infrastructure
- Implement API tests for DNS Provider Types, validating built-in and custom providers.
- Create UI tests for provider selection, ensuring all types are displayed and descriptions are shown.
- Introduce fixtures for consistent test data across DNS Provider tests.
- Update manual DNS provider tests to improve structure and accessibility checks.
Implement Phase 3 of Custom DNS Provider Plugin Support with comprehensive
security controls for external plugin loading.
Add CHARON_PLUGIN_SIGNATURES env var for SHA-256 signature allowlisting
Support permissive (unset), strict ({}), and allowlist modes
Add directory permission verification (reject world-writable)
Configure container with non-root user and read-only plugin mount option
Add 22+ security tests for permissions, signatures, and allowlist logic
Create plugin-security.md operator documentation
Security controls:
Signature verification with sha256: prefix requirement
World-writable directory rejection
Non-root container execution (charon user UID 1000)
Read-only mount support for production deployments
Documented TOCTOU mitigation with atomic deployment workflow
- Add encryption key environment variable to docker-compose.yml,
docker-compose.dev.yml, docker-compose.local.yml, docker-compose.test.yml
- Update README.md Quick Start examples (compose and docker run)
- Include generation instructions: openssl rand -base64 32
Required for DNS provider and plugin features which encrypt sensitive data at rest.
