deploy(chat): SEC-3 /api/memory + MCP write-tool auth -> v20260619-sec3-5a8859b
Closes the live anon /api/memory GET leak (PR #25, 5a8859b). Image built+imported (RKE2 socket). 0 anon consumers verified; UI reads via DI. Fail-closed 401, scheme reg'd unconditionally. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Andrew Stoltz
committed by
Andrew Stoltz
Andrew Stoltz
parent
62a3e75ddc
commit
0c03e53df9
@@ -83,7 +83,7 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"image": "localhost/fc-chat-web:v20260617-chatfix-54fd549",
|
"image": "localhost/fc-chat-web:v20260619-sec3-5a8859b",
|
||||||
"imagePullPolicy": "Never",
|
"imagePullPolicy": "Never",
|
||||||
"livenessProbe": {
|
"livenessProbe": {
|
||||||
"failureThreshold": 3,
|
"failureThreshold": 3,
|
||||||
@@ -98,22 +98,22 @@
|
|||||||
"timeoutSeconds": 5
|
"timeoutSeconds": 5
|
||||||
},
|
},
|
||||||
"name": "chat-web",
|
"name": "chat-web",
|
||||||
"ports": [
|
"ports": [
|
||||||
{
|
{
|
||||||
"containerPort": 8080,
|
"containerPort": 8080,
|
||||||
"name": "http",
|
"name": "http",
|
||||||
"protocol": "TCP"
|
"protocol": "TCP"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"securityContext": {
|
"securityContext": {
|
||||||
"allowPrivilegeEscalation": false,
|
"allowPrivilegeEscalation": false,
|
||||||
"capabilities": {
|
"capabilities": {
|
||||||
"drop": [
|
"drop": [
|
||||||
"ALL"
|
"ALL"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"readOnlyRootFilesystem": true
|
"readOnlyRootFilesystem": true
|
||||||
},
|
},
|
||||||
"readinessProbe": {
|
"readinessProbe": {
|
||||||
"failureThreshold": 6,
|
"failureThreshold": 6,
|
||||||
"httpGet": {
|
"httpGet": {
|
||||||
@@ -138,49 +138,49 @@
|
|||||||
},
|
},
|
||||||
"terminationMessagePath": "/dev/termination-log",
|
"terminationMessagePath": "/dev/termination-log",
|
||||||
"terminationMessagePolicy": "File",
|
"terminationMessagePolicy": "File",
|
||||||
"volumeMounts": [
|
"volumeMounts": [
|
||||||
{
|
{
|
||||||
"mountPath": "/data",
|
"mountPath": "/data",
|
||||||
"name": "data"
|
"name": "data"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"mountPath": "/tmp",
|
"mountPath": "/tmp",
|
||||||
"name": "temp"
|
"name": "temp"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"mountPath": "/app/logs",
|
"mountPath": "/app/logs",
|
||||||
"name": "logs"
|
"name": "logs"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"dnsPolicy": "ClusterFirst",
|
"dnsPolicy": "ClusterFirst",
|
||||||
"restartPolicy": "Always",
|
"restartPolicy": "Always",
|
||||||
"schedulerName": "default-scheduler",
|
"schedulerName": "default-scheduler",
|
||||||
"securityContext": {
|
"securityContext": {
|
||||||
"fsGroup": 1654,
|
"fsGroup": 1654,
|
||||||
"fsGroupChangePolicy": "OnRootMismatch",
|
"fsGroupChangePolicy": "OnRootMismatch",
|
||||||
"runAsGroup": 1654,
|
"runAsGroup": 1654,
|
||||||
"runAsNonRoot": true,
|
"runAsNonRoot": true,
|
||||||
"runAsUser": 1654
|
"runAsUser": 1654
|
||||||
},
|
},
|
||||||
"terminationGracePeriodSeconds": 30,
|
"terminationGracePeriodSeconds": 30,
|
||||||
"volumes": [
|
"volumes": [
|
||||||
{
|
{
|
||||||
"name": "data",
|
"name": "data",
|
||||||
"persistentVolumeClaim": {
|
"persistentVolumeClaim": {
|
||||||
"claimName": "chat-web-data"
|
"claimName": "chat-web-data"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"emptyDir": {},
|
"emptyDir": {},
|
||||||
"name": "temp"
|
"name": "temp"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"emptyDir": {},
|
"emptyDir": {},
|
||||||
"name": "logs"
|
"name": "logs"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user