VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
100 commits 1 branch 7 tags 193 MiB
JavaScript 42.5%
Go 29.2%
HTML 19%
CSS 4.5%
Shell 4.3%
Other 0.4%
Find a file
ZDDC 5c33c8a821 docs: ACL/security overhaul (cascade rules, OPA, caching) 
Three docs aligned with the preceding three feature commits.

zddc/README.md
--------------
Major overhaul of the access-control narrative. The previous "three-
tier" example table was misleading: it claimed a project-level
allow-list "restricts" access under a parent wildcard, when actually
the cascade is additive (a non-team employee falls up to root and
matches *@company.com). Operators reading the old docs would build
deployments that looked locked-down but leaked across the company.

New sections under "Access control: the .zddc cascade":
  * Step 1: starter .zddc — leads with the public-by-default warning
    and the --insecure escape hatch
  * How a request is evaluated — bottom-up walk with code citations
  * Glob patterns — @-boundary rule
  * When the cascade helps and when it fights you — the asymmetry
    between adding strangers (easy) and excluding insiders (hard)
  * Pick your layout — decision matrix for common shapes
  * Worked example: paired open/closed projects + third-party archive
    — full layout with trace table for two representative users
  * Patterns that look secure but aren't — anti-patterns including
    same-level allow+deny shadow, leaf-allow-doesn't-restrict,
    apps:-as-UI-mount
  * Trust model and invariants — auth boundary, subtree authority,
    root-only escalation gate
  * Trust boundary — network isolation requirement, anonymous
    information disclosure on /, audit-log integrity
  * Debugging permissions — manual cascade trace
  * Directory visibility / Reserved hidden segments
  * How to verify in 5 minutes — recipe with negative anti-pattern test
  * Federal-readiness gap analysis — bulleted with NIST control refs
  * External policy decider — OPA wire format, deployment shapes,
    failure modes
  * OPA decision cache — TTL semantics, knobs
  * Reference Rego policy — --print-rego, parity test rationale
  * Caching and ETags — content-hash story, why not server-side
  * Future work

Plus env-var table updates for ZDDC_INSECURE, ZDDC_OPA_URL,
ZDDC_OPA_FAIL_OPEN, ZDDC_OPA_CACHE_TTL; CORS narrative reflects
default-empty.

ARCHITECTURE.md
---------------
New "Server security model" section between Form Renderer and CSS:
cooperating layers (auth / policy decider / cascade / tool-rooted
view / reserved prefixes / audit log), commercial-vs-federal trust
model side-by-side, why the tool-rooted view matters for third-party
containment.

AGENTS.md
---------
Two new env-var rows (ZDDC_OPA_URL, ZDDC_OPA_CACHE_TTL); ACL line
sharpened with cascade rules + cross-reference; ZDDC_CORS_ORIGIN
description updated for default-empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 17:46:57 -05:00
.forgejo fix(ci): chart-bump script writes full 40-char SHA to appVersion 2026-05-04 08:01:34 -05:00
archive perf(tools): vendor jszip + docx-preview for archive/transmittal/classifier 2026-05-04 07:49:17 -05:00
browse chore(headers): standardize across all 7 tools 2026-05-04 07:49:17 -05:00
classifier perf(tools): vendor jszip + docx-preview for archive/transmittal/classifier 2026-05-04 07:49:17 -05:00
form chore(headers): standardize across all 7 tools 2026-05-04 07:49:17 -05:00
helm feat(server): refuse to start without root .zddc; default CORS to empty 2026-05-04 17:40:34 -05:00
landing chore(headers): standardize across all 7 tools 2026-05-04 07:49:17 -05:00
mdedit chore: untrack mdedit/dist/mdedit.html — every other dist/ is gitignored 2026-05-04 07:49:17 -05:00
pandoc Initial commit 2026-04-27 11:05:47 -05:00
shared perf(tools): vendor jszip + docx-preview for archive/transmittal/classifier 2026-05-04 07:49:17 -05:00
tests feat: form-data system v0 (sixth tool + zddc-server endpoints) 2026-05-02 20:12:16 -05:00
transmittal perf(tools): vendor jszip + docx-preview for archive/transmittal/classifier 2026-05-04 07:49:17 -05:00
zddc docs: ACL/security overhaul (cascade rules, OPA, caching) 2026-05-04 17:46:57 -05:00
.gitignore refactor: separate website repo + deploy-host model 2026-05-02 09:14:40 -05:00
AGENTS.md docs: ACL/security overhaul (cascade rules, OPA, caching) 2026-05-04 17:46:57 -05:00
ARCHITECTURE.md docs: ACL/security overhaul (cascade rules, OPA, caching) 2026-05-04 17:46:57 -05:00
build chore: untrack mdedit/dist/mdedit.html — every other dist/ is gitignored 2026-05-04 07:49:17 -05:00
CLAUDE.md fix(build): commit embedded artifacts before tagging; alpha never bakes in 2026-05-03 16:44:39 -05:00
deploy refactor: separate website repo + deploy-host model 2026-05-02 09:14:40 -05:00
dev-server Initial commit 2026-04-27 11:05:47 -05:00
freshen-channel refactor: separate website repo + deploy-host model 2026-05-02 09:14:40 -05:00
LICENSE.txt Initial commit 2026-04-27 11:05:47 -05:00
package.json Initial commit 2026-04-27 11:05:47 -05:00
playwright.config.js feat: form-data system v0 (sixth tool + zddc-server endpoints) 2026-05-02 20:12:16 -05:00
README.md refactor: separate website repo + deploy-host model 2026-05-02 09:14:40 -05:00

README.md

Zero Day Document Control (ZDDC)

The Universal Distributed Filing Cabinet

ZDDC is an information management convention plus a small set of single-file HTML tools. Every deliverable's filename encodes its tracking number, revision, status, and title; every transmittal folder is date-prefixed and self-describing. A plain shared folder becomes a fully searchable, auditable archive — no server, no database, no software required to read it.

The name "Zero Day Document Control" comes from the convention itself — adopt it on day zero of a project, with no setup time. The tools are optional interfaces around the structure; the structure works without them.

For end users: https://zddc.varasys.io/ introduces the project, links to all tool channels (stable / beta / alpha), and prints copy-paste shell snippets to install on a self-hosted deployment.

Tools

Tool What it does
Archive Browser Browse, search, and filter a project archive folder. Group by transmittal, export selections as ZIP.
Transmittal Creator Self-contained HTML transmittal records with SHA-256 checksums and optional digital signatures.
Document Classifier Spreadsheet-like bulk-renamer that copy/pastes with Excel and writes back to disk.
Markdown Editor Browser-based markdown editor with YAML front matter, TOC, and direct local file access.

Each tool is published in three channels (stable, beta, alpha) as static files served from https://zddc.varasys.io/releases/. Local use: download a .html file from releases/ and open it in a browser. Server use: run zddc-server — the current-stable build of every tool is baked into the binary at compile time, so a fresh deployment Just Works with zero config. Tools auto-appear at folder-name-driven paths (archive everywhere; classifier in Incoming/Working/Staging; mdedit in Working; transmittal in Staging). Override per-directory by writing an apps: entry in any .zddc file (channel/version/URL/path). URL overrides are fetched once and cached in <ZDDC_ROOT>/_app/; drop a real .html file at any path to override entirely.

File-naming convention

The full specification — filename format, tracking numbers, revision rules, status codes, folder naming, and the transmittal workflow — lives at https://zddc.varasys.io/reference.html.

Quick example: 123456-EL-SPC-2623_A (IFR) - Specification For Switchgear.pdf

Build & develop

git clone https://codeberg.org/VARASYS/ZDDC.git && cd ZDDC

sh build.sh                              # build all tools (writes to dist/ only)
sh archive/build.sh                      # build one tool

sh archive/build.sh --release            # cut stable; auto-bumps patch from last tag
sh archive/build.sh --release 0.1.0      # explicit version
sh archive/build.sh --release alpha      # cut alpha (mutable channel, no tag)
sh archive/build.sh --release beta       # cut beta

npm install && npx playwright install chromium && npm test    # tests
./dev-server start                       # cache-busting HTTP on :8000

Authoritative build/release docs are in AGENTS.md. Architecture notes (single-file rationale, JS module pattern, security model) are in ARCHITECTURE.md. zddc-server (optional Go HTTP server with ACL and a virtual archive index) is in zddc/README.md. Example Helm charts for deploying zddc-server (production + dev) are under helm/.

Contributing

ZDDC is an open source project hosted on Codeberg at https://codeberg.org/VARASYS/ZDDC. Bug reports, feature requests, and pull requests welcome.

ZDDC is designed for zero configuration to start and minimal configuration overall — feature proposals are filtered through that lens.

License

GNU Affero General Public License v3.0. Free to use, modify, and distribute, including commercially, under the terms of the license. Provided "as is" without warranty.