Canonical-channel public key. zddc.varasys.io/releases/<artifact>.sig
files are signed with the matching private key (kept locally on the
maintainer's machine, never in CI).
Operators self-hosting zddc-server who use the canonical channels
(`apps: archive: stable` etc.) download this file and pass the local
path via ZDDC_APPS_PUBKEY. Operators with their own signing
infrastructure publish their own pubkey and configure that path
instead.
The releases-page index includes a "Verify your downloads" section
with the SHA-256 fingerprint and a curl + openssl pkeyutl -verify
example for manual verification. zddc-server's apps fetcher does the
same verification automatically when ZDDC_APPS_PUBKEY is configured.
Fingerprint (SHA-256 of DER-encoded SubjectPublicKeyInfo):
7766dc8cf963f32156ddcc96825c52ba0333ffe4c243ad54f9eaf26195b065ab
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A non-technical entry point for federal evaluators answering "can this
go in our environment, and what would need to be added during ATO?" —
the question that today only has an answer buried in the engineering
README.
Six sections, written for the procurement / decision-maker audience
with engineers as the secondary reader:
1. Hero: ZDDC is designed to be deployed in regulated environments.
2. What's already in place — hardened TLS posture, pluggable OPA
policy engine, federal-mode strict-least-privilege Rego, audit
logging, vulnerability-disclosure policy, documented access-
control model with a 5-minute verify-it recipe.
3. Supported deployment shape — diagram showing zddc-server on
loopback behind a TLS-terminating proxy on a RHEL/UBI base.
4. What you'd add for full ATO — table of five integration items
(FIPS-validated crypto, authenticated proxy↔server channel, RBAC,
policy export, code-signed tool fetches) with plain-language
summaries.
5. The two-track build plan — explains why the standard binary
stays pure-Go and a parallel zddc-server-fips build is the right
answer for federal customers.
6. Engineering reference — links into the in-repo gap analysis,
ARCHITECTURE.md security section, and access-control reference
for implementors.
Linked from index.html in two places: a new feature bullet on the
zddc-server (optional) section pointing at the page, and a "For
federal evaluators" entry in the Learn-more list at the bottom.
No engineering content here — federal.html is the procurement entry
point. The deeper detail (NIST control numbers, library choices,
effort estimates) lives in zddc/README.md § Federal-readiness gap
analysis where engineers will look for it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- New zddc-server feature bullet for OPA-compatible policy decider:
ZDDC_OPA_URL flips to external Rego with the same .zddc files as input
- Access-control bullet now links to the cascade reference (worked
examples for paired open/closed + third-party-vendor layouts)
- Access-logging bullet covers stdout-as-canonical and the file-tee
fallback so orchestrator-pipeline deployments aren't surprised
- New Learn-more link to the access-control reference (cascade rules,
anti-patterns, five-minute verify recipe, federal-readiness gap
analysis with NIST control refs)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switching to identity-level avatars (VARASYS org + personal) instead
of per-repo, so the per-repo file isn't needed. Also drops the
matching rsync exclude.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
avatar.png is the Forgejo repo avatar (290x290), not site content.
Adding it to the deploy rsync excludes so it doesn't surface at
https://zddc.varasys.io/avatar.png.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- index.html: stable channel chip referenced --color-primary, which
is undefined; falling back to the browser-default visited-link color
rendered it purple. Switch to the actually-defined --color-accent.
- css/style.css: lift dark-mode pill backgrounds (--color-accent-soft,
--color-Tracking, --color-Title) so pills have a visible edge against
the near-black page bg (~1.5:1 → ~2.2:1 adjacency contrast). Accent
text on the lighter pills stays at 3.6:1, fine for short labels.
- css/style.css: brand-logo's navy <rect> blends into the page bg in
dark mode; override its fill to a lighter steel-blue so the rounded
square stays visible.
Light mode is untouched.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Captures the rsync-on-push contract (excludes, delete-after) and the
two non-obvious editing constraints (layout.js selector list, inline
<style> convention). CLAUDE.md is now a one-line pointer to README so
/init has something to find.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Runner now runs in a quadlet container on caddy-net, so 127.0.0.1
is the runner's own loopback. Reach the Caddy container by name
('caddy') with --connect-to keeping SNI/Host as the public hostname
so the right vhost matches.
First Forgejo Actions workflow. Runs on the local runner (host
mode), rsyncs the checked-out tree to /srv/zddc/ on the deploy
host, excluding /releases/ which the ZDDC source repo owns.
Seeded from the website branch's working tree as of zddc@76e1e78.
Release artifacts (HTML tool builds + zddc-server binaries) live on
the deploy host under /srv/zddc/releases/; they are reproducible
from <tool>-vX.Y.Z tags on https://codeberg.org/VARASYS/ZDDC.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
