deploy(chat): SEC-3 /api/memory + MCP write-tool auth -> v20260619-sec3-5a8859b
Closes the live anonymous /api/memory GET leak (PR #25, 5a8859b). Image built and imported (RKE2 socket). Verified 0 anonymous consumers; the UI reads via DI. Fails closed with 401; scheme registered unconditionally. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
committed by
Andrew Stoltz
parent
62a3e75ddc
commit
0c03e53df9
@@ -83,7 +83,7 @@
|
||||
}
|
||||
}
|
||||
],
|
||||
"image": "localhost/fc-chat-web:v20260617-chatfix-54fd549",
|
||||
"image": "localhost/fc-chat-web:v20260619-sec3-5a8859b",
|
||||
"imagePullPolicy": "Never",
|
||||
"livenessProbe": {
|
||||
"failureThreshold": 3,
|
||||
@@ -98,22 +98,22 @@
|
||||
"timeoutSeconds": 5
|
||||
},
|
||||
"name": "chat-web",
|
||||
"ports": [
|
||||
{
|
||||
"containerPort": 8080,
|
||||
"name": "http",
|
||||
"protocol": "TCP"
|
||||
}
|
||||
],
|
||||
"securityContext": {
|
||||
"allowPrivilegeEscalation": false,
|
||||
"capabilities": {
|
||||
"drop": [
|
||||
"ALL"
|
||||
]
|
||||
},
|
||||
"readOnlyRootFilesystem": true
|
||||
},
|
||||
"ports": [
|
||||
{
|
||||
"containerPort": 8080,
|
||||
"name": "http",
|
||||
"protocol": "TCP"
|
||||
}
|
||||
],
|
||||
"securityContext": {
|
||||
"allowPrivilegeEscalation": false,
|
||||
"capabilities": {
|
||||
"drop": [
|
||||
"ALL"
|
||||
]
|
||||
},
|
||||
"readOnlyRootFilesystem": true
|
||||
},
|
||||
"readinessProbe": {
|
||||
"failureThreshold": 6,
|
||||
"httpGet": {
|
||||
@@ -138,49 +138,49 @@
|
||||
},
|
||||
"terminationMessagePath": "/dev/termination-log",
|
||||
"terminationMessagePolicy": "File",
|
||||
"volumeMounts": [
|
||||
{
|
||||
"mountPath": "/data",
|
||||
"name": "data"
|
||||
},
|
||||
{
|
||||
"mountPath": "/tmp",
|
||||
"name": "temp"
|
||||
},
|
||||
{
|
||||
"mountPath": "/app/logs",
|
||||
"name": "logs"
|
||||
}
|
||||
]
|
||||
"volumeMounts": [
|
||||
{
|
||||
"mountPath": "/data",
|
||||
"name": "data"
|
||||
},
|
||||
{
|
||||
"mountPath": "/tmp",
|
||||
"name": "temp"
|
||||
},
|
||||
{
|
||||
"mountPath": "/app/logs",
|
||||
"name": "logs"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"dnsPolicy": "ClusterFirst",
|
||||
"restartPolicy": "Always",
|
||||
"schedulerName": "default-scheduler",
|
||||
"securityContext": {
|
||||
"fsGroup": 1654,
|
||||
"fsGroupChangePolicy": "OnRootMismatch",
|
||||
"runAsGroup": 1654,
|
||||
"runAsNonRoot": true,
|
||||
"runAsUser": 1654
|
||||
},
|
||||
"securityContext": {
|
||||
"fsGroup": 1654,
|
||||
"fsGroupChangePolicy": "OnRootMismatch",
|
||||
"runAsGroup": 1654,
|
||||
"runAsNonRoot": true,
|
||||
"runAsUser": 1654
|
||||
},
|
||||
"terminationGracePeriodSeconds": 30,
|
||||
"volumes": [
|
||||
{
|
||||
"name": "data",
|
||||
"persistentVolumeClaim": {
|
||||
"claimName": "chat-web-data"
|
||||
}
|
||||
},
|
||||
{
|
||||
"emptyDir": {},
|
||||
"name": "temp"
|
||||
},
|
||||
{
|
||||
"emptyDir": {},
|
||||
"name": "logs"
|
||||
}
|
||||
]
|
||||
{
|
||||
"name": "data",
|
||||
"persistentVolumeClaim": {
|
||||
"claimName": "chat-web-data"
|
||||
}
|
||||
},
|
||||
{
|
||||
"emptyDir": {},
|
||||
"name": "temp"
|
||||
},
|
||||
{
|
||||
"emptyDir": {},
|
||||
"name": "logs"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
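Review bot: The new `image` value in the first hunk (`"image": "localhost/fc-chat-web:v20260619-sec3-5a8859b"`) identifies the security fix only by tag, and with `"imagePullPolicy": "Never"` each node runs whatever local image currently carries that tag, so nothing in the manifest ties the running container to the build of 5a8859b. Consider pinning by digest, `"image": "localhost/fc-chat-web@sha256:<digest-of-imported-image>"` (placeholder; this assumes the node runtime resolves digest references for imported images), or at least recording the digest in the commit message and comparing it with the pod's `status.containerStatuses[].imageID` after rollout. Because the image is never pulled, a pod rescheduled onto a node where this tag was not imported will fail to start; the message mentions an import but not which nodes it covered. The second and third hunks appear to re-emit identical `ports`, `securityContext`, `volumeMounts` and `volumes` content (presumably an indentation-only change); moving that to a separate commit would keep the one-line security-relevant change easy to audit.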