index.html: extend the access-control bullet to mention the
inherit:false directive as the "complete reset" knob for vendor and
regulated subtrees.
federal.html: note in the strict-Rego bullet that inherit:false is
intentionally refused under strict cascade mode (NIST AC-6 invariant)
so federal-track operators understand the directive is a commercial-
mode tool, not part of the federal posture.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Re-sort the zddc-server feature list so the most-immediately-useful
behaviours (lazy folder creation, virtual .archive URLs, basic ACL,
roles, WORM, cascade tracer) come first, then the operational table
stakes (per-request logging, TLS hygiene), and the federal/regulated
bullets (OPA decider, designed-for-regulated-environments) last. Within
each tier the simpler item leads.
Strip the explicit ZDDC_ROOT=/srv/zddc from the run example. The binary
defaults to the current working directory, so for a quick start
"./zddc-server" is all that's needed. Add a follow-on note that the
listener defaults to https://localhost:8443/ with a self-signed cert
and that --root / --addr / --tls-* override the defaults.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

reference.html § 9: rewrite the canonical-folder tree so each line leads
with what the folder is FOR (drafting space, "about to issue" lane,
permanent record per counterparty, planned deliverables list, review
queue) rather than mechanics. The lifecycle stage of a document is now
visible from its location alone. Mechanics (lazy creation, case-fold
matching, virtual user home, paired delete on issue) demoted to a
single trailing paragraph so a reader can grasp the layout without
needing to track them.
federal.html: surface the access-control features that landed since the
page was written —
- Role-based access control as a first-class shipped feature, with the
AC-2 / AC-3(7) mapping called out.
- Verb-based least privilege (r/w/c/d/a) under AC-6, with the rc
shape used by immutable archives flagged explicitly.
- WORM enforcement on archive/<party>/{received,issued}/ under AU-9
and MP-5, including the at-the-WORM-folder grant pattern that lets
doc controllers drop transmittals without giving them overwrite.
- Cascade tracer (/.profile/effective-policy) under AC-3 reviewability.
- OPA wire-format detail (input shape + cache TTL + fail-open).
Move "Role-based access control" out of the "what you'd add for ATO"
table now that it's shipped; replace with "Identity-provider role
sync" — the integrator's job is wiring AD/Okta/EntraID groups into
the existing role members: list, not building RBAC from scratch.
Update "Policy export" to acknowledge the per-path tracer that already
ships and frames the missing piece as the batch-export companion.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Update reference.html § 9 (transmittal workflow): replace the legacy
per-party tree (project/{party-name}/{incoming,received,issued}) with
the current canonical layout — project root has working/, staging/,
reviewing/, archive/, and per-party folders sit under
archive/<party>/{mdl,incoming,received,issued}/. Note lazy creation,
case-fold matching, the per-user virtual <viewer-email>/ entry, mdl
opening the table editor, and the staging↔working drafting mirror.
Add a "Drafting a response transmittal" subsection describing how
inbound submittals (-SUB- @ IFR/IFA) flow through staging→working
into archive/<party>/issued/ as RS* responses.
Update index.html "Access control via .zddc files" bullet to describe
what the server actually does today: cascade direction, the five
verbs (r/w/c/d/a), explicit deny via empty grant, and the
X-Auth-Request-Email convention. Add new bullets for roles (with a
short YAML example), WORM archive folders + drop-in producer pattern,
lazy folder creation + case-fold matching, the cascade tracer
admin endpoint, and an expanded OPA paragraph (input shape, cache
TTL, fail-open flag, --print-rego=federal). Update the install card's
tool-folder list to use lowercase canonical names, mention browse,
and add mdl.table.html as the per-party MDL view.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Canonical-channel public key. zddc.varasys.io/releases/<artifact>.sig
files are signed with the matching private key (kept locally on the
maintainer's machine, never in CI).
Operators self-hosting zddc-server who use the canonical channels
(`apps: archive: stable` etc.) download this file and pass the local
path via ZDDC_APPS_PUBKEY. Operators with their own signing
infrastructure publish their own pubkey and configure that path
instead.
The releases-page index includes a "Verify your downloads" section
with the SHA-256 fingerprint and a curl + openssl pkeyutl -verify
example for manual verification. zddc-server's apps fetcher does the
same verification automatically when ZDDC_APPS_PUBKEY is configured.
Fingerprint (SHA-256 of DER-encoded SubjectPublicKeyInfo):
7766dc8cf963f32156ddcc96825c52ba0333ffe4c243ad54f9eaf26195b065ab
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

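As an added illustration of the check the commit above describes (this is example code written for this page, not zddc-server's apps fetcher), the flow an operator-side verifier performs: pin the public key by the SHA-256 of its DER-encoded SubjectPublicKeyInfo, then verify the detached `.sig` over the artifact bytes. It assumes the signing key is Ed25519 and that `.sig` files are raw detached signatures; the throwaway keypair, the sample artifact bytes and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// spkiFingerprint returns the lowercase hex SHA-256 of the DER-encoded
// SubjectPublicKeyInfo, the form the releases page prints as the fingerprint.
func spkiFingerprint(pub ed25519.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// pubkeyPEM encodes a public key the way an operator would store the file
// referenced by ZDDC_APPS_PUBKEY (assumed PEM "PUBLIC KEY" block).
func pubkeyPEM(pub ed25519.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// loadPubkey parses the PEM file and refuses it unless the fingerprint of the
// DER bytes exactly as stored matches the published one. Hashing the stored
// DER (not a re-encoding) means a swapped or edited file cannot match.
func loadPubkey(pemBytes []byte, wantFingerprint string) (ed25519.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PEM PUBLIC KEY block")
	}
	sum := sha256.Sum256(block.Bytes)
	if got := hex.EncodeToString(sum[:]); got != wantFingerprint {
		return nil, fmt.Errorf("pubkey fingerprint mismatch: got %s", got)
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("expected an Ed25519 public key (assumption of this example)")
	}
	return pub, nil
}

// verifyArtifact checks the downloaded artifact bytes against its detached .sig.
func verifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, artifact, sig)
}

// demo runs the whole flow with a throwaway keypair standing in for the
// maintainer's offline signing key. It reports whether the genuine artifact
// verifies and whether a tampered copy (one byte appended) still verifies.
func demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pemBytes, err := pubkeyPEM(pub)
	if err != nil {
		return false, false, err
	}
	fp, err := spkiFingerprint(pub) // what the releases page would publish
	if err != nil {
		return false, false, err
	}
	loaded, err := loadPubkey(pemBytes, fp)
	if err != nil {
		return false, false, err
	}
	artifact := []byte("constructed stand-in for a zddc-server release artifact")
	sig := ed25519.Sign(priv, artifact) // stands in for <artifact>.sig
	genuineOK = verifyArtifact(loaded, artifact, sig)
	tampered := append(append([]byte(nil), artifact...), '!')
	tamperedOK = verifyArtifact(loaded, tampered, sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", g, t)
}
```

The manual equivalent with the tools the releases page names, under the same Ed25519 assumption, is `openssl pkey -pubin -in pubkey.pem -outform DER | openssl dgst -sha256` for the fingerprint and `openssl pkeyutl -verify -pubin -inkey pubkey.pem -rawin -in <artifact> -sigfile <artifact>.sig` for the signature; compare the fingerprint against the published value before trusting any verify result.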
A non-technical entry point for federal evaluators answering "can this
go in our environment, and what would need to be added during ATO?" —
the question that today only has an answer buried in the engineering
README.
Six sections, written for the procurement / decision-maker audience
with engineers as the secondary reader:
1. Hero: ZDDC is designed to be deployed in regulated environments.
2. What's already in place — hardened TLS posture, pluggable OPA
policy engine, federal-mode strict-least-privilege Rego, audit
logging, vulnerability-disclosure policy, documented access-
control model with a 5-minute verify-it recipe.
3. Supported deployment shape — diagram showing zddc-server on
loopback behind a TLS-terminating proxy on a RHEL/UBI base.
4. What you'd add for full ATO — table of five integration items
(FIPS-validated crypto, authenticated proxy↔server channel, RBAC,
policy export, code-signed tool fetches) with plain-language
summaries.
5. The two-track build plan — explains why the standard binary
stays pure-Go and a parallel zddc-server-fips build is the right
answer for federal customers.
6. Engineering reference — links into the in-repo gap analysis,
ARCHITECTURE.md security section, and access-control reference
for implementors.
Linked from index.html in two places: a new feature bullet on the
zddc-server (optional) section pointing at the page, and a "For
federal evaluators" entry in the Learn-more list at the bottom.
No engineering content here — federal.html is the procurement entry
point. The deeper detail (NIST control numbers, library choices,
effort estimates) lives in zddc/README.md § Federal-readiness gap
analysis where engineers will look for it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- New zddc-server feature bullet for OPA-compatible policy decider:
ZDDC_OPA_URL flips to external Rego with the same .zddc files as input
- Access-control bullet now links to the cascade reference (worked
examples for paired open/closed + third-party-vendor layouts)
- Access-logging bullet covers stdout-as-canonical and the file-tee
fallback so orchestrator-pipeline deployments aren't surprised
- New Learn-more link to the access-control reference (cascade rules,
anti-patterns, five-minute verify recipe, federal-readiness gap
analysis with NIST control refs)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Switching to identity-level avatars (VARASYS org + personal) instead
of per-repo, so the per-repo file isn't needed. Also drops the
matching rsync exclude.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

avatar.png is the Forgejo repo avatar (290x290), not site content.
Adding it to the deploy rsync excludes so it doesn't surface at
https://zddc.varasys.io/avatar.png.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- index.html: stable channel chip referenced --color-primary, which
is undefined; falling back to the browser-default visited-link color
rendered it purple. Switch to the actually-defined --color-accent.
- css/style.css: lift dark-mode pill backgrounds (--color-accent-soft,
--color-Tracking, --color-Title) so pills have a visible edge against
the near-black page bg (~1.5:1 → ~2.2:1 adjacency contrast). Accent
text on the lighter pills stays at 3.6:1, fine for short labels.
- css/style.css: brand-logo's navy <rect> blends into the page bg in
dark mode; override its fill to a lighter steel-blue so the rounded
square stays visible.
Light mode is untouched.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Captures the rsync-on-push contract (excludes, delete-after) and the
two non-obvious editing constraints (layout.js selector list, inline
<style> convention). CLAUDE.md is now a one-line pointer to README so
/init has something to find.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Runner now runs in a quadlet container on caddy-net, so 127.0.0.1
is the runner's own loopback. Reach the Caddy container by name
('caddy') with --connect-to keeping SNI/Host as the public hostname
so the right vhost matches.

First Forgejo Actions workflow. Runs on the local runner (host
mode), rsyncs the checked-out tree to /srv/zddc/ on the deploy
host, excluding /releases/ which the ZDDC source repo owns.
Seeded from the website branch's working tree as of zddc@76e1e78.
Release artifacts (HTML tool builds + zddc-server binaries) live on
the deploy host under /srv/zddc/releases/; they are reproducible
from <tool>-vX.Y.Z tags on https://codeberg.org/VARASYS/ZDDC.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>