Public-flip audit: env-driven paths, scrub audit-ticket prefixes, terser README

the host bind paths + LAN host pins replaced with env defaults. Repository URLs
→ git.sulkta.com. Audit-changelog scaffolding stripped from inline comments
(technical reasoning preserved). README sheds marketing scaffolding. AI-speak
in load-bearing prompts/SOULs left alone — that IS the product.
This commit is contained in:
Sulkta 2026-05-27 11:42:56 -07:00
parent e8365a3c51
commit 9328374cf3
13 changed files with 196 additions and 265 deletions

View file

@ -1,6 +1,5 @@
# Cauldron — copy to /srv/secrets/cauldron.env
# (chmod 600, root:root). Some values are already populated by the deploy
# bootstrap (CLAWDFORGE_*); fill in the rest before first start.
# Cauldron — copy to .env (chmod 600). Point compose at it via
# CAULDRON_ENV_FILE if you keep it elsewhere.
# Flask
SECRET_KEY=change-me-32-bytes-of-entropy
@ -9,11 +8,11 @@ SECRET_KEY=change-me-32-bytes-of-entropy
BIND_HOST=0.0.0.0
BIND_PORT=7790
# Mealie (mealie.example.com is already wired with Authentik OIDC)
# Mealie
MEALIE_BASE_URL=https://mealie.example.com
MEALIE_API_TOKEN=
# clawdforge (centralized claude-runner service)
# clawdforge (claude-runner HTTP service)
CLAWDFORGE_URL=http://clawdforge:8800
CLAWDFORGE_TOKEN=
DEFAULT_MODEL=sonnet
@ -22,13 +21,14 @@ DEFAULT_TIMEOUT_SECS=120
# Admin bearer for batch ops (sterilize-all, etc.) — separate from user OIDC
ADMIN_BEARER=change-me-this-is-the-cauldron-admin-batch-token
# Authentik OIDC (provisioned 2026-04-28; client_id + secret minted by Authentik)
# Authentik OIDC (or any OIDC provider that exposes
# /.well-known/openid-configuration)
OIDC_ISSUER=https://auth.example.com/application/o/cauldron/
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URI=http://0.0.0.0:7790/auth/callback
OIDC_REDIRECT_URI=http://localhost:7790/auth/callback
# DB (mariadb on the sulkta bridge)
# DB
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=cauldron
@ -39,28 +39,26 @@ DB_PASSWORD=
# Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
CAULDRON_FERNET_KEY=
# --- Public-deploy hardening (added 2026-05-02 CVE audit) ---
# Comma-separated list of authentik subjects who get the operator-tier
# /me admin tools panel (consolidate, discover scrape). Empty = nobody.
# Alice's authentik sub goes here for production.
# --- Public-deploy hardening ---
# Comma-separated list of OIDC subjects who get the operator-tier /me
# admin tools panel (consolidate, discover scrape). Empty = nobody.
CAULDRON_ADMIN_SUBS=
# External base URL where cauldron is reachable. Set to your public host
# (e.g. https://cauldron.example.com) when going public; leave empty for
# LAN-only HTTP. When set: enables CSRF Origin guard, HSTS, secure cookie.
# External base URL where cauldron is reachable (e.g. https://cauldron.example.com).
# Leave empty for LAN-only HTTP. When set: enables CSRF Origin guard,
# HSTS, secure cookie.
CAULDRON_BASE_URL=
# Whether the deploy is fronted by TLS (the reverse proxy apache → cauldron over
# the container network). Independent toggle from base_url so dev/staging can override.
# When true: SESSION_COOKIE_SECURE=True, HSTS header emitted.
# Whether the deploy is fronted by TLS. Independent toggle from base_url
# so dev/staging can override. When true: SESSION_COOKIE_SECURE=True,
# HSTS header emitted.
CAULDRON_BEHIND_TLS=false
# Comma-separated CIDR list of trusted proxies whose X-Forwarded-* we
# honor. Empty = trust nothing → ProxyFix is OFF and X-Forwarded-* are
# stripped from every request. For the reverse-proxy→app deploy,
# set this to the reverse proxy's internal IP (e.g. 10.20.30.1/32). Any
# X-Forwarded-* from a peer outside this list gets dropped before
# ProxyFix sees it.
# stripped from every request. Set this to the reverse-proxy peer's
# address (e.g. 10.20.30.1/32). Any X-Forwarded-* from a peer outside
# this list gets dropped before ProxyFix sees it.
CAULDRON_TRUSTED_PROXIES=
# bugs.sulkta.com integration. Per-service key minted via: