Skip to content

security: deploy hardening (fail-closed bind, secret-backup ignores, deps)#95

Merged
tcconnally merged 1 commit into
mainfrom
fix/deploy-hardening
Jul 5, 2026
Merged

security: deploy hardening (fail-closed bind, secret-backup ignores, deps)#95
tcconnally merged 1 commit into
mainfrom
fix/deploy-hardening

Conversation

@tcconnally

Copy link
Copy Markdown
Contributor

Deploy hardening — HIGH #1/#2 + MED #9/#11 + LOW #15/#16/#17 (2026-07-05 review)

Closes the deploy-posture findings — the class most likely to bite an internal rollout.

Tests

268 pass (pytest tests/ -q), +5 in test_deploy_guard.py (refuses public+auth-off;
allows loopback / auth-on / explicit opt-in). Verified via CLI: serve --host 0.0.0.0 exits with a clear "refusing to serve" error; --allow-insecure and
127.0.0.1 start normally. Only config/Docker/CI files + the startup guard changed.

- HIGH #1/#2: refuse to bind a non-loopback host with auth disabled (serve()
  guard + --allow-insecure / PLUTUS_ALLOW_INSECURE opt-in). Stops docker compose
  up / serve --host 0.0.0.0 from publishing an open billing console; the demo
  image sets --allow-insecure since its data is disposable. Covers the auth
  default-off AND fail-off-on-misconfig cases.
- MED #9: .gitignore/.dockerignore matched only *.plutus-bak-*; the real backups
  are config.yaml.bak-<ts> (file-sourced secrets) -> now config.yaml* + *.bak-*.
- MED #11: dependency upper bounds (stripe<14, reportlab<5, PyYAML<7, pytest<10).
- LOW #15: alerts.require_tls (opt-in) fails closed if TLS can't be established.
- LOW #16: Dockerfile runs as a non-root user.
- LOW #17: PyYAML is a hard requirement at server start (no silent config degrade).
- #10: docs/deploy-hardening.md — safe-deploy checklist for operators.

268 tests pass (+5 guard tests). Addresses the deploy-posture findings from the
2026-07-05 security review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@tcconnally tcconnally merged commit 04e62a2 into main Jul 5, 2026
8 checks passed
@tcconnally tcconnally deleted the fix/deploy-hardening branch July 5, 2026 18:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant