Security
- Enforce 16-byte AES-GCM authentication tags and strict encrypted-payload validation.
- Make setup-token creation race-free and keep data directories, database files, instance secrets, and setup tokens private by default.
- Bound correlation IDs, redact credentials from errors and events, disable API response caching, and apply instance-wide admin authentication throttling.
- Cancel expired QR login polling and reject stale authentication events.
- Validate proxy trust as an exact hop count or trusted IP/CIDR list; use
TRUST_PROXY=1for one reverse proxy.
Container and supply chain
- Pin Node.js 22.23.1 by multi-architecture digest and remove npm, Corepack, and Yarn from the runtime image.
- Run with UID/GID 10001, a read-only root filesystem, all capabilities dropped, and a 256-process limit.
- Gate releases with dependency audit, Trivy HIGH/CRITICAL scanning, amd64 smoke tests, and SHA-pinned GitHub Actions.
- Publish linux/amd64 and linux/arm64 images with SBOM, provenance, and GitHub artifact attestations.
Deployment
- GHCR tags:
1.0.3,1.0, andlatest. - The included Compose files are updated for VPS and Unraid deployments, including safer backups and a Community Apps template.
- Existing clones must rebase or clone again because historical commit metadata and earlier release tags were rewritten to remove a private author email. File contents of the rewritten commits are unchanged.
Verify the image with:
gh attestation verify oci://ghcr.io/ill-yes/steam-bee:1.0.3 --repo ill-yes/steam-bee