Void-Homelab

Hynes/Void-Homelab

Fork 0

Commit Graph

Author	SHA1	Message	Date
root	925cb0d7d6	chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins) - Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it) - Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak) - Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup) - Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s - Q9: disabled failing syncoid-donatello timer on Z Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-03 07:54:57 +10:00
root	b10b68582d	feat(api): capture routes YouTube/Vimeo URLs to ingest.video POST /api/capture with a youtube.com / youtu.be / vimeo.com URL enqueues ingest.video (Python worker) instead of ingest.url (Node worker). Detection by URL hostname; idempotency_key + response shape unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-01 10:08:16 +10:00
root	afc20712cb	feat(api): capture POST + upload + SSRF-safe URL fetch safe_fetch.js validates URLs before fetch: rejects non-http(s), literal or DNS-resolved loopback / RFC1918 / link-local / CGNAT / metadata addresses; follows redirects manually with the same checks on each hop. Test fixtures gate the check with VOID_INGEST_ALLOW_PRIVATE for offline fixtures that hit 127.0.0.1. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-01 03:42:54 +10:00

Author

SHA1

Message

Date

root

925cb0d7d6

chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it)
- Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak)
- Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup)
- Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s
- Q9: disabled failing syncoid-donatello timer on Z

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-03 07:54:57 +10:00

root

b10b68582d

feat(api): capture routes YouTube/Vimeo URLs to ingest.video

POST /api/capture with a youtube.com / youtu.be / vimeo.com URL
enqueues ingest.video (Python worker) instead of ingest.url
(Node worker). Detection by URL hostname; idempotency_key + response
shape unchanged.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-01 10:08:16 +10:00

root

afc20712cb

feat(api): capture POST + upload + SSRF-safe URL fetch

safe_fetch.js validates URLs before fetch: rejects non-http(s), literal
or DNS-resolved loopback / RFC1918 / link-local / CGNAT / metadata
addresses; follows redirects manually with the same checks on each hop.
Test fixtures gate the check with VOID_INGEST_ALLOW_PRIVATE for offline
fixtures that hit 127.0.0.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-01 03:42:54 +10:00

3 Commits