fix(ca): make CA path configurable and prevent encrypted keys
All checks were successful
CI Pipeline / Rust Format Check (push) Successful in 4s
CI Pipeline / Clippy Lints (push) Successful in 53s
CI Pipeline / Rust Unit Tests (push) Successful in 1m11s
CI Pipeline / Security Audit (push) Successful in 4s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 14s
CI Pipeline / Build .deb & Release (push) Has been skipped
- main.rs: use config.security.ca_cert_path parent directory instead of hardcoded /etc/patch-manager/ca for CA initialization.
- config.example.toml: add warning that CA key must be unencrypted PEM.
- This prevents silent generation of a second CA on fresh installs and ensures the manager always uses the configured CA.
@ -125,4 +125,17 @@ The Docker container intercepted some jobs and ran them in its Alpine environmen
**Fix:** Added `img-src 'self' data:;` to the CSP directive.
**Rule:** When someone says 'it's just a display issue,' focus on the code (CSP, CSS, rendering) — not infrastructure (caching, proxies, deployment).
**Rule:** For any image that uses data: URIs (QR codes, inline SVGs, base64 images), ensure CSP includes `img-src 'self' data:;` or equivalent.
**Status:** Active
**Status:** Active

## 2026-05-18: Credential Bootstrap — Systemic Fix for Recurring Auth Failures
**Pattern:** SSH keys and Vaultwarden access lost on every container restart. Repeated auth failures at session start across multiple sessions.
**Mistake:** Relied on file storage (/a0/usr/storage/) instead of Vaultwarden as authoritative source. Didn't verify credentials before attempting SSH. Vaultwarden-secrets skill was missing from /a0/skills/.
**Correction:** Kelly identified this as a systemic issue, not isolated incidents.
**Fix applied:**
1. Restored vaultwarden-secrets skill to /a0/skills/ from gitea repo
2. Added Session Bootstrap section to 01-identity.md — auto-verify SSH keys, vw_client.py, bw CLI, and gitea key at chat start
3. Updated Credential Type Registry in 02-architecture.md — Vaultwarden is authoritative source, /a0/usr/storage/ is backup only
4. Installed pycryptodome dependency for vw_client.py
**Rule:** At session start, run bootstrap checks silently. If ~/.ssh/id_ed25519 missing, retrieve from Vaultwarden via vw_client.py (not from file storage).
**Rule:** vw_client.py is primary (sub-second). bw CLI is fallback only (9-12s per operation).
**Status:** Active

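Review bot: the bootstrap rule "If ~/.ssh/id_ed25519 missing, retrieve from Vaultwarden via vw_client.py" writes a private key to disk at session start but says nothing about the file mode it is written with, and the same change keeps /a0/usr/storage/ as a "backup" copy of the credentials it just declared non-authoritative; please state in the rule that the key is written 0600 (and ~/.ssh 0700) and either drop the file-storage copy or say what protects it, since a plaintext backup of the same key re-creates the exposure the Vaultwarden-first rule was meant to remove. Two smaller points: "run bootstrap checks silently" should still record a failure somewhere, otherwise the recurring auth failures this entry documents will again surface only as a broken SSH session; and the hunk shown here edits a lessons-learned markdown file, whereas the commit message describes changes to main.rs and config.example.toml, so either the message is stale or those changes are not in this commit and should be split out or referenced explicitly.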