Skip to content

Document package advisory and external-network behavior before alpha release #14

Description

@Joncallim

Goal

Make DockerMap's package advisory, registry, and other external-network behavior explicit before the private-alpha release.

Plain-English Context

A server owner should know whether DockerMap ever talks to package registries, security advisory services, or outside APIs. This issue makes the project spell out what happens by default so reviewers can tell whether DockerMap stays local-only, needs opt-in network access, or has any release-blocking behavior to fix.

Roadmap Source

  • docs/planning/ROADMAP.md -> Now: Private Alpha Hardening -> Document package and advisory network behavior.
  • docs/release/RELEASE_CHECKLIST.md -> Execute After Next Commit -> decide and document package advisory, registry, or other external-network behavior.

Recommended Agent

Primary: docs-operator

Handoff note: if inspection finds code that performs registry, advisory, or external API calls by default, stop and hand off to runtime-provider or security-readonly for a code fix before documenting release readiness.

Scope

Target areas:

  • docs/deployment/DEPLOYMENT.md
  • docs/deployment/REVERSE_PROXY.md if network exposure or proxy behavior matters
  • docs/security/THREAT_MODEL.md
  • docs/testing/TESTING_PLAN.md
  • docs/release/RELEASE_CHECKLIST.md
  • release notes location if one already exists
  • provider code inspection only to verify the documented claim

Direction

  1. Inspect current npm/package, advisory, external API, Tailscale/Headscale, reverse-proxy, and DNS provider behavior.
  2. Identify whether any provider performs network egress by default.
  3. Document the default behavior in operator-facing terms: disabled, local-only, opt-in, or explicitly enabled.
  4. If any lookup is opt-in, document the setting, token handling, and expected network destination without including secrets.
  5. If any lookup is enabled by default and not already accepted by the roadmap/security model, open or note a blocking follow-up instead of presenting it as release-ready.
  6. Keep examples secret-free and avoid inline auth URLs.

Acceptance Criteria

  • Deployment and security docs state whether package registry, advisory, or external API calls are disabled, opt-in, or enabled by default.
  • Release checklist has a clear evidence item for the provider-network behavior note.
  • Testing docs explain how to verify provider-network behavior without relying on external secrets.
  • Any unresolved ambiguity is called out as a release blocker or follow-up, not buried in prose.
  • No docs example contains tokens, credentials, inline auth URLs, or real host-specific secrets.

Validation Commands

Run or record the narrowest useful checks:

  • rg -n "advisory|registry|external|network|Tailscale|Headscale|token|auth" docs crates apps packages
  • npm run test:js only if docs examples or scripts affect tested behavior

State any skipped commands and why.

Closure Evidence

When resolved, post a comment using the repository evidence format:

## Resolution Evidence
- What changed:
- Why this resolves the issue:
- How I checked it:
- Remaining risk or follow-up:

Recommendation: This issue appears resolved and can be closed by a maintainer.

Do not close the issue automatically.

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentation

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions