diff --git a/.gitattributes b/.gitattributes index dcb9ec8..397178a 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,4 +1,5 @@ * text=auto eol=lf +*.sh text eol=lf *.png binary *.jpg binary diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..4292259 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,24 @@ +# Default review owner. This routes review; it does not create independence. +* @s00ly + +# Repository policy and automation. +/.github/** @s00ly +/LICENSE @s00ly +/DCO @s00ly +/GOVERNANCE.md @s00ly +/MAINTAINERS.md @s00ly +/CODE_OF_CONDUCT.md @s00ly +/BRAND_POLICY.md @s00ly + +# Security-sensitive implementation and release boundaries. +/cmd/netbroker/** @s00ly +/internal/auth/** @s00ly +/internal/egress/** @s00ly +/internal/secure/** @s00ly +/internal/store/** @s00ly +/deploy/** @s00ly +/infra/** @s00ly +/docs/SECURITY.md @s00ly +/docs/THREAT_MODEL.md @s00ly +/docs/VERIFICATION.md @s00ly +/scripts/** @s00ly diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..47933d2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,76 @@ +name: Dry-run bug report +description: Report a reproducible, non-exploitable defect in the dry-run repository. +title: "[Bug]: " +body: + - type: markdown + attributes: + value: | + Do not disclose vulnerabilities, credentials, private account identifiers, production VPN configuration, sensitive packet captures, or exploit paths here. Use GitHub Private Vulnerability Reporting instead. + - type: checkboxes + id: public_safety + attributes: + label: Public-report safety + options: + - label: This report contains no secret, real credential, private identifier, production configuration, sensitive capture, or exploitable detail. + required: true + - label: I reproduced this in a disposable dry-run environment without third-party accounts or infrastructure. + required: true + - type: input + id: commit + attributes: + label: Commit + description: Exact commit SHA or branch tested. + placeholder: a full Git commit SHA + validations: + required: true + - type: textarea + id: environment + attributes: + label: Sanitized environment + description: OS, architecture, Go version, and relevant dry-run settings. Do not paste an environment dump. + placeholder: Windows 11, amd64, Go 1.26.5, IVPN_DRY_RUN=true + validations: + required: true + - type: textarea + id: steps + attributes: + label: Reproduction + description: Minimal steps using synthetic data only. + validations: + required: true + - type: textarea + id: expected + attributes: + label: Expected result + validations: + required: true + - type: textarea + id: observed + attributes: + label: Observed result + description: Include sanitized error codes, not raw remote responses or secrets. + validations: + required: true + - type: textarea + id: evidence + attributes: + label: Verification evidence + description: List exact commands and sanitized output that support the report. + validations: + required: true + - type: dropdown + id: trust_boundary + attributes: + label: Affected boundary + options: + - UI or accessibility + - Approval or state machine + - Authentication or session + - Encrypted storage or retention + - Egress selection or broker contract + - X protocol dry-run module + - Nostr protocol dry-run module + - Build, CI, or documentation + - Unknown + validations: + required: true diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..0e1f34f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: Private vulnerability report + url: https://github.com/s00ly/nomadposting/security/advisories/new + about: Report exploitable security issues privately. Do not include secrets unless requested. + - name: Security policy and research boundaries + url: https://github.com/s00ly/nomadposting/blob/main/docs/SECURITY.md + about: Read the authorized-testing and disclosure requirements before reporting. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..f672ebc --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,52 @@ +name: Feature proposal +description: Propose an in-scope feature with security and privacy effects. +title: "[Feature]: " +body: + - type: markdown + attributes: + value: | + NomadPosting supports one operator, one X account through a stable France exit, one Nostr identity with approved country rotation, and official APIs only. Proposals for account fleets, browser or cookie automation, CAPTCHA handling, residential proxies, misleading location claims, platform-control circumvention, nsec storage, or blind resend are out of scope. + - type: checkboxes + id: scope + attributes: + label: Scope confirmation + options: + - label: This proposal stays within the documented single-account, official-API, fail-closed boundaries. + required: true + - label: This issue contains no secret, real credential, private identifier, production configuration, or exploitable detail. + required: true + - type: textarea + id: problem + attributes: + label: Problem + description: Describe the user or verification problem, not only a preferred implementation. + validations: + required: true + - type: textarea + id: acceptance + attributes: + label: Acceptance evidence + description: Name observable behavior and reproducible proof. + validations: + required: true + - type: textarea + id: security + attributes: + label: Security and privacy impact + description: Name affected trust boundaries, data, credentials, egress, logs, and failure states. + validations: + required: true + - type: textarea + id: alternatives + attributes: + label: Alternatives and dependencies + description: Compare simpler approaches and identify any proposed dependency. + validations: + required: true + - type: textarea + id: non_goals + attributes: + label: Non-goals + description: State what the proposal will not do or claim. + validations: + required: true diff --git a/.github/ISSUE_TEMPLATE/threat_model_review.yml b/.github/ISSUE_TEMPLATE/threat_model_review.yml new file mode 100644 index 0000000..310f6ce --- /dev/null +++ b/.github/ISSUE_TEMPLATE/threat_model_review.yml @@ -0,0 +1,49 @@ +name: Threat-model challenge +description: Challenge a trust boundary, abuse case, residual risk, or release proof. +title: "[Threat model]: " +body: + - type: markdown + attributes: + value: | + Public issues are for non-exploitable design review. Submit vulnerabilities privately. Do not test X, Nostr relays, VPN providers, cloud systems, accounts, or other third-party infrastructure without authorization. + - type: checkboxes + id: public_safety + attributes: + label: Public-report safety + options: + - label: This proposal contains no exploitable detail, secret, private identifier, or unauthorized third-party test result. + required: true + - type: input + id: document + attributes: + label: Document or code reference + description: Link the exact section, file, or commit. + validations: + required: true + - type: textarea + id: hypothesis + attributes: + label: Hypothesis + description: State the possible failure or false assumption without presenting it as confirmed. + validations: + required: true + - type: textarea + id: assets + attributes: + label: Assets and actors + description: Name the affected asset, attacker capability, and trust boundary. + validations: + required: true + - type: textarea + id: proof + attributes: + label: Safe proof plan + description: Describe a disposable, authorized test that could confirm or reject the hypothesis. + validations: + required: true + - type: textarea + id: impact + attributes: + label: Potential impact and fail-closed expectation + validations: + required: true diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..90dfa80 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,39 @@ +## Summary + +Describe the behavior changed and why. + +## Linked decision + +Link the issue, release gate, or ADR. Explain why this belongs in the current +scope. + +## Trust-boundary impact + +Name affected credentials, network paths, stored data, user claims, and failure +states. Write `None` only after checking the threat model. + +## Dependency decision + +For each added or upgraded dependency, compare alternatives, maintenance, +license, vulnerabilities, transitive footprint, network behavior, CI access, +and compromise blast radius. Write `None` if no dependency changed. + +## Verification + +List exact commands, environments, artifacts, and results. + +## Release effect + +State which release gates remain open. Do not claim live or production +readiness unless every required artifact is linked. + +## Checklist + +- [ ] Tests and documentation match the changed behavior. +- [ ] No secret, private key, token, or exploitable detail is included. +- [ ] New dependencies include alternatives, license, security, and blast-radius review. +- [ ] Security-sensitive changes name the threat, trust boundary, and negative tests. +- [ ] Medium-or-higher findings reopened the affected adversarial rounds. +- [ ] User-facing privacy, location, and readiness claims are evidence-backed. +- [ ] Relevant threat model, security policy, ADR, deployment, and verification records are updated. +- [ ] Every commit has the author-matching `Signed-off-by:` trailer required by the DCO. diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 22a0db7..9712d0e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,13 @@ jobs: - name: Verify module checksums run: go mod verify + - name: Test DCO enforcement + run: bash ./scripts/check-dco-tests.sh + + - name: Check dependency licenses + timeout-minutes: 5 + run: bash ./scripts/check-licenses.sh + - name: Reject unformatted Go run: test -z "$(gofmt -l ./cmd ./internal)" diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml new file mode 100644 index 0000000..61e42c7 --- /dev/null +++ b/.github/workflows/dco.yml @@ -0,0 +1,27 @@ +name: dco + +on: + pull_request: + +permissions: + contents: read + +jobs: + signoff: + runs-on: ubuntu-24.04 + timeout-minutes: 5 + steps: + - name: Checkout full history + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Test DCO enforcement + run: bash ./scripts/check-dco-tests.sh + + - name: Verify DCO sign-offs + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: bash ./scripts/check-dco.sh "$BASE_SHA" "$HEAD_SHA" diff --git a/BRAND_POLICY.md b/BRAND_POLICY.md new file mode 100644 index 0000000..c37dab8 --- /dev/null +++ b/BRAND_POLICY.md @@ -0,0 +1,29 @@ +# NomadPosting Name and Provenance Policy + +The AGPL governs software rights. It does not grant a right to imply that a +modified build, service, organization, or security assessment is official or +endorsed by this repository. + +## Accurate descriptive use + +Forks and reviews may truthfully say that they are based on NomadPosting, link +to this repository, identify the commit used, and describe their changes. + +Modified versions should use a distinct name and presentation when a reasonable +user could otherwise mistake them for an official project build or service. +They must not claim that this project's maintainers reviewed, secured, +certified, or endorsed the modification unless that statement is documented by +the maintainers. + +## Official status + +Official project state is limited to the `s00ly/nomadposting` repository and +release artifacts explicitly published from it. No production release exists +today. A fork, mirror, package, deployment, or social account is not official +merely because it uses the same code or name. + +## Scope + +This policy protects accurate provenance. It is not an additional restriction +on using, studying, modifying, or sharing the AGPL-covered software. It does +not claim that any name or logo is registered as a trademark. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..a7d0fa2 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,115 @@ +# Code of Conduct + +## Our pledge + +We pledge to make participation in NomadPosting a harassment-free experience +for everyone, regardless of age, body size, visible or invisible disability, +ethnicity, sex characteristics, gender identity and expression, level of +experience, education, socioeconomic status, nationality, personal appearance, +race, caste, color, religion, or sexual identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our standards + +Examples of behavior that contributes to a positive environment include: + +- demonstrating empathy and kindness toward other people; +- respecting differing opinions, viewpoints, and experiences; +- giving and gracefully accepting constructive feedback; +- accepting responsibility and apologizing to those affected by our mistakes; +- focusing on what is best for the overall community. + +Examples of unacceptable behavior include: + +- sexualized language or imagery, sexual attention, or advances of any kind; +- trolling, insulting or derogatory comments, and personal or political attacks; +- public or private harassment; +- publishing another person's private information without explicit permission; +- other conduct that could reasonably be considered inappropriate in a + professional setting. + +## Enforcement responsibilities + +Project maintainers are responsible for clarifying and enforcing these +standards. They may remove, edit, or reject comments, commits, code, wiki edits, +issues, and other contributions that are not aligned with this Code of Conduct. +They will communicate reasons for moderation decisions when appropriate. + +## Scope + +This Code of Conduct applies within all project spaces and when an individual is +officially representing the project in public spaces. Examples include using an +official project account or acting as an appointed representative at an event. + +## Reporting + +Report Code of Conduct concerns privately to +[yloos@protonmail.com](mailto:yloos@protonmail.com). Include enough context to +understand the incident, but do not send credentials, private keys, or other +unnecessary sensitive data. + +This address is for conduct matters only. Report vulnerabilities through +[GitHub Private Vulnerability Reporting](https://github.com/s00ly/nomadposting/security/advisories/new) +as described in [the security policy](docs/SECURITY.md). + +NomadPosting currently has one maintainer. Reports involving that maintainer do +not yet have an independent internal escalation path. In that case, use +[GitHub's private abuse-reporting channel](https://support.github.com/contact/report-abuse) +when the conduct is within GitHub's scope. This limitation is documented rather +than promising independence the project cannot currently provide. + +The maintainer will respect the privacy and security of a reporter as far as +reasonably possible. Absolute confidentiality cannot be promised when disclosure +is required by law or needed to prevent imminent harm. + +## Enforcement guidelines + +The maintainer will use these community impact guidelines when determining the +consequences of an action: + +### 1. Correction + +**Community impact:** Use of inappropriate language or other behavior deemed +unprofessional or unwelcome. + +**Consequence:** A private written warning explaining the violation and why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community impact:** A violation through a single incident or series of +actions. + +**Consequence:** A warning with consequences for continued behavior. The person +may be prohibited from interacting with the people involved, including +unsolicited contact with those enforcing this Code of Conduct, for a stated +period. Violating these terms may lead to a temporary or permanent ban. + +### 3. Temporary ban + +**Community impact:** A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence:** A temporary ban from any interaction or public communication +with the project for a stated period. Violating the ban may lead to a permanent +ban. + +### 4. Permanent ban + +**Community impact:** A pattern of violating community standards, sustained +harassment, aggression toward individuals, or disparagement of classes of +individuals. + +**Consequence:** A permanent ban from public interaction within the project. + +## Attribution + +This Code of Conduct is adapted from the +[Contributor Covenant, version 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/), +available under the +[Creative Commons Attribution 4.0 International license](https://creativecommons.org/licenses/by/4.0/). + +The enforcement ladder was inspired by +[Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity). diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..5cd2202 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,141 @@ +# Contributing to NomadPosting + +NomadPosting welcomes design reviews, tests, documentation, and code that make +its privacy and safety boundaries easier to verify. The repository is a +dry-run research preview. Do not use real platform, VPN, signer, cloud, or user +credentials while developing or testing it. + +Read the [threat model](docs/THREAT_MODEL.md), +[security policy](docs/SECURITY.md), +[verification record](docs/VERIFICATION.md), and +[governance policy](GOVERNANCE.md) before changing behavior. + +## Before opening an issue + +- Use a public issue for reproducible dry-run bugs, non-exploitable design + questions, feature proposals, and threat-model challenges. +- Do not disclose a vulnerability, credential, private account identifier, + production configuration, sensitive packet capture, or exploit path in an + issue. Follow the private process in + [docs/SECURITY.md](docs/SECURITY.md). +- Search existing issues and verification gates before filing a duplicate. +- State what you observed and what evidence would prove the desired result. + +## Contribution terms + +Contributions are accepted under the same +[AGPL-3.0-or-later](LICENSE) terms as the project. The project uses the +[Developer Certificate of Origin 1.1](DCO) and does not require a Contributor +License Agreement or copyright assignment. + +Every commit made after DCO adoption must include a `Signed-off-by:` trailer +matching the commit author. Add it automatically with: + +```sh +git commit -s +``` + +The sign-off certifies the statements in the DCO. It is not a decorative +footer. The name and email become part of permanent public Git history, so use +an identity you are authorized to publish. Every co-author must provide a +matching sign-off. + +If a commit is missing its sign-off, amend or rebase that commit. Do not add a +later commit that purports to sign an earlier one. The `dco / signoff` check +rejects unsigned commits after the adoption point. + +## Development workflow + +1. Start from the current default branch and create a focused topic branch. +2. Add a failing test or reproducible check before fixing a defect when + practical. +3. Keep the change limited to one reviewable purpose. +4. Update every security, threat-model, deployment, and verification claim + affected by the change. +5. Commit with `git commit -s` and open a pull request using the repository + template. + +The Linux security baseline and CI run: + +```sh +gofmt -w ./cmd ./internal +go mod verify +bash ./scripts/check-dco-tests.sh +bash ./scripts/check-licenses.sh +go test -race -count=1 ./... +go vet ./... +go run golang.org/x/vuln/cmd/govulncheck@v1.6.0 ./... +``` + +On Windows, the race detector may require a supported CGO compiler. Run the +non-race test suite locally and treat the pinned Ubuntu CI result as the race +gate. A local build is not evidence that Linux network isolation works. + +## Change standard + +A pull request must: + +- explain the behavior, trust boundary, failure state, and user-visible claim; +- include tests or reproducible evidence proportional to risk; +- preserve fail-closed behavior and the single-account, official-API scope; +- update relevant threat-model, security, deployment, ADR, or verification + documents; +- pass formatting, tests, static analysis, vulnerability, + dependency-license, and DCO checks without bypasses; +- contain no secret, real credential, production VPN configuration, private + account identifier, or unredacted sensitive capture. + +Do not use `--no-verify`, expected-failure markers, swallowed errors, hardcoded +test bypasses, browser or cookie automation, residential proxies, or +enforcement-evasion behavior. Medium-or-higher security or privacy findings +reopen the affected verification work and reset all three production +adversarial rounds. + +## Security-sensitive changes + +Changes affecting authentication, cryptography, secrets, network egress, +signing, platform transports, state reconciliation, logging, retention, +deployment, CI, or release claims require: + +- a named threat and trust boundary; +- negative tests for failure and abuse paths; +- an ADR when the security boundary or accepted residual risk changes; +- independent qualified review before any live release; +- updated evidence in `docs/VERIFICATION.md`. + +The project currently has one maintainer. `CODEOWNERS` routes review but does +not create independent review. No live security gate may be marked complete +until a qualified reviewer other than the change author records evidence. + +## Dependencies + +Before adding or upgrading a dependency, document: + +- standard-library and operating-system alternatives; +- maintenance activity and release provenance; +- direct and transitive footprint; +- license and compatibility; +- published and reachable vulnerabilities; +- build scripts, network behavior, and CI permissions; +- compromise blast radius and a removal or replacement path. + +Record the comparison and decision in the pull request or an ADR. Pin the +selected version, update the dependency-license report, and rerun the license +and vulnerability scanners. No allowlist exception may be added merely to make +CI green. + +## Documentation and claims + +Use present tense only for behavior proven in the current tree. Label designs, +scaffolds, mocks, dry-run modules, and future architecture explicitly. Never +describe a VPN exit country as physical location, promise anonymity, or claim +production readiness without the named release evidence. + +## Review and merge + +Maintainers may request smaller commits, additional tests, an ADR, or a fresh +threat-model review. Required checks and review conversations must resolve +before merge. Security-sensitive work remains blocked from live release until +the independent-review and adversarial-round requirements are satisfied. + +All contributors must follow the [Code of Conduct](CODE_OF_CONDUCT.md). diff --git a/DCO b/DCO new file mode 100644 index 0000000..49b8cb0 --- /dev/null +++ b/DCO @@ -0,0 +1,34 @@ +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. diff --git a/GOVERNANCE.md b/GOVERNANCE.md new file mode 100644 index 0000000..5390389 --- /dev/null +++ b/GOVERNANCE.md @@ -0,0 +1,122 @@ +# NomadPosting Governance + +This policy describes how decisions are made in the NomadPosting repository. +It does not weaken the license, security policy, or release gates. + +## Current structure + +NomadPosting currently has one active maintainer. That is a bus-factor and +independent-review limitation, not a committee. The current maintainer is +listed in [MAINTAINERS.md](MAINTAINERS.md). + +The roles are: + +- **Contributor:** submits issues, reviews, tests, documentation, or signed-off + code. +- **Reviewer:** provides evidence-backed review in an area of demonstrated + competence. Reviewers do not receive merge or security-advisory access by + default. +- **Maintainer:** triages work, protects repository scope, merges changes, + administers releases, and applies this governance policy. +- **Security maintainer:** can access private advisories, coordinate embargoed + fixes, revoke a release, and restart adversarial verification. + +## Decision process + +Routine decisions are made in public issues and pull requests. Maintainers +should seek rough consensus, name material objections, and record why an option +was chosen. The active maintainer is the tie-breaker while the project has only +one maintainer. + +An ADR is required for changes to: + +- supported accounts, platforms, or public product scope; +- authentication, signing, secret custody, network isolation, or egress policy; +- retention, logging, recovery, or ambiguous-result handling; +- release gates or accepted residual risk; +- project license, contribution terms, or a material dependency. + +Security and privacy claims require reproducible evidence. Popularity, +perception scores, and a successful build are not substitutes. + +## Merge authority + +Maintainers may merge only when required checks pass, review conversations are +resolved, DCO sign-offs are valid, and the change is within documented scope. +An administrator bypass does not turn a failed check into acceptable evidence. + +Security-sensitive changes require qualified review independent of the change +author before they can close a live release gate. Until the project has a +second qualified reviewer, such changes may be merged as disabled or dry-run +scaffolding only when they remain fail closed and are described truthfully. + +## Maintainer selection + +A contributor may be nominated as a maintainer after demonstrating sustained, +constructive work across at least three substantive contributions over at least +90 days. Evidence should include: + +- sound judgment inside the security and anti-evasion boundaries; +- accurate review and documentation; +- timely handling of feedback and conflicts; +- DCO compliance and careful secret handling; +- no unresolved pattern of bypassing release controls. + +The active maintainer records the nomination in a public issue, allows at least +seven days for objections, resolves material concerns, and updates +`MAINTAINERS.md` and `CODEOWNERS` in a reviewed pull request. + +## Inactivity and removal + +A maintainer may mark themselves inactive at any time. A maintainer who has not +participated for 90 days should be asked privately whether they intend to +remain active. Inactivity alone is not misconduct. + +Access may be suspended immediately when credentials, advisories, releases, or +users are at risk. Permanent removal requires a written record of the reason, +an opportunity to respond when safe, and review by every other unconflicted +active maintainer. With only one maintainer, an independent trusted reviewer +should examine any contested removal before it is finalized. + +## Conflicts of interest + +Reviewers and maintainers disclose financial, employment, vendor, or personal +interests that could reasonably affect a decision. A conflicted person should +not be the sole approver for dependency selection, vendor onboarding, +vulnerability handling, or enforcement involving that interest. + +## Security authority + +Security advisory access is limited to active security maintainers and invited +specialists who need the information. The security maintainer may stop a +release, revoke compromised artifacts, rotate credentials, coordinate private +fixes, and reset required adversarial rounds. + +Private vulnerability information is published only through coordinated +disclosure. A fixed network-served version must make its corresponding source +available no later than user-facing deployment under the AGPL. + +## License and contribution terms + +NomadPosting uses `AGPL-3.0-or-later`, DCO 1.1, contributor-retained copyright, +and no CLA. The DCO confirms provenance and the right to submit. It does not +assign copyright or give the project unilateral proprietary relicensing power. + +A license change requires: + +1. a public ADR explaining user-freedom, compatibility, contributor, patent, + and sustainability effects; +2. approval from every copyright holder whose permission is legally required; +3. a complete dependency-license review; +4. a migration plan that does not misstate or revoke rights already granted. + +## Succession + +Maintainers should keep recovery access, release procedures, and security +contacts current without storing secrets in the repository. If the sole +maintainer can no longer serve, they should nominate a successor through a +public governance issue and transfer sensitive access privately after identity +verification. + +If no maintainer remains, the repository is unmaintained. No contributor may +imply official maintainer or release authority merely by publishing a fork. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..be3f7b2 --- /dev/null +++ b/LICENSE @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/MAINTAINERS.md b/MAINTAINERS.md new file mode 100644 index 0000000..564dd2b --- /dev/null +++ b/MAINTAINERS.md @@ -0,0 +1,26 @@ +# Maintainers + +## Active maintainers + +| Maintainer | Areas | Security role | Status | +|---|---|---|---| +| [@s00ly](https://github.com/s00ly) | Repository, architecture, documentation, CI, releases | Private advisory triage and emergency release authority | Active | + +NomadPosting currently has one maintainer. `CODEOWNERS` routes review to that +maintainer but does not create independent review. Live security gates remain +blocked until a qualified reviewer other than the change author records the +required evidence. + +## Contact boundaries + +- Report vulnerabilities through + [GitHub Private Vulnerability Reporting](https://github.com/s00ly/nomadposting/security/advisories/new). +- Report Code of Conduct matters privately to + [yloos@protonmail.com](mailto:yloos@protonmail.com). +- Do not use either reporting channel for the other channel's purpose. +- Do not send credentials, VPN configurations, signer secrets, private account + identifiers, or unredacted captures unless a maintainer explicitly requests + the minimum necessary material through an appropriate private channel. + +Maintainer nomination, inactivity, removal, conflicts, and succession are +defined in [GOVERNANCE.md](GOVERNANCE.md). diff --git a/Makefile b/Makefile index 2d0753b..dcebb1d 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: build test vet format-check vuln sbom verify +.PHONY: build test vet format-check dco-test license vuln sbom verify build: go build -trimpath -o bin/ivpn-controller ./cmd/ivpn @@ -13,6 +13,12 @@ vet: format-check: @test -z "$$(gofmt -l ./cmd ./internal)" +dco-test: + bash ./scripts/check-dco-tests.sh + +license: + bash ./scripts/check-licenses.sh + vuln: go run golang.org/x/vuln/cmd/govulncheck@v1.6.0 ./... @@ -20,4 +26,4 @@ sbom: mkdir -p dist go list -m -json all > dist/go-modules.sbom.json -verify: format-check test vet vuln sbom +verify: format-check dco-test test vet license vuln sbom diff --git a/README.md b/README.md index f4072f4..4dcaa5b 100644 --- a/README.md +++ b/README.md @@ -1,83 +1,207 @@ -# iVPN private cross-poster +
-iVPN is a single-operator Go control plane for approving one exact text payload for X, Nostr, or both. It is designed around fail-closed egress, private routing metadata, and honest location semantics. +# NomadPosting -**Current safety state: dry-run only.** The application refuses `IVPN_DRY_RUN=false`. X OAuth, the official X create-post connector, NIP-46 boundaries, Nostr quorum logic, country selection, the broker contract, and infrastructure topology exist, but real Linux namespace execution is deliberately disabled until packet-capture evidence proves there is no direct fallback. +**Building a cross-poster that fails closed.** -VPN egress changes network origin. It does not hide X credentials, a Nostr pubkey, content, timing, or account identity, and the app never claims the operator was physically in an exit country. +[![verify](https://github.com/s00ly/nomadposting/actions/workflows/ci.yml/badge.svg)](https://github.com/s00ly/nomadposting/actions/workflows/ci.yml) -## What is implemented +Proof-oriented cross-posting research for Nostr and X, written in Go. -- Go 1.26.5 control plane with server-rendered HTML and SQLite WAL. -- Two-passkey production readiness policy, WebAuthn ceremonies, strict sessions, and CSRF checks. -- AES-256-GCM envelope encryption with a fresh data key per draft, auth record, receipt, audit event, and X OAuth token record. -- One-time offline recovery-code rotation and failure rate limiting; the code is shown only when generated. -- Exact normalized-payload preview, SHA-256 approval binding, optional scheduling, cancellation, emergency stop, and manual reconciliation without blind resend. -- Official `POST https://api.x.com/2/tweets` connector, fixed endpoint, no `geo`, bounded responses, one refresh after a definitive 401, 429 reset handling, and `UNKNOWN` on ambiguous transport results. -- OAuth 2.0 Authorization Code with S256 PKCE using only `tweet.read`, `tweet.write`, `users.read`, and `offline.access`; encrypted token persistence and official revocation. -- NIP-01 canonical event IDs, NIP-46 kind restrictions, NIP-42 relay/challenge binding, one signature reused across three reviewed relays, and a two-relay quorum. -- CSPRNG Nostr country selection, no adjacent country repeat, three-country minimum, and a fixed France policy for X. -- Registry-only broker requests. Arbitrary commands, routes, paths, addresses, and shell fragments are not representable. -- Orange, purple, and graphite-gray cypherpunk UI with system fonts, visible focus, reduced motion, label-plus-color states, and no pre-dispatch country disclosure. -- Seven-day deletion of resolved job metadata and receipts while unresolved `UNKNOWN` and `PARTIAL` jobs remain available for reconciliation. +[Threat model](docs/THREAT_MODEL.md) · [Security policy](docs/SECURITY.md) · [Verification record](docs/VERIFICATION.md) · [Deployment boundary](deploy/DEPLOYMENT.md) · [Contributing](CONTRIBUTING.md) · [Governance](GOVERNANCE.md) -## Architecture +
+ +> [!CAUTION] +> **Research preview: dry-run only.** NomadPosting cannot publish posts or protect live credentials today. The controller rejects `IVPN_DRY_RUN=false`, and the privileged network executor is deliberately disabled until Linux packet captures prove zero direct fallback. Do not use real credentials. + +NomadPosting is a security-first control plane for approving one exact text payload for Nostr, X, or both. The design aims to route each platform through policy-bound VPN egress without turning failure, ambiguity, or exit-country metadata into false privacy claims. + +We are hardening the design in public so privacy engineers, Linux networking specialists, Nostr implementers, Go reviewers, accessibility experts, and adversarial testers can turn explicit release gates into reproducible proof. + +## Why this exists + +Cross-posting is easy. Proving that a publisher did not escape a failed VPN, duplicate an ambiguous request, leak credentials into logs, or imply a false physical location is harder. + +NomadPosting turns those failure modes into explicit state transitions, testable security properties, and release gates. Freedom technology should make fewer promises and provide better evidence. + +## Privacy boundary + +A VPN changes network origin, not identity. X credentials, a Nostr public key, content, timing, VPN-provider metadata, and public activity remain correlatable. An exit country is routing metadata, never proof of the operator's physical location. + +| The design aims to | It does not promise | +|---|---| +| Bind human approval to the exact payload and destinations | Anonymity, unlinkability, or untraceability | +| Fail closed when an isolated tunnel or route is unhealthy | Protection from a compromised host, signer, gateway, or VPN provider | +| Keep future Nostr country choices private | A physical-location claim or false geotag | +| Preserve `UNKNOWN` after ambiguous delivery instead of blindly resending | Atomic publication or rollback across X and Nostr | +| Keep X on one stable, dedicated exit | Platform-enforcement, rate-limit, or geographic-control evasion | + +There is no browser posting, cookie reuse, CAPTCHA handling, residential proxy support, account fleet, or error-triggered IP switching. + +## Current status + +| Area | State | +|---|---| +| Approval, scheduling, encrypted content, audit, cancellation, and emergency stop | Implemented and tested | +| X and Nostr protocol/state modules | Implemented for dry-run verification; not wired to live transports | +| Nostr country-selection policy and typed broker boundary | Implemented and tested | +| Linux network namespaces, WireGuard, nftables, and validating DNS | Not implemented | +| Broker-backed dispatcher and live publication | Intentionally disabled | +| Production readiness | **No** | + +The exact evidence, limitations, and unresolved gates are recorded in the [verification record](docs/VERIFICATION.md). + +## Help harden NomadPosting + +This project needs reviewers more than cheerleaders. + +| Priority | Work that needs proof | +|---|---| +| P0 | Per-attempt Linux network namespaces, WireGuard, nftables, validating DNS, teardown, and physical-interface packet captures under tunnel loss | +| P0 | Broker-backed dispatcher with platform-pinned HTTP and WebSocket transports | +| P0 | Concrete NIP-46 transport, signer binding, permission enforcement, and BIP-340/Schnorr verification | +| P1 | Crash recovery and same-exit X reconciliation without blind duplicates | +| P1 | TPM or operating-system key sealing and encryption of currently plaintext operational indexes | +| P1 | NIP-11/NIP-65 relay review, X weighted-length conformance, and provisioned gateway health checks | +| P2 | Complete keyboard, screen-reader, 200% zoom, reduced-motion, and visual-regression testing | + +Good starting points: + +- challenge a trust boundary or untested assumption in the [threat model](docs/THREAT_MODEL.md); +- reproduce one of the [code-level adversarial rounds](docs/VERIFICATION.md#code-level-adversarial-rounds); +- turn a release blocker into a failing-before, passing-after test; +- review the egress selector, state machine, secret handling, or accessible UI without using live credentials. + +Every privacy claim needs a named threat, a trust boundary, and a reproducible test. Medium-or-higher findings reopen the affected adversarial rounds. No `xfail`, `--no-verify`, swallowed errors, hardcoded bypasses, or unpinned dependencies. + +## Target architecture + +Purple nodes exist in the dry-run codebase. Orange dashed nodes are blocked release work. ```mermaid flowchart LR B["Management-VPN browser"] --> C["Unprivileged Go controller"] - C --> D["Encrypted SQLite WAL"] - C --> S["NIP-46 remote signer"] - C --> K["Root-owned broker socket"] - K --> X["Pinned France namespace for X"] - K --> N["Random eligible namespace for Nostr"] - X --> XA["Official X API"] - N --> R["Three reviewed wss relays"] + C --> D["SQLite WAL + envelope-encrypted sensitive records"] + C --> P["Testable X and Nostr protocol modules"] + C --> K["Typed broker boundary"] + P -. "transport missing" .-> S["NIP-46 signer"] + K -. "executor missing" .-> N["Fresh network namespace + WireGuard"] + N -.-> X["Dedicated France exit → official X API"] + N -.-> R["Random eligible Nostr exit → configured relays"] + + classDef built fill:#211F28,stroke:#9B6DFF,color:#ECEAF0,stroke-width:2px; + classDef gate fill:#17161C,stroke:#FF731A,color:#ECEAF0,stroke-width:2px,stroke-dasharray:5 4; + class B,C,D,P,K built; + class S,N,X,R gate; ``` -The target diagram is not a claim that the disabled namespace executor is complete. See [deployment gates](deploy/DEPLOYMENT.md) and the [threat model](docs/THREAT_MODEL.md). +The diagram is a target, not a deployment claim. X is intentionally pinned to one stable France exit. Only Nostr is designed for country rotation, and production rotation still depends on the missing isolation proof. -## Local dry-run +
+What you can audit today -Install Go 1.26.5, then in PowerShell: +- Go 1.26.5 server-rendered control plane with SQLite WAL. +- Two-passkey WebAuthn policy, CSRF-bound sessions, offline recovery-code rotation, and rate limiting. +- AES-256-GCM envelope encryption for content, credentials, OAuth tokens, receipts, auth records, and audit details. Job state, timestamps, destination flags, and payload hashes remain plaintext indexes. +- Exact normalized-payload preview and SHA-256 approval binding across content, destinations, and schedule. +- Explicit `DRAFT → APPROVED → ROUTING → PUBLISHING → COMPLETE | PARTIAL | FAILED | UNKNOWN` transitions. +- Testable official X API and OAuth 2.0 PKCE modules with fixed endpoints, bounded responses, no `geo`, one refresh after a definitive 401, and no automatic resend after an ambiguous transmission. +- NIP-01 event construction, NIP-46 kind restrictions, NIP-42 challenge binding, exact signed-event reuse, three configured relay identities, and modeled two-ack quorum. Production relay review and onboarding are not implemented. +- CSPRNG Nostr country selection, no adjacent-country repeat, three-healthy-country minimum, independent endpoint selection, and stable X egress policy. +- Registry-only broker requests: arbitrary commands, paths, routes, addresses, and shell fragments are not representable. +- Orange, purple, and graphite-gray cypherpunk UI with visible focus, reduced motion, label-plus-color states, and no pre-dispatch country disclosure. + +
+ +## Five-minute dry run + +Requirements: [Go 1.26.5](https://go.dev/doc/install) and a local browser. This mode is for UI and state-flow review only. + +### Linux or macOS + +```sh +git clone https://github.com/s00ly/nomadposting.git +cd nomadposting + +export IVPN_MASTER_KEY="$(go run ./cmd/ivpn --generate-master-key)" +export IVPN_DEV_MODE=true +export IVPN_ORIGIN=http://localhost:8443 +export IVPN_RPID=localhost +export IVPN_DRY_RUN=true + +go run ./cmd/ivpn +``` + +### PowerShell ```powershell -go build -o bin/ivpn.exe ./cmd/ivpn -$env:IVPN_MASTER_KEY = (& .\bin\ivpn.exe --generate-master-key) +git clone https://github.com/s00ly/nomadposting.git +Set-Location nomadposting + +$env:IVPN_MASTER_KEY = (& go run ./cmd/ivpn --generate-master-key) $env:IVPN_DEV_MODE = 'true' $env:IVPN_ORIGIN = 'http://localhost:8443' $env:IVPN_RPID = 'localhost' $env:IVPN_DRY_RUN = 'true' -.\bin\ivpn.exe -``` -Open `http://127.0.0.1:8443`. Development mode bypasses passkey enforcement so local UI and state flows can be inspected. It must never be used for live credentials or publishing. +go run ./cmd/ivpn +``` -Production configuration also requires TLS certificate/key paths, a random bootstrap token of at least 32 characters, an HTTPS origin, and host/TPM-backed secret delivery. Prefer `IVPN_MASTER_KEY_FILE` and `IVPN_BOOTSTRAP_TOKEN_FILE`; the app rejects relative, oversized, symlinked, or group/world-readable files on Linux. `.env` files are excluded from Git and are not an approved production secret store. +Open . Development mode bypasses passkey enforcement and must never be used with live credentials. Runtime data is written under the ignored `data/` directory. -`IVPN_X_ESTIMATED_CHARGE` is operator-supplied from the account's current X billing portal. If absent, the approval preview says the estimate is unavailable. The code does not invent a price. +The `IVPN_*` prefix is a legacy internal name in the prototype configuration and is expected to change before a release. -## Verification +## Verify the code ```sh go mod verify -go test -race -count=1 ./... +go test -count=1 ./... go vet ./... go run golang.org/x/vuln/cmd/govulncheck@v1.6.0 ./... ``` -The CI workflow pins its GitHub Actions to exact upstream tag commits and pins govulncheck to v1.6.0. See [verification evidence and unresolved gates](docs/VERIFICATION.md). +GitHub Actions additionally runs the race detector on Ubuntu and generates a module inventory for SBOM input. Actions and scanner versions are pinned in [`.github/workflows/ci.yml`](.github/workflows/ci.yml). + +## Report a vulnerability + +Do not put exploitable details, credentials, VPN configuration, account identifiers, or canary values in a public issue. Use [GitHub Private Vulnerability Reporting](https://github.com/s00ly/nomadposting/security/advisories/new). Public issues are appropriate for non-exploitable design questions, threat-model challenges, and hardening proposals. + +No production release exists. Reports against `main` are accepted. Read the [security policy](docs/SECURITY.md) before testing. + +## Project principles + +- **Fail closed.** Missing proof disables live behavior. +- **Approval is exact.** Any payload or destination change invalidates consent. +- **Ambiguity is a state.** A timeout after transmission is not permission to resend. +- **Location is not identity.** Exit-country metadata never becomes a physical-presence claim. +- **Official protocols only.** No browser automation, session-cookie reuse, or platform-control workarounds. +- **Evidence over adjectives.** Builds are useful; packet captures, fault injection, and reproducible negative tests are release evidence. + +## Documentation map + +- [Threat model](docs/THREAT_MODEL.md): assets, actors, trust boundaries, abuse cases, and adversarial rounds +- [Security policy](docs/SECURITY.md): normative controls, secret handling, logging, retention, and release gates +- [Verification record](docs/VERIFICATION.md): passed checks, known findings, and explicit NO-GO decisions +- [Dependency license review](docs/DEPENDENCY_LICENSES.md): transitive license evidence and scanner decision record +- [Deployment boundary](deploy/DEPLOYMENT.md): disabled broker and Linux release gate +- [Architecture decisions](docs/adr): product boundary, location ethics, and retention +- [Infrastructure topology](infra/README.md): credential-free OpenTofu manifest, not provisioned infrastructure +- [Governance](GOVERNANCE.md): decision, maintainer, security-authority, and succession rules +- [Maintainers](MAINTAINERS.md): current ownership and bus-factor status +- [Code of Conduct](CODE_OF_CONDUCT.md): community standards and private enforcement contact +- [Name and provenance](BRAND_POLICY.md): accurate fork and official-build representation + +## License and contributions -## Production blockers +NomadPosting is licensed under the [GNU Affero General Public License, +version 3 or later](LICENSE), identified by SPDX as `AGPL-3.0-or-later`. +Modified versions used to provide network interaction must offer their +corresponding source to those users as required by the license. -- No reviewed Linux namespace/WireGuard/nftables executor yet. -- No packet-capture proof for tunnel removal during DNS, TLS, OAuth refresh, signing, transmit, or response handling. -- No broker-backed dispatcher or pinned per-platform network transports. Approved jobs remain queued, and X OAuth/publishing stays unavailable. -- No provisioned cloud gateways, validating resolvers, static IP verification, or provider budget alerts. -- No concrete NIP-46 transport or BIP-340/Schnorr verification adapter. -- No TPM/host-secret-store sealing adapter; strict secret-file loading alone is not sealing. -- Exact job state, timestamps, destination flags, and payload hashes remain plaintext SQLite indexes; other sensitive records are envelope-encrypted. -- No live X reconciliation worker, live relay review, complete accessibility audit, or seven-day canary. -- No tested-account evidence or written X clarification for per-post country rotation. X remains pinned to France by policy. +Contributions use the same license and the [Developer Certificate of Origin +1.1](DCO). Every commit requires an author-matching `Signed-off-by:` trailer. +The project requires neither a CLA nor copyright assignment. See +[CONTRIBUTING.md](CONTRIBUTING.md) before submitting changes. -These are fail-closed blockers, not follow-up polish. Live mode stays disabled until all release gates in [SECURITY.md](docs/SECURITY.md) pass three clean adversarial rounds. +If this threat model matters to you, star the repository so more privacy and security reviewers can find the work. diff --git a/docs/DEPENDENCY_LICENSES.md b/docs/DEPENDENCY_LICENSES.md new file mode 100644 index 0000000..eaa0c39 --- /dev/null +++ b/docs/DEPENDENCY_LICENSES.md @@ -0,0 +1,69 @@ +# Dependency License Review + +Date: 2026-07-15 + +NomadPosting is licensed under `AGPL-3.0-or-later`. This review covers every Go +module used by `./...` at the versions pinned in `go.mod` and `go.sum`. +Permitted dependency licenses are `Apache-2.0`, `BSD-2-Clause`, +`BSD-3-Clause`, and `MIT`; each is compatible with GPLv3-family distribution. +The project license itself is also allowed as `AGPL-3.0` because license-text +classifiers cannot encode the separate "or later" grant stated in the README. +Compatibility was cross-checked against the GNU project's +[license list](https://www.gnu.org/licenses/license-list.html). + +## Automated evidence + +Run: + +```sh +bash ./scripts/check-licenses.sh +``` + +The script pins `google/go-licenses` at `v2.0.1` and rejects every unapproved or +unknown detected license. There are no ignored modules or license exceptions. + +## Reviewed modules + +| License | Modules | +|---|---| +| Apache-2.0 | `github.com/google/go-tpm v0.9.8` | +| BSD-2-Clause | `github.com/go-webauthn/x v0.2.6` includes the `revoke` package under this license | +| BSD-3-Clause | `github.com/go-webauthn/webauthn v0.17.4`, the remaining used packages from `github.com/go-webauthn/x v0.2.6`, `github.com/google/uuid v1.6.0`, `github.com/remyoudompheng/bigfft` at `24d4a6f8daec`, `golang.org/x/crypto v0.52.0`, `golang.org/x/sys v0.45.0`, `modernc.org/libc v1.73.4`, `modernc.org/mathutil v1.7.1`, `modernc.org/memory v1.11.0`, `modernc.org/sqlite v1.53.0` | +| MIT | `github.com/dustin/go-humanize v1.0.1`, `github.com/fxamacker/cbor/v2 v2.9.2`, `github.com/go-viper/mapstructure/v2 v2.5.0`, `github.com/golang-jwt/jwt/v5 v5.3.1`, `github.com/mattn/go-isatty v0.0.20`, `github.com/ncruces/go-strftime v1.0.0`, `github.com/philhofer/fwd v1.2.0`, `github.com/tinylib/msgp v1.6.4`, `github.com/x448/float16 v0.8.4` | + +`modernc.org/libc` also carries notices for incorporated Go, musl, go-netdb, +and NixOS/nixpkgs material under BSD-style, MIT, or public-domain terms. The +SQLite material included by `modernc.org/sqlite` is public domain. No reviewed +dependency imposes a copyleft term that conflicts with AGPL distribution. + +Any dependency or scanner update requires a fresh report and manual review of +new, changed, unknown, or multi-license results. + +## Scanner decision record + +The scanner is a CI-only build tool. It is not linked into NomadPosting or its +release artifacts. + +| Option | Coverage | Reproducibility | Supply-chain exposure | Score | +|---|---:|---:|---:|---:| +| [`google/go-licenses v2.0.1`](https://github.com/google/go-licenses) | 4/5 | 4/5 | 3/5 | **11/15** | +| GitHub enterprise license policy | 4/5 | 2/5 | 4/5 | 10/15 | +| Manual review only | 2/5 | 2/5 | 5/5 | 9/15 | +| New custom classifier | 2/5 | 3/5 | 4/5 | 9/15 | + +Decision: use `google/go-licenses v2.0.1` with no exceptions. It provides +locally reproducible transitive analysis without requiring an enterprise +GitHub feature. Version 1.6.0 was rejected after its binary vulnerability scan +found 17 reachable vulnerabilities, including legacy `go-git` path-traversal +and remote-code-execution advisories. The selected v2.0.1 binary scan found zero +reachable vulnerabilities; nine module-level advisories were present only in +code paths the binary does not call. A custom classifier would create more +security and maintenance risk than it removes. + +Blast radius: the scanner executes third-party Go code during CI and can read +the checked-out repository and make network requests while Go downloads its +pinned modules. Controls are an exact released version, public Go checksum +verification, a read-only workflow token, disabled checkout credentials, no CI +secrets, a strict license allowlist, and a five-minute step within the existing +twenty-minute job. Replace or remove the scanner if it becomes unmaintained or +its binary vulnerability scan gains a reachable finding. diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 05a3ce5..fb74a8e 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -1,13 +1,68 @@ # Security Requirements and Operating Policy -This document defines the minimum security posture for iVPN. It is normative for implementation and release. These are requirements, not evidence that a deployment satisfies them. The fuller threat analysis is in [THREAT_MODEL.md](THREAT_MODEL.md). +This document defines the minimum security posture for NomadPosting. It is normative for implementation and release. These are requirements, not evidence that a deployment satisfies them. The fuller threat analysis is in [THREAT_MODEL.md](THREAT_MODEL.md). ## Supported use -iVPN supports one operator publishing approved content to one X account through a dedicated France exit and one Nostr identity through rotating, allowlisted VPN countries. It is a source-IP privacy tool, not an anonymity system or an enforcement-evasion tool. +NomadPosting supports one operator publishing approved content to one X account through a dedicated France exit and one Nostr identity through rotating, allowlisted VPN countries. It is a source-IP privacy tool, not an anonymity system or an enforcement-evasion tool. The implementation must not support account fleets, third-party accounts, platform limit circumvention, browser automation of X, session-cookie reuse, misleading location claims, or silent network fallback. +## Supported versions and official scope + +| Version | Security support | Live status | +|---|---|---| +| `main` | Accepted for private vulnerability reports | Dry-run research preview only | +| Tagged releases | None exist | Unsupported | +| Forks and third-party deployments | Controlled by their operators | Not official or certified by this project | + +This policy governs the `s00ly/nomadposting` repository and artifacts explicitly +published from it. It does not add a restriction to the AGPL or certify a fork. +The [name and provenance policy](../BRAND_POLICY.md) describes accurate use of +project identity. + +No live deployment is supported. A report showing that a missing live feature +is missing is not a vulnerability unless dry-run behavior creates a separate +security impact. Reports that challenge a release assumption are welcome when +they follow the research boundaries below. + +## Vulnerability reporting and research boundaries + +Use [GitHub Private Vulnerability Reporting](https://github.com/s00ly/nomadposting/security/advisories/new) +for exploitable details. Public issues are appropriate only for +non-exploitable design questions, threat-model hypotheses, and hardening +proposals. + +This project can authorize research only against its own code and +maintainer-controlled disposable environments. It does not authorize testing +against X, Nostr relays, VPN providers, cloud providers, accounts, networks, or +other third-party systems. Obtain separate permission from each owner. + +When testing this project: + +- use synthetic data, disposable keys, local fixtures, and test accounts you + own; +- do not access another person's data, credentials, account, or traffic; +- do not use denial of service, social engineering, persistence, credential + harvesting, or automated scanning of public infrastructure; +- stop when a test could affect availability, disclose data, or leave the + disposable environment; +- retain only the minimum sanitized evidence needed to reproduce the issue and + delete sensitive research artifacts after coordination. + +There is no bug bounty, guaranteed safe harbor, or response-time SLA. The +maintainer targets acknowledgement within seven calendar days and an initial +severity assessment within fourteen. These are best-effort targets. Reporter +credit is offered only with the reporter's consent. + +For security-sensitive fixes, use a GitHub draft advisory and its private fork. +Do not open a public issue or pull request containing exploit details before +coordinated disclosure. The maintainer decides whether an advisory or CVE is +appropriate based on affected users and release state. Under the AGPL, source +for a modified network-served fix must be available to remote users no later +than deployment of that fix. Corresponding source never includes production +credentials or private operational configuration. + ## Mandatory architecture - Linux is the security baseline for the first release. @@ -160,7 +215,24 @@ On suspected token, signer, or VPN-key compromise: 6. Correct the root cause, not only the exposed credential. 7. Rerun all three adversarial rounds before restoring unattended operation. -Do not place real secrets in a public issue. Until a private reporting channel is published, use the repository host's private security-advisory mechanism if available and share only redacted reproduction details. +Do not place real secrets or exploitable details in a public issue. Use [GitHub Private Vulnerability Reporting](https://github.com/s00ly/nomadposting/security/advisories/new) and share only the minimum redacted reproduction material needed to investigate. No production release exists; reports against `main` are accepted. Public issues are appropriate for non-exploitable design questions and hardening proposals. + +## Security-maintainer authority + +The active security maintainer is listed in +[MAINTAINERS.md](../MAINTAINERS.md). The project currently has one security +maintainer, which is an explicit bus-factor limitation. + +The security maintainer may access private advisories, invite a minimum set of +qualified reviewers, merge embargoed fixes, stop publication, revoke +compromised artifacts, coordinate disclosure, and require credential rotation. +Any medium-or-higher finding resets the affected verification work and all +three production adversarial rounds. No administrator may waive that reset by +merging, changing a label, or editing the verification record. + +Code of Conduct reports use the separate private channel defined in +[CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md). Vulnerability reporting must not be used for +interpersonal or community-moderation complaints. ## Release gates diff --git a/docs/VERIFICATION.md b/docs/VERIFICATION.md index 5056c9a..4f516af 100644 --- a/docs/VERIFICATION.md +++ b/docs/VERIFICATION.md @@ -1,6 +1,6 @@ # Verification Record -Date: 2026-07-14 +Date: 2026-07-16 This record separates code-level evidence from production network evidence. The repository is a dry-run control plane and safety scaffold. It is not a working @@ -11,13 +11,17 @@ VPN cross-poster, and live mode is deliberately rejected at configuration load. | Check | Result | Evidence | |---|---|---| | Go version | PASS | Pinned Go 1.26.5 toolchain used for every command below. | +| Project license | PASS | `LICENSE` matches the canonical GNU AGPL v3 text; the README applies `AGPL-3.0-or-later`. `DCO` matches the canonical DCO 1.1 text. Both comparisons normalized line endings only. | +| DCO enforcement | PASS | `scripts/check-dco-tests.sh` accepted signed author and co-author fixtures; rejected unsigned authors, unsigned co-authors, unsigned post-adoption commits, and an empty range; and proved that commits predating DCO adoption are not retroactively rejected. The real branch range also passed from the DCO adoption boundary. Both pinned workflows run the self-tests. | +| Community governance | PASS LOCALLY | Relative Markdown links resolve. Governance, maintainer, conduct, brand, contribution, ownership, issue-form, pull-request, and security-reporting policies are present and agree on the single-maintainer and dry-run boundaries. Remote GitHub detection and workflow evidence are required after push. | +| Dependency licenses | PASS | `bash ./scripts/check-licenses.sh` accepted only AGPL-3.0, Apache-2.0, BSD-2-Clause, BSD-3-Clause, and MIT with no ignored modules or exceptions. See [DEPENDENCY_LICENSES.md](DEPENDENCY_LICENSES.md). | | Formatting | PASS | `gofmt -d cmd internal` returned no diff. | | Module integrity | PASS | `go mod verify` returned `all modules verified`. | | Complete test suite | PASS | `go test -count=1 ./...` and a final `go test -count=3 ./...` passed all 10 packages. The repository contains 59 named tests. | | Static analysis | PASS | `go vet ./...` returned no findings. | | Reachable vulnerability scan | PASS WITH NOTE | `govulncheck v1.6.0` found zero symbol- or package-level vulnerabilities. See dependency note below. | | Linux build | PASS | Both `cmd/ivpn` and `cmd/netbroker` cross-built for `linux/amd64` with `CGO_ENABLED=0` and `-trimpath`. | -| Race detector | NOT RUN LOCALLY | This Windows environment has no CGO compiler. `go test -race` correctly failed with `-race requires cgo`. The pinned Ubuntu CI workflow is the required race gate, but no remote CI result exists yet. | +| Race detector | PASS IN CI; NOT RUN LOCALLY | This Windows environment has no CGO compiler. `go test -race` correctly failed locally with `-race requires cgo`. The pinned Ubuntu workflow passed the race suite in [run 29382281777](https://github.com/s00ly/nomadposting/actions/runs/29382281777). | | OpenTofu validation | NOT RUN | OpenTofu is not installed in this environment. The infrastructure directory is a topology manifest, not resource definitions. | ## Code-level adversarial rounds diff --git a/scripts/check-dco-tests.sh b/scripts/check-dco-tests.sh new file mode 100755 index 0000000..e10eed6 --- /dev/null +++ b/scripts/check-dco-tests.sh @@ -0,0 +1,81 @@ +#!/usr/bin/env bash +set -euo pipefail + +script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) +checker="${script_dir}/check-dco.sh" +fixture=$(mktemp -d) +trap 'rm -rf "$fixture"' EXIT + +git -C "$fixture" init --quiet +git -C "$fixture" config user.name "Test Author" +git -C "$fixture" config user.email "author@example.invalid" +git -C "$fixture" config core.autocrlf false + +run_check() { + (cd "$fixture" && bash "$checker" "$@") +} + +printf 'root\n' >"${fixture}/fixture.txt" +git -C "$fixture" add fixture.txt +git -C "$fixture" commit --quiet -m "Root fixture" +base=$(git -C "$fixture" rev-parse HEAD) + +printf 'before adoption\n' >>"${fixture}/fixture.txt" +git -C "$fixture" add fixture.txt +git -C "$fixture" commit --quiet -m "Unsigned pre-adoption fixture" +pre_adoption=$(git -C "$fixture" rev-parse HEAD) + +if run_check "$base" "$pre_adoption" >/dev/null 2>&1; then + echo "DCO test failure: a range without DCO unexpectedly passed" >&2 + exit 1 +fi + +cp "${script_dir}/../DCO" "${fixture}/DCO" +git -C "$fixture" add DCO +git -C "$fixture" commit --quiet --signoff -m "Adopt DCO" +adoption=$(git -C "$fixture" rev-parse HEAD) + +run_check "$base" "$adoption" >/dev/null + +printf 'signed\n' >>"${fixture}/fixture.txt" +git -C "$fixture" add fixture.txt +git -C "$fixture" commit --quiet --signoff -m "Signed fixture" +signed=$(git -C "$fixture" rev-parse HEAD) + +run_check "$adoption" "$signed" >/dev/null + +printf 'coauthored\n' >>"${fixture}/fixture.txt" +git -C "$fixture" add fixture.txt +git -C "$fixture" commit --quiet --signoff \ + -m "Unsigned co-author fixture" \ + -m "Co-authored-by: Co Author " +unsigned_coauthor=$(git -C "$fixture" rev-parse HEAD) + +if run_check "$signed" "$unsigned_coauthor" >/dev/null 2>&1; then + echo "DCO test failure: an unsigned co-author unexpectedly passed" >&2 + exit 1 +fi + +git -C "$fixture" commit --quiet --amend \ + -m "Signed co-author fixture" \ + -m $'Signed-off-by: Test Author \nCo-authored-by: Co Author \nSigned-off-by: Co Author ' +signed_coauthor=$(git -C "$fixture" rev-parse HEAD) + +run_check "$signed" "$signed_coauthor" >/dev/null + +printf 'unsigned after adoption\n' >>"${fixture}/fixture.txt" +git -C "$fixture" add fixture.txt +git -C "$fixture" commit --quiet -m "Unsigned post-adoption fixture" +unsigned=$(git -C "$fixture" rev-parse HEAD) + +if run_check "$signed_coauthor" "$unsigned" >/dev/null 2>&1; then + echo "DCO test failure: an unsigned post-adoption commit unexpectedly passed" >&2 + exit 1 +fi + +if run_check "$signed" "$signed" >/dev/null 2>&1; then + echo "DCO test failure: an empty range unexpectedly passed" >&2 + exit 1 +fi + +echo "DCO self-tests passed." diff --git a/scripts/check-dco.sh b/scripts/check-dco.sh new file mode 100755 index 0000000..452ea17 --- /dev/null +++ b/scripts/check-dco.sh @@ -0,0 +1,101 @@ +#!/usr/bin/env bash +set -euo pipefail + +if [[ $# -ne 2 ]]; then + echo "usage: $0 " >&2 + exit 2 +fi + +base=$1 +head=$2 + +git rev-parse --verify "${base}^{commit}" >/dev/null +git rev-parse --verify "${head}^{commit}" >/dev/null + +if ! git merge-base --is-ancestor "$base" "$head"; then + echo "DCO failure: base ${base} is not an ancestor of head ${head}" >&2 + exit 1 +fi + +if ! git cat-file -e "${head}:DCO" 2>/dev/null; then + echo "DCO failure: head ${head} does not contain the DCO policy" >&2 + exit 1 +fi + +range="${base}..${head}" + +# A pull request that adopts the DCO cannot retroactively certify earlier +# commits. Start enforcement at the first commit in the range that introduces +# the DCO file. Once the base branch contains DCO, every new commit is checked. +if ! git cat-file -e "${base}:DCO" 2>/dev/null; then + adoption=$(git rev-list --reverse "$range" -- DCO) + adoption=${adoption%%$'\n'*} + if [[ -z "$adoption" ]]; then + echo "DCO failure: no DCO adoption commit found in ${range}" >&2 + exit 1 + fi + + adoption_parent=$(git rev-parse "${adoption}^" 2>/dev/null || true) + if [[ -n "$adoption_parent" ]]; then + range="${adoption_parent}..${head}" + else + range="$head" + fi + + echo "DCO adoption detected at ${adoption}; earlier commits are outside the policy." +fi + +failed=0 +checked=0 + +while IFS= read -r commit; do + [[ -n "$commit" ]] || continue + checked=$((checked + 1)) + + author_name=$(git show -s --format=%an "$commit") + author_email=$(git show -s --format=%ae "$commit") + expected="${author_name} <${author_email}>" + required=("$expected") + signoffs=() + + while IFS= read -r trailer; do + key=${trailer%%:*} + value=${trailer#*:} + value=${value#"${value%%[![:space:]]*}"} + + case "${key,,}" in + co-authored-by) + required+=("$value") + ;; + signed-off-by) + signoffs+=("$value") + ;; + esac + done < <(git show -s --format=%B "$commit" | git interpret-trailers --parse) + + for identity in "${required[@]}"; do + matched=0 + for signoff in "${signoffs[@]}"; do + if [[ "${signoff,,}" == "${identity,,}" ]]; then + matched=1 + break + fi + done + + if [[ $matched -ne 1 ]]; then + echo "DCO failure: ${commit} needs 'Signed-off-by: ${identity}'" >&2 + failed=1 + fi + done +done < <(git rev-list --reverse "$range") + +if [[ $checked -eq 0 ]]; then + echo "DCO failure: no commits found in ${range}" >&2 + exit 1 +fi + +if [[ $failed -ne 0 ]]; then + exit 1 +fi + +echo "DCO check passed for ${checked} commit(s)." diff --git a/scripts/check-licenses.sh b/scripts/check-licenses.sh new file mode 100644 index 0000000..1f7e262 --- /dev/null +++ b/scripts/check-licenses.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +set -euo pipefail + +readonly scanner='github.com/google/go-licenses/v2@v2.0.1' +readonly allowed='AGPL-3.0,Apache-2.0,BSD-2-Clause,BSD-3-Clause,MIT' + +go run "$scanner" check ./... \ + --allowed_licenses="$allowed" + +echo "Dependency-license check passed with no exceptions."