v0.5.16 — dashboard hardening + audit journal
Security hardening release. Pure additive: no behaviour regressions,
no breaking API changes.
Added
- Dashboard hardening middleware (
coolstep/dashboard/security.py)
— validates the HTTPHostheader on every request and theOrigin
/Sec-Fetch-Siteheaders on mutating endpoints. Non-browser clients
(curl, systemd timers, internal CLI) are unaffected. coolstep-dashboard --allow-publicbind guard. Non-loopback
--hostnow requires the explicit flag.--allow-host <fqdn>
extends theHostallowlist for reverse-proxy deployments.- Mode-switch audit journal —
/api/mode/{cool,quiet,off}append
toactuator-journal.jsonlwith prior mode + peer +X-Forwarded-For.
Surfaced by/api/actuator-journalandcoolstep inspect. SECURITY.md+docs/security.md— single-user trust model + how
to plug an authentication layer upstream.docs/headless-deployment.md— SSH-tunnel, reverse-proxy-with-auth,
and WireGuard deployment patterns.- README § 08 — short pointer to the security model.
Trust model
coolstep is a single-user local daemon. The dashboard binds
127.0.0.1:18889 by default; loopback is the gate. Authentication for
remote exposure is the operator's choice — the daemon stays small-scope
and pluggable. See docs/security.md for the
recommended patterns.
Tests
19 new cases in tests/dashboard/test_security.py covering middleware
behaviour, bind guard, and audit journal. 908/908 green.
Diff
12 files, +808 / −18 LOC vs v0.5.15. No data/ or internal files.