Readme & Docs Revamp #423
- Add ALCHEMY_API_KEY to prerequisites and deploy command
- Add KMS_CONTRACT_ADDRESS export after deployment (critical fix)
- Clarify KMS_CONTRACT_ADDR vs KMS_CONTRACT_ADDRESS usage
- Add sample outputs for all commands
- Add compose hash computation instructions
- Add cross-references to related docs
- Writing guide: add procedural documentation section

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

Add auth-simple as a production-ready alternative to auth-eth for operators who prefer config-file-based whitelisting over on-chain governance.

New components:
- kms/auth-simple/: Hono-based webhook server with Zod validation
- kms/dstack-app/compose-simple.yaml: KMS compose for external auth
- kms/dstack-app/deploy-simple.sh: Deploy script for auth-simple mode

Auth server ecosystem:
- auth-simple: Config-file whitelisting (production, centralized)
- auth-eth: Smart contract governance (production, decentralized)
- auth-mock: Always allows (dev/testing only)

Documentation:
- docs/deployment.md: Simplified auth-simple config for initial deploy
- docs/auth-simple-operations.md: Day-to-day operations guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

The http-client-unix-domain-socket library requires a Host header for HTTP/1.1 requests over Unix sockets. Without it, requests return 400 Bad Request.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

SDK Documentation:
- Rewrite all SDK READMEs (Python, JS, Rust, Go) for concise style
- Add HTTP API reference section to sdk/README.md
- Fix curl API docs (invalid JSON, mark Sign/Verify as unreleased)
- Test all SDK code snippets against live dstack.sock

Main README:
- Add chat.redpill.ai as "Try it now" entry point
- Add HTTP API link in SDKs section

Security Documentation:
- Split security.md into security-model.md and security-best-practices.md
- Update AI docs (inference, agents, training) for TEE-agnostic language

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

Consolidate inference, training, and agents docs into a single confidential-ai.md guide. Covers the four protection layers (TLS in CVM, CPU memory, GPU memory, disk encryption), includes mermaid diagrams, and links to working examples. Also update WRITING_GUIDE.md with generic documentation principles.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

- Use Cases: point to single confidential-ai.md instead of separate inference.md, agents.md, training.md
- Fix security.md → security-model.md (file was renamed)
- Add security-best-practices.md to Reference section
- Delete old docs: inference.md, agents.md, training.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>

Add .agent/GPU_TEE_DEPLOYMENT.md with learnings from deploying GPU workloads to Phala Cloud:
- Instance types (tdx.* for CPU, h200.* for GPU)
- Docker Compose GPU configuration
- vLLM and vllm-proxy setup
- Debugging commands and common issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>
| info!("fetching known public keys from {}", acme_info_url); | ||
|
|
||
| let client = reqwest::Client::builder() | ||
| .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification |
Check failure
Code scanning / CodeQL
Disabled TLS certificate check High
Copilot Autofix
AI about 9 hours ago
In general, the fix is to stop disabling TLS certificate validation. Instead of passing true to danger_accept_invalid_certs, we should either omit the call entirely (letting the default secure behavior stand) or pass false explicitly. This preserves existing functionality except for enforcing proper TLS validation, which is the intended secure behavior. If RA-TLS or custom certificate pinning is needed, it should be layered on top of the standard checks, not by disabling them.
For this specific code in ct_monitor/src/main.rs, the simplest and safest change is to remove the .danger_accept_invalid_certs(true) call from the client builder in refresh_known_keys. reqwest::Client::builder() uses secure defaults, including full certificate and hostname verification via the underlying TLS stack, so no additional configuration is required to restore security. This is a minimal code change, does not affect any other logic in refresh_known_keys, and matches the “GOOD” example provided in the background. The comment // TODO: Use RA-TLS verification can either be removed or left in place; if left, it should sit above the builder chain rather than attached to a now-nonexistent method call.
Concretely:
- In `ct_monitor/src/main.rs`, in `impl Monitor { async fn refresh_known_keys(...)`, update the `let client = reqwest::Client::builder()` expression to remove the `.danger_accept_invalid_certs(true)` line.
- No new imports or helper methods are needed; `reqwest` is already in use and its secure defaults suffice.
| @@ -56,8 +56,8 @@ | ||
| let acme_info_url = format!("{}/acme-info", self.gateway_uri.trim_end_matches('/')); | ||
| info!("fetching known public keys from {}", acme_info_url); | ||
|
|
||
| // TODO: Use RA-TLS verification | ||
| let client = reqwest::Client::builder() | ||
| .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification | ||
| .build() | ||
| .context("failed to build http client")?; | ||
|
|
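Review bot: On the `.danger_accept_invalid_certs(true)` line, the client that requests `/acme-info` skips certificate checks, so whatever answers at `gateway_uri` decides which keys are logged as "known public keys"; the hunk as rendered still shows that call beside the relocated TODO, so confirm the applied change really drops it. If the gateway certificate cannot be validated against the default roots, resolve the TODO with explicit RA-TLS verification or a pinned root in the same change rather than accepting any certificate, and give the TODO a tracking reference so it is not left open-ended.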
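A regression guard for the pattern CodeQL flagged above, as an added example that is not part of the PR or the dstack code base: a std-only source scan that reports `reqwest` builder calls which switch TLS validation off. The names `scan`, `Finding`, `Verdict` and `SAMPLE` are hypothetical, the sample source is constructed, and `danger_accept_invalid_hostnames` is a second `reqwest` builder method that does not appear on this page.

```rust
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Disabled,    // literal `true`: validation is switched off
    NeedsReview, // non-literal argument: value is decided at run time
}

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize,
    pub method: &'static str,
    pub verdict: Verdict,
}

// Both are reqwest::ClientBuilder methods; only the first appears on this page.
const METHODS: [&str; 2] = ["danger_accept_invalid_certs", "danger_accept_invalid_hostnames"];

/// Scan Rust source text and report calls that weaken TLS validation.
pub fn scan(source: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in source.lines().enumerate() {
        // Drop line comments (simplification: a `//` inside a string literal is cut too).
        let code = raw.split("//").next().unwrap_or("");
        for method in METHODS.iter().copied() {
            let pos = match code.find(method) { Some(p) => p, None => continue };
            let rest = code[pos + method.len()..].trim_start();
            let args = match rest.strip_prefix('(') { Some(a) => a, None => continue };
            let verdict = match args.split(')').next().unwrap_or("").trim() {
                "false" => continue, // explicit secure setting, nothing to report
                "true" => Verdict::Disabled,
                _ => Verdict::NeedsReview,
            };
            findings.push(Finding { line: idx + 1, method, verdict });
        }
    }
    findings
}

// Constructed sample: the first builder mirrors the flagged line quoted above.
pub const SAMPLE: &str = r#"let a = reqwest::Client::builder()
    .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification
    .build()?;
let b = reqwest::Client::builder()
    // .danger_accept_invalid_certs(true)
    .danger_accept_invalid_certs(false)
    .danger_accept_invalid_hostnames(cfg.insecure)
    .build()?;
"#;

fn main() { for f in scan(SAMPLE) { println!("{:?}", f); } }
```
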
This PR revamps the readme and docs in dstack repo with the following goals: