Charon

akanealw/Charon

Fork 0

Commit Graph

Author	SHA1	Message	Date
GitHub Actions	2f44da2c34	feat(security): add plugin signature allowlisting and security hardening Implement Phase 3 of Custom DNS Provider Plugin Support with comprehensive security controls for external plugin loading. Add CHARON_PLUGIN_SIGNATURES env var for SHA-256 signature allowlisting Support permissive (unset), strict ({}), and allowlist modes Add directory permission verification (reject world-writable) Configure container with non-root user and read-only plugin mount option Add 22+ security tests for permissions, signatures, and allowlist logic Create plugin-security.md operator documentation Security controls: Signature verification with sha256: prefix requirement World-writable directory rejection Non-root container execution (charon user UID 1000) Read-only mount support for production deployments Documented TOCTOU mitigation with atomic deployment workflow	2026-01-14 19:59:41 +00:00
GitHub Actions	33bb3d1deb	chore: add CHARON_ENCRYPTION_KEY to all Docker Compose files and README - Add encryption key environment variable to docker-compose.yml, docker-compose.dev.yml, docker-compose.local.yml, docker-compose.test.yml - Update README.md Quick Start examples (compose and docker run) - Include generation instructions: openssl rand -base64 32 Required for DNS provider and plugin features which encrypt sensitive data at rest.	2026-01-08 23:22:00 +00:00
GitHub Actions	05c2045f06	chore: reorganize repository structure - Move docker-compose files to .docker/compose/ - Move docker-entrypoint.sh to .docker/ - Move DOCKER.md to .docker/README.md - Move 16 implementation docs to docs/implementation/ - Delete test artifacts (block_test.txt, caddy_*.json) - Update all references in Dockerfile, Makefile, tasks, scripts - Add .github/instructions/structure.instructions.md for enforcement - Update CHANGELOG.md Root level reduced from 81 items to ~35 visible items.	2025-12-21 04:57:31 +00:00

Author

SHA1

Message

Date

GitHub Actions

2f44da2c34

feat(security): add plugin signature allowlisting and security hardening

Implement Phase 3 of Custom DNS Provider Plugin Support with comprehensive
security controls for external plugin loading.

Add CHARON_PLUGIN_SIGNATURES env var for SHA-256 signature allowlisting
Support permissive (unset), strict ({}), and allowlist modes
Add directory permission verification (reject world-writable)
Configure container with non-root user and read-only plugin mount option
Add 22+ security tests for permissions, signatures, and allowlist logic
Create plugin-security.md operator documentation
Security controls:

Signature verification with sha256: prefix requirement
World-writable directory rejection
Non-root container execution (charon user UID 1000)
Read-only mount support for production deployments
Documented TOCTOU mitigation with atomic deployment workflow

2026-01-14 19:59:41 +00:00

GitHub Actions

33bb3d1deb

chore: add CHARON_ENCRYPTION_KEY to all Docker Compose files and README

- Add encryption key environment variable to docker-compose.yml,
  docker-compose.dev.yml, docker-compose.local.yml, docker-compose.test.yml
- Update README.md Quick Start examples (compose and docker run)
- Include generation instructions: openssl rand -base64 32

Required for DNS provider and plugin features which encrypt sensitive data at rest.

2026-01-08 23:22:00 +00:00

GitHub Actions

05c2045f06

chore: reorganize repository structure

- Move docker-compose files to .docker/compose/
- Move docker-entrypoint.sh to .docker/
- Move DOCKER.md to .docker/README.md
- Move 16 implementation docs to docs/implementation/
- Delete test artifacts (block_test.txt, caddy_*.json)
- Update all references in Dockerfile, Makefile, tasks, scripts
- Add .github/instructions/structure.instructions.md for enforcement
- Update CHANGELOG.md

Root level reduced from 81 items to ~35 visible items.

2025-12-21 04:57:31 +00:00

3 Commits