mirrors/archon
1
0
Fork 0
mirror of https://github.com/coleam00/Archon.git synced 2025-12-24 02:39:17 -05:00
Code Issues Packages Projects Releases Wiki Activity

Security: Remove Docker socket mounting to eliminate CVE-2025-9074 risk

Browse Source 
- Replace Docker socket-based MCP status monitoring with HTTP health checks
- Remove Docker socket volume mount from docker-compose.yml (CVE-2025-9074 - CVSS 9.3)
- Add MCPMonitoringConfig for secure-by-default HTTP mode
- Make docker dependency optional in pyproject.toml
- Add ENABLE_DOCKER_SOCKET_MONITORING env var for backward compatibility
- Implement get_container_status_http() using httpx for health checks
- Add comprehensive test suite (13 tests, 100% passing)
- Update .env.example with security documentation

Security Benefits:
- Eliminates root-equivalent host access vulnerability
- Prevents container escape attacks
- Portable across Docker, Kubernetes, and bare metal
- Defaults to secure mode, legacy Docker mode optional

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
leex279
2025-11-02 23:22:34 +01:00
parent 844cdb3551
commit 23302577a3
7 changed files with 548 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
python/uv.lock generated
View File

@@ -188,7 +188,6 @@ all = [
{ name = "asyncpg" },
{ name = "crawl4ai" },
{ name = "cryptography" },
{ name = "docker" },
{ name = "factory-boy" },
{ name = "fastapi" },
{ name = "httpx" },
@@ -213,6 +212,7 @@ all = [
{ name = "sse-starlette" },
{ name = "structlog" },
{ name = "supabase" },
{ name = "tldextract" },
{ name = "uvicorn" },
{ name = "watchfiles" },
]
@@ -240,7 +240,6 @@ server = [
{ name = "asyncpg" },
{ name = "crawl4ai" },
{ name = "cryptography" },
{ name = "docker" },
{ name = "fastapi" },
{ name = "httpx" },
{ name = "logfire" },
@@ -295,7 +294,6 @@ all = [
{ name = "asyncpg", specifier = ">=0.29.0" },
{ name = "crawl4ai", specifier = "==0.7.4" },
{ name = "cryptography", specifier = ">=41.0.0" },
{ name = "docker", specifier = ">=6.1.0" },
{ name = "factory-boy", specifier = ">=3.3.0" },
{ name = "fastapi", specifier = ">=0.104.0" },
{ name = "httpx", specifier = ">=0.24.0" },
@@ -320,6 +318,7 @@ all = [
{ name = "sse-starlette", specifier = ">=2.3.3" },
{ name = "structlog", specifier = ">=23.1.0" },
{ name = "supabase", specifier = "==2.15.1" },
{ name = "tldextract", specifier = ">=5.0.0" },
{ name = "uvicorn", specifier = ">=0.24.0" },
{ name = "watchfiles", specifier = ">=0.18" },
]
@@ -347,7 +346,6 @@ server = [
{ name = "asyncpg", specifier = ">=0.29.0" },
{ name = "crawl4ai", specifier = "==0.7.4" },
{ name = "cryptography", specifier = ">=41.0.0" },
{ name = "docker", specifier = ">=6.1.0" },
{ name = "fastapi", specifier = ">=0.104.0" },
{ name = "httpx", specifier = ">=0.24.0" },
{ name = "logfire", specifier = ">=0.30.0" },
@@ -819,20 +817,6 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/12/b3/231ffd4ab1fc9d679809f356cebee130ac7daa00d6d6f3206dd4fd137e9e/distro-1.9.0-py3-none-any.whl", hash = "sha256:7bffd925d65168f85027d8da9af6bddab658135b840670a223589bc0c8ef02b2", size = 20277 },
]
[[package]]
name = "docker"
version = "7.1.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "pywin32", marker = "sys_platform == 'win32'" },
{ name = "requests" },
{ name = "urllib3" },
]
sdist = { url = "https://files.pythonhosted.org/packages/91/9b/4a2ea29aeba62471211598dac5d96825bb49348fa07e906ea930394a83ce/docker-7.1.0.tar.gz", hash = "sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c", size = 117834 }
wheels = [
{ url = "https://files.pythonhosted.org/packages/e3/26/57c6fb270950d476074c087527a558ccb6f4436657314bfb6cdf484114c4/docker-7.1.0-py3-none-any.whl", hash = "sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0", size = 147774 },
]
[[package]]
name = "ecdsa"
version = "0.19.1"
@@ -2263,10 +2247,6 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/1e/29/b53a9ca6cd366bfc928823679c6a76c7a4c69f8201c0ba7903ad18ebae2f/pydantic_core-2.41.4-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5729225de81fb65b70fdb1907fcf08c75d498f4a6f15af005aabb1fdadc19dfa", size = 2041183 },
{ url = "https://files.pythonhosted.org/packages/c7/3d/f8c1a371ceebcaf94d6dd2d77c6cf4b1c078e13a5837aee83f760b4f7cfd/pydantic_core-2.41.4-cp314-cp314t-win_amd64.whl", hash = "sha256:de2cfbb09e88f0f795fd90cf955858fc2c691df65b1f21f0aa00b99f3fbc661d", size = 1993542 },
{ url = "https://files.pythonhosted.org/packages/8a/ac/9fc61b4f9d079482a290afe8d206b8f490e9fd32d4fc03ed4fc698214e01/pydantic_core-2.41.4-cp314-cp314t-win_arm64.whl", hash = "sha256:d34f950ae05a83e0ede899c595f312ca976023ea1db100cd5aa188f7005e3ab0", size = 1973897 },
{ url = "https://files.pythonhosted.org/packages/c4/48/ae937e5a831b7c0dc646b2ef788c27cd003894882415300ed21927c21efa/pydantic_core-2.41.4-graalpy312-graalpy250_312_native-macosx_10_12_x86_64.whl", hash = "sha256:4f5d640aeebb438517150fdeec097739614421900e4a08db4a3ef38898798537", size = 2112087 },
{ url = "https://files.pythonhosted.org/packages/5e/db/6db8073e3d32dae017da7e0d16a9ecb897d0a4d92e00634916e486097961/pydantic_core-2.41.4-graalpy312-graalpy250_312_native-macosx_11_0_arm64.whl", hash = "sha256:4a9ab037b71927babc6d9e7fc01aea9e66dc2a4a34dff06ef0724a4049629f94", size = 1920387 },
{ url = "https://files.pythonhosted.org/packages/0d/c1/dd3542d072fcc336030d66834872f0328727e3b8de289c662faa04aa270e/pydantic_core-2.41.4-graalpy312-graalpy250_312_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e4dab9484ec605c3016df9ad4fd4f9a390bc5d816a3b10c6550f8424bb80b18c", size = 1951495 },
{ url = "https://files.pythonhosted.org/packages/2b/c6/db8d13a1f8ab3f1eb08c88bd00fd62d44311e3456d1e85c0e59e0a0376e7/pydantic_core-2.41.4-graalpy312-graalpy250_312_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bd8a5028425820731d8c6c098ab642d7b8b999758e24acae03ed38a66eca8335", size = 2139008 },
]
[[package]]