# Security & Privacy Doctrine
Reconstructed 2026-06-11 — this file was empty (1 byte) while CLAUDE.md cited it as load-bearing doctrine. Discovered while answering the studio-hosting question (task 700140). Rules below restate standing law from CLAUDE.md, container-storage-strategy, credential-model, and Michael rulings; nothing here is new except §Public surfaces, which is marked proposed.
## Exposure model
| Channel | Status |
|---|---|
| Inbound public ports (WAN) | Forbidden — nothing on Z2, Mac, or any CT listens to the internet; no router port-forwarding |
| Tailscale mesh | Default access plane for every service: SSH, NFS/SMB, Postgres, collectors, dashboards |
| LAN (192.168.1.x) | Trusted for infra already on it (Vaultwarden, CT103); no new LAN-bound services without ruling |
| Outbound-only tunnels (Cloudflare) | See §Public surfaces — proposed carve-out, awaiting ruling |
## Core rules
- SSH: key-only. No password auth, no root login, reachable over Tailscale only.
- No public inbound ports on any host. "Tailscale-only" governs inbound listening — it is the mechanism that keeps the home IP unpublished and the attack surface at zero.
- NFS/SMB: bind to the Tailscale interface only.
- Credentials: Itachi is the source of truth; Vaultwarden (CT103, 192.168.1.250) is the store. Values are never printed, never committed, never rotated without Michael's authorisation. Hardcoded credentials in source files are never modified without explicit instruction (INC-001).
- Secrets in git: forbidden. Env files live outside tracked trees; exposure events get a row in the incident log at discovery (INC-002).
- Permission hygiene: wipe-class shell patterns sit in permissions.deny; bare rm is ask-gated (INC-003).
- Incidents: every security event gets a row in security-incident-log at discovery. Closure requires named remediation.
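The following is an added example, not part of this doctrine page or of any linked infrastructure doc: a POSIX shell audit that checks an sshd_config against the SSH rules above (key-only, no password or keyboard-interactive auth, no root login, ListenAddress on the Tailscale address) and checks an `ss -tlnH` listener table for anything bound outside loopback or the Tailscale range, which is the NFS/SMB and no-inbound-ports rule in testable form. All file paths, the 100.101.102.103 address, and the sample configs and socket rows are constructed placeholders; the checker assumes IPv4 Tailscale addresses and an sshd_config without Match blocks. The loopback-only tunnel origin in the sample (127.0.0.1:3000) shows why an outbound-only tunnel of the kind discussed in §Public surfaces passes this check: it adds no listener beyond loopback.

```shell
#!/bin/sh
# Added example, not from the doctrine page: audit a host against the SSH
# and inbound-listening rules. The configs and the `ss` rows below are
# constructed samples; nothing here reads a real host.

# Tailscale IPv4 addresses come from the CGNAT range 100.64.0.0/10
# (100.64.0.0 - 100.127.255.255). Accepts "addr" or "addr:port".
# Limitation: Tailscale IPv6 addresses (fd7a:115c:a1e0::/48) are not recognised.
in_tailscale_range() {
  ip="${1%%:*}"
  case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
  o1="${ip%%.*}"; rest="${ip#*.}"; o2="${rest%%.*}"
  [ "$o1" = "100" ] || return 1
  case "$o2" in ''|*[!0-9]*) return 1 ;; esac
  [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# sshd applies the FIRST occurrence of a keyword, so report that one.
# Match blocks are not modelled; audit files that do not use them.
sshd_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: prints one line per violation; returns 1 if any.
audit_sshd_config() {
  f="$1"; bad=0
  v=$(sshd_value "$f" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-unset/default yes} (must be no)"; bad=1; }
  # The default prohibit-password still lets root in with a key; the rule is no root login.
  v=$(sshd_value "$f" PermitRootLogin)
  [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-unset/default prohibit-password} (must be no)"; bad=1; }
  # With PAM, keyboard-interactive can still prompt for a password even when
  # PasswordAuthentication is off. ChallengeResponseAuthentication is the older alias.
  v=$(sshd_value "$f" KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(sshd_value "$f" ChallengeResponseAuthentication)
  [ "$v" = "no" ] || { echo "KbdInteractiveAuthentication=${v:-unset/default yes} (must be no)"; bad=1; }
  v=$(sshd_value "$f" PubkeyAuthentication)
  [ "$v" != "no" ] || { echo "PubkeyAuthentication=no (key-only login impossible)"; bad=1; }
  # No ListenAddress at all means sshd binds every interface, LAN included.
  listens=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$f")
  if [ -z "$listens" ]; then
    echo "ListenAddress unset (binds all interfaces)"; bad=1
  else
    for a in $listens; do
      in_tailscale_range "$a" || { echo "ListenAddress=$a (not in 100.64.0.0/10)"; bad=1; }
    done
  fi
  return $bad
}

# audit_listeners < SS_ROWS: reads `ss -tlnH` style rows (local address in
# column 4) and flags any listener that is neither loopback nor on Tailscale.
audit_listeners() {
  bad=0
  while read -r line; do
    [ -n "$line" ] || continue
    set -- $line; local_addr="$4"
    addr="${local_addr%:*}"
    case "$addr" in
      127.*|'[::1]') ;;   # loopback only: unreachable from any network
      *) in_tailscale_range "$addr" || { echo "exposed listener: $local_addr"; bad=1; } ;;
    esac
  done
  return $bad
}

write_weak_config() {      # constructed: a near-stock sshd_config
  cat > "$1" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}

write_hardened_config() {  # constructed: satisfies the doctrine (address is a placeholder)
  cat > "$1" <<'EOF'
ListenAddress 100.101.102.103:22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Constructed `ss -tlnH` output: sshd on the Tailscale address, Postgres and a
# tunnel origin on loopback, NFS bound to all interfaces, SMB bound to the LAN.
SAMPLE_SS='LISTEN 0 128 100.101.102.103:22 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 50 192.168.1.50:445 0.0.0.0:*'

tmp=$(mktemp -d)
write_weak_config "$tmp/weak.conf"; write_hardened_config "$tmp/hardened.conf"
for c in weak hardened; do
  echo "== sshd_config: $c =="; audit_sshd_config "$tmp/$c.conf" && echo "compliant"
done
echo "== listeners =="; printf '%s\n' "$SAMPLE_SS" | audit_listeners && echo "compliant"
rm -rf "$tmp"
```

On a real host the same functions take `audit_sshd_config /etc/ssh/sshd_config` and `ss -tlnH | audit_listeners`. Parsing the file is a first pass only: `sshd -T` prints the effective configuration with Include files, Match blocks and defaults resolved, and its output is the more reliable thing to feed through the keyword checks.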
## Public surfaces (proposed 2026-06-11 — awaiting Michael ruling)
The inbound-port ban does not by itself forbid hosting a public surface from Z2: an outbound-only tunnel (cloudflared) publishes a service through the Cloudflare edge while opening zero inbound ports and never exposing the home IP. Proposed carve-out:
- Exposure is via outbound-only tunnel — no inbound port, no port-forwarding, home IP unpublished
- The surface is explicitly designated (the only current candidate is hinata-studio, recruiter-facing)
- An auth gate sits at the edge (studio password middleware)
Until ruled, the studio's existing Cloudflare Pages arrangement continues unchanged — Pages is edge-hosted and touches no Hinata host inbound.
Cross-links: container-storage-strategy · credential-model · infrastructure-access · hinata-architecture · security-incident-log