viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
3899 commits 2 branches 0 tags 2.3 GiB
Commit graph

2 commits

Author SHA1 Message Date
Viktor Barzin
9f551e3c13 t3code: harden dispatch — dedicated user + validated t3-mint + scoped sudoers 
Run t3-dispatch as an unprivileged dedicated user instead of wizard (who has
full sudo). Privileged minting goes through /usr/local/bin/t3-mint, which
validates the target against /etc/ttyd-user-map before minting as that user;
sudoers permits t3-dispatch to run only that wrapper. Compromise of the
network-facing service can mint pairing tokens for mapped users at most.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-02 19:24:30 +00:00
Viktor Barzin
0472f67d49 t3code: devvm dispatch + auto-pair service (Go) 
Routes X-authentik-username -> per-user t3 instance; on no t3_session
cookie, mints a pairing token (as the OS user) and exchanges it at
/api/auth/bootstrap, injecting the session cookie. Listens :3780, reads
/etc/t3-serve/dispatch.json. Constants from the Task-1 auth-contract spike.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-02 19:24:30 +00:00