Merged
Signed-off-by: Herklos <herklos@drakkar.software>
8faa2cd to 1db691a
GuillaumeDSM approved these changes Mar 20, 2026
| # Then encrypt: ansible-vault encrypt inventories/<env>/hosts.yml | ||
| # | ||
| # For a single-node dev setup, one host is enough. | ||
| # For staging/production, use 3+ nodes across different zones for redundancy. |
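Review bot: The "Then encrypt" comment at the top of this excerpt leaves hosts.yml in plaintext until the operator runs the command, and nothing in the visible lines says the unencrypted file must stay out of version control. Suggest adding a comment line stating that the file must be encrypted before it is committed, and one noting how the vault password is supplied when the playbook runs (`--ask-vault-pass` or `--vault-password-file`), so that the encrypt step is not skipped on a first deploy.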
1db691a to a6669a2
…d member role

Collections:
- Add product-profiles collection with JSON Schema validation (name, description, website, twitter, tags)
- Add product-logos binary collection with MIME type validation (PNG, JPEG, GIF, WebP)
- Add product-versions collection with JSON Schema validation for version documents
- Change signals readRoles from public to member (on-chain has_access gating)

Role enricher:
- Assign member role via on-chain has_access check (public products grant member to all, private to members only)
- Owner now gets both owner and member roles

Removed routes:
- Remove all manual product routes (GET/PUT) — replaced by declarative Starfish collections
- Remove unused /verify endpoint (auth handled by starfish role_resolver)
- Remove app.state dependencies (object_store, registry, platform_pubkey)
- Remove find_item helper (only used by deleted routes)

Security:
- Add security event logging for auth failures
- Reduce auth timestamp window from 30s to 10s

Nginx conf generator:
- Escape regex metacharacters in storage paths to prevent injection
- Validate collection names (alphanumeric/hyphens/underscores only)
- Reject zero/negative rate limit values

Infrastructure:
- Restrict Garage RPC port (3901) to peer node IPs via firewall rules
- Add no_log to sensitive Ansible tasks (key creation, .env render)
- Add Docker network isolation (frontend/backend)
- Add container resource limits and no-new-privileges security opt
- Add nginx healthcheck
- Pin ansible-core version
- Add deployed collections.json with all product and user collections

Tests:
- Add role enricher tests for member and not-owner-no-access scenarios
- Add nginx conf injection and edge case tests
- Update collection count and role assertions for new collections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
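The three nginx conf generator checks listed in the commit message above (escape regex metacharacters in storage paths, restrict collection names, reject zero/negative rate limits), sketched as an added example that is not the code from this PR. The function names, the emitted `location`/`limit_req` layout and the sample path are assumptions.

```python
import re

# Hypothetical sketch: names and the emitted nginx layout are assumptions,
# not the generator changed in this PR.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")          # alphanumeric/hyphens/underscores
REGEX_META = re.compile(r"([.^$*+?()\[\]|\\])")  # PCRE metacharacters to escape
NGINX_SYNTAX = set(" \t\r\n{};\"'#")             # would end or reshape a directive


class ConfigError(ValueError):
    """Raised instead of emitting a directive built from unsafe input."""


def literal_path(path):
    """Return `path` as a regex fragment that matches only that exact text."""
    if not path.startswith("/") or NGINX_SYNTAX & set(path):
        raise ConfigError(f"unsafe storage path: {path!r}")
    return REGEX_META.sub(r"\\\1", path)


def render_collection(name, storage_path, rate_per_sec):
    """Return (limit_req_zone directive, location block) for one collection."""
    if not NAME_RE.fullmatch(name):
        raise ConfigError(f"invalid collection name: {name!r}")
    if type(rate_per_sec) is not int or rate_per_sec <= 0:
        raise ConfigError(f"rate limit must be a positive integer: {rate_per_sec!r}")
    zone = f"rl_{name}"
    zone_directive = (
        f"limit_req_zone $binary_remote_addr zone={zone}:10m rate={rate_per_sec}r/s;"
    )
    location = (
        f"location ~ ^{literal_path(storage_path)}/[^/]+$ {{\n"
        f"    limit_req zone={zone};\n"
        f"}}\n"
    )
    return zone_directive, location


if __name__ == "__main__":
    # Constructed sample input.
    for part in render_collection("product-logos", "/data/logos.v2", 5):
        print(part)
```

The zone directive and the location block are returned separately because nginx accepts `limit_req_zone` only in the `http` context, while the `location` block belongs inside a `server`.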
a6669a2 to 7e37acb
Requires Drakkar-Software/Starfish#2