jarvis / docs /operations /security-maintenance.md
Jonathan Haas
Add operator console, observability, skills, and resilience/security hardening
643cae6
|
Raw
History Blame Contribute Delete
3.5 kB

Security Maintenance

This runbook defines dependency/version policy and monthly maintenance tasks for CI/action supply-chain hygiene.

1) Third-Party Workflow Provenance

Component Source Pin/verification strategy
actions/checkout GitHub (actions/checkout) Full commit SHA pin in workflows
actions/setup-python GitHub (actions/setup-python) Full commit SHA pin in workflows
actions/upload-artifact GitHub (actions/upload-artifact) Full commit SHA pin in workflows
astral-sh/setup-uv Astral (astral-sh/setup-uv) Full commit SHA pin in workflows
github/codeql-action/* GitHub (github/codeql-action) Full commit SHA pin in workflows
actionlint binary GitHub release (rhysd/actionlint) Version pin + SHA256 checksum verification in workflow
gitleaks binary GitHub release (gitleaks/gitleaks) Version pin + SHA256 checksum verification in workflow
shellcheck Ubuntu apt repository Installed from ubuntu-latest apt; review version during monthly maintenance

2) Minimum Version Policy (Critical Dependencies)

Keep explicit lower bounds in pyproject.toml for core runtime/security-critical dependencies. Raise floors when upstream advisories require it.

Dependency Minimum floor policy Rationale
aiohttp >=3.10.0 Network boundary + HTTP client security fixes
python-dotenv >=1.0.0 Stable env loading semantics
torch >=2.0.0 Model runtime compatibility/security updates
ultralytics >=8.3.0 Vision pipeline compatibility + fixes
faster-whisper >=1.1.0 STT runtime compatibility
claude-agent-sdk >=0.1.0 Agent/runtime protocol compatibility

When adding new critical dependencies:

  1. Add an explicit lower bound.
  2. Document rationale in this table.
  3. Add/update tests for config/runtime fallback behavior when feasible.

3) Monthly Maintenance Checklist

Run this once per month:

  1. Update action pins:
    • Re-resolve latest trusted SHAs for pinned actions.
    • Update pins in .github/workflows/*.yml.
  2. Refresh workflow binary pins:
    • actionlint version + checksum.
    • gitleaks version + checksum.
  3. Review dependency updates:
    • Triage open Dependabot PRs.
    • Prioritize security updates and networking/auth libraries.
  4. Run security workflows manually:
    • security.yml (CodeQL + pip-audit)
    • secrets-scan.yml (gitleaks)
    • deploy-security-gate.yml (release/deploy hardening checks)
  5. Validate baseline exceptions:
    • Review .gitleaksignore entries.
    • Remove stale/obsolete fingerprints.
  6. Confirm docs are current:
    • This runbook
    • docs/operations/release-checklist.md

4) Runtime Credential and Retention Guards

  • Startup now emits warnings for potentially unsafe credential posture:
    • unusually short API tokens (HASS_TOKEN, TODOIST_API_TOKEN, PUSHOVER_API_TOKEN)
    • insecure webhook URLs for Slack/Discord (http:// instead of https://)
    • WEBHOOK_AUTH_TOKEN configured without a WEBHOOK_ALLOWLIST
  • Retention windows are configurable:
    • MEMORY_RETENTION_DAYS
    • AUDIT_RETENTION_DAYS
  • Memory-write PII guardrails:
    • MEMORY_PII_GUARDRAILS_ENABLED=true|false
    • default behavior blocks memory writes that look like SSNs, card-like numbers, phone numbers, or email addresses unless explicitly overridden.
  • A value of 0 disables pruning; positive values apply automatic startup pruning.