Kassinão v1.4.10
Immutable
release. Only release title and notes can be modified.
Added
- A separate
sharedproduction host adapter supports trusted same-operator workloads on one VPS without installing a Docker service drop-in or restarting the global Docker daemon. It usesdocker-compose.shared.yml, a LUKS2 file container mounted at the private data root, Kassinão-scoped host controls, the existing release deployer, and a read-only shared-host audit. migrate-shared-storage.shcopies an idle, exact plaintext runtime tree into a newly opened LUKS mapper, checks content and metadata before and after the mount switch, and preserves the original tree for explicit rollback and later private destruction.check-shared-migration-rollback.shvalidates fresh, pending, and purged migration states before deploy, backup, health, full audit, and host-control removal.finalize-shared-migration.shverifies the preserved tree against the encrypted manifest, removes the logical plaintext copy only under explicit confirmation, and publishes a sealed purged receipt without claiming forensic erasure.uninstall-shared-host-controls.shremoves only the verified shared-host controls after explicit confirmation, without stopping containers, restarting Docker, or deleting the release, encrypted storage, backing file, or secrets.
Changed
- Production configuration now selects
KASSINAO_HOST_SCOPE=dedicated|shared. The dedicated adapter remains the default and keeps its explicit dedicated-host acknowledgement; the shared adapter requires that acknowledgement to remain empty. Both adapters keep Git checkout and application source code off Kassinão's VPS paths and consume the verified operations bundle plus digest-pinned OCI image rather than cloning or building the project from Git. The bundle still contains public sealed Shell/Python controls, secret-free templates, and native runtimes; the shared adapter makes no source-layout claim about trusted neighboring workloads outside its boundary. - In shared mode,
app.envand the optional Cloudflare Tunnel token now live under the encrypted data root and reach only their intended container through read-only bind mounts. They are absent from the release environment and DockerConfig.Env. - README, security guidance, and bilingual product documentation now distinguish four configured HTTPS origins from their three-or-four hostnames, keep external origins separate from internal tunnel targets, and provide complete new-install, migration, finalization, and adapter-specific removal flows for an existing trusted shared VPS.
kassinao-mcp@1.0.8keeps the macOS process-identity probe on an exact, non-secret environment while preserving the existing fail-closed credential lock.
Security
- Official app containers now start through a multi-architecture static no-dump launcher. A constructor reapplies
PR_SET_DUMPABLE=0after each dynamicexecve; every service keeps a hard core limit, while app processes and the shared tunnel launcher also enforce a zero coredump filter. Local media/transcription children no longer inherit application credentials or operator-controlled loader/TLS configuration, and the macOS MCP credential lock no longer forwards the client environment tops. - Privileged operations scripts self-reexec through the architecture-matched runtime sealed in the operations-only bundle before reading secrets. The helper verifies the root-owned bundle, complete manifest, hashes, metadata, target script, and native ELF architecture before accepting its preload.
- The shared-host audit requires the privately managed, reboot-persistent host-global pair
kernel.core_pattern=/dev/nullandfs.suid_dumpable=0before runtime. The repository verifies but does not mutate these settings; prior values, neighbor impact, and recovery remain in the private instance runbook. - Shared-host containers use positive memory limits with
MemorySwap=Memory, swappiness0, and restart policyno, so they cannot silently restart before encrypted storage and scoped egress gates pass after a reboot. - The shared storage verifier proves the configured backing file, loop device, LUKS2 mapper/UUID, exact mount, safe mount flags, private runtime directories, and mount sentinel. Backing paths, mapper/UUID values, unlock material, secrets, and organization runbooks remain private instance configuration.
- A shared plaintext migration creates an encrypted pending marker with a bounded 1-168 hour deadline. An inconsistent or expired pending state fails closed; after independent application and backup validation, explicit finalization publishes the purged receipt. Logical deletion does not imply secure erase from SSDs, journals, snapshots, backups, or provider storage.
- The shared-host preflight reserves Kassinão's project, names, Linux bridges, Docker networks, protected paths, mounts, and environment allowlists before mutation. It rejects foreign privileged/device/Docker access, all added capabilities, host or container namespaces,
volumes-from, protected-storage overlap, or Kassinão-network membership. This adapter does not claim protection against host root, Docker administrators, or the infrastructure/hypervisor operator. - Privileged controls resolve each expected container to its immutable Docker ID, validate the exact Compose project and service labels, revalidate immediately before mutation, and then act only on that ID. A foreign container squatting on a reserved name fails closed before firewall or lifecycle changes.
- Full shared-host audits now require all three containers to be running, both application surfaces to be healthy, and their process limits and bounded
json-filerotation to match the release exactly. Host-control removal re-runs an ownership preflight immediately before its first mutation and refuses partial or foreign topology. - Health-watch failures trigger the fail-closed egress containment unit instead of leaving a failed shared instance reachable until the next timer run.
- Generic bot DMs no longer disclose the private app or MCP connection origin. Recording-specific DMs still revalidate current membership and ACL before sending a private link.
Imagem OCI multiarch por digest: ghcr.io/resolvicomai/kassinao@sha256:fdea5cc904c68110be81966f3cd5f9661010050e81a5d7498026c82d0203bb1d.
O kit operacional não contém checkout Git, código-fonte da aplicação nem credenciais; ele contém controles operacionais públicos selados, templates sem segredos e runtimes nativos. Verifique checksum e attestations antes do deploy. A imagem final passou pelo gate Trivy atual em amd64 e arm64.