Skip to content

Commit 8468e03

Browse files
committed
docs(security): clarify peer identity boundaries
1 parent 4f3f1db commit 8468e03

4 files changed

Lines changed: 20 additions & 2 deletions

File tree

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ All notable changes to StreamHive are documented here. This project follows [Sem
88

99
- **`p2p`**: `PeerSnapshots` exposes connected peer metadata for operational tooling.
1010
- **Docs**: protocol reference for SHV1 frames, replication messages, limits, and repair behavior.
11+
- **Docs**: TLS/mTLS peer identity guidance and remaining application-level auth gaps.
1112

1213
### Changed
1314

SECURITY.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,23 @@ If you believe you have found a security vulnerability, please open a **private*
88

99
This project is experimental research code. It is not hardened for hostile networks; treat deployments accordingly.
1010

11+
## Transport Security And Identity
12+
13+
StreamHive can wrap peer connections in TLS:
14+
15+
- `-tls-cert` and `-tls-key` enable TLS on the listener.
16+
- `-tls-ca` and `-tls-server-name` enable outbound certificate verification.
17+
- `-tls-insecure-skip-verify` is for local development only.
18+
19+
Library users can configure `p2p.TCPTransport.TLSServerConfig` and
20+
`p2p.TCPTransport.TLSClientConfig` directly. Use `tls.Config.ClientAuth`,
21+
`ClientCAs`, and client certificates when you need mTLS.
22+
23+
TLS protects the TCP channel and, when configured with CA verification, authenticates the
24+
certificate presented by the peer. StreamHive does not yet have application-level peer
25+
identity, authorization, ACLs, or signed replication messages. Do not expose the P2P
26+
port to untrusted networks without a deployment-level trust boundary.
27+
1128
## Dependency scanning
1229

1330
CI runs `govulncheck ./...` on each push and pull request to `main`.

docs/ARCHITECTURE.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -112,7 +112,7 @@ stateDiagram-v2
112112

113113
- **Dial** respects context cancellation and optional `DialTimeout`.
114114
- **Max peers** rejects new inbound connections when the cap is reached (`PeersRejected` metric).
115-
- **TLS** failures surface from `HandshakeContext` on outbound dials. **mTLS** is supported by configuring `tls.Config` yourself (`ClientAuth`, `ClientCAs` on `TLSServerConfig`; client certs on `TLSClientConfig`). There is no application-level identity beyond TLS yet.
115+
- **TLS** failures surface from `HandshakeContext` on outbound dials. **mTLS** is supported by configuring `tls.Config` yourself (`ClientAuth`, `ClientCAs` on `TLSServerConfig`; client certs on `TLSClientConfig`). TLS can authenticate certificates, but StreamHive still has no application-level peer identity, authorization, ACLs, or signed replication messages.
116116
- **Replication decode/apply** rejects unknown message types, empty keys, oversized keys, and oversized payloads before writing to storage.
117117

118118
## Replication v0.3 scope

docs/DEPLOYMENT.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ docker run --rm -p 7070:7070 -p 8080:8080 streamhive:local \
1414
- **7070** — P2P TCP listener (example).
1515
- **8080** — HTTP `/livez`, `/readyz`, `/peers` (JSON peer metadata), `/metrics` (JSON counters), `/metrics/prometheus` (Prometheus text).
1616

17-
Use TLS flags (`-tls-cert`, `-tls-key`, `-tls-ca`, ) when exposing services beyond a lab network.
17+
Use TLS flags (`-tls-cert`, `-tls-key`, `-tls-ca`, `-tls-server-name`) when exposing services beyond a lab network. Reserve `-tls-insecure-skip-verify` for local development. For mTLS or custom trust policy, configure `p2p.TCPTransport.TLSServerConfig` and `TLSClientConfig` in library code. StreamHive does not yet provide application-level peer identity or authorization; keep the P2P port behind a trusted network boundary.
1818

1919
## Docker Compose demo
2020

0 commit comments

Comments
 (0)