fix(calm-hub): security hardening for ec2 stack and read-only deployment#2798
Merged
Conversation
Watchtower holds the Docker socket, so it must not auto-track a mutable latest tag.
rocketstack-matt
approved these changes
Jul 10, 2026
rocketstack-matt
left a comment
Member
There was a problem hiding this comment.
Verified the checksums vendored in install.sh against the real docker/compose v2.32.4 .sha256 release assets (match), confirmed the corrected watchtower README link resolves, and confirmed every handler under /api/calm/* already carries @authenticated or @PermissionsAllowed so the new coarse policy is a true no-op safety net.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Security scan of
calm-hub/ec2/and the calm-hub read-only deployment, with the low-risk hardening applied. Read-only enforcement itself was assessed as robust (global@PreMatchingverb filter + NitriteDB openedreadOnly(true)+chmod 0444DB file — no per-endpoint gaps found).Fixed:
nickfedor/watchtowerto1.19.0— the container holding the Docker socket no longer auto-tracks a mutablelatesttag (Watchtower never updates itself, so the pin is stable; bump instructions in compose comment + README)no-new-privileges+cap_drop: ALLto both ec2 services;read_onlyrootfs + tmpfs/tmponcalm-hub(native binary, baked-in read-only DB — nothing writes to disk)install.sh— previously fetched from the same host as the binary, which only proves transport integrityX-Content-Type-Options: nosniff+Referrer-Policy: no-referrerresponse headers (all profiles) and includeHEADin the header filter's method list/api/calm/*→authenticatedpath policy to the secure profile — safety net so a future unannotated endpoint is rejected rather than silently unauthenticated (every current method is annotated; no behaviour change)nickfedor→nicholas-fedor; old link 404s)Reviewed and accepted, no change (by design):
latest-read-only-nativetag (this is the feature;sha-*pinning documented)Type of Change
Affected Components
cli/)calm/)calm-ai/)calm-hub/)calm-hub-ui/)calm-server/)calm-widgets/)docs/)shared/)calm-plugins/vscode/)Commit Message Format ✅
fix(calm-hub): harden ec2 compose stack and pin watchtowerfix(calm-hub): add nosniff and referrer-policy security headersfix(calm-hub): add authenticated path policy for /api/calm in secure profileTesting
Verification performed:
../mvnw clean verify -Ddependency-check.skip=true— 2143 tests, 0 failures, JaCoCo coverage check greenlatest-read-only-nativeimage; fullsmoke-test.sh readonlypassed (all 405 assertions intact); Watchtower 1.19.0 healthy undercap_drop: ALLTestSecurityResponseHeadersShouldbash -n install.shcleanChecklist