Goal
Make DockerMap's package advisory, registry, and other external-network behavior explicit before the private-alpha release.
Plain-English Context
A server owner should know whether DockerMap ever talks to package registries, security advisory services, or outside APIs. This issue makes the project spell out what happens by default so reviewers can tell whether DockerMap stays local-only, needs opt-in network access, or has any release-blocking behavior to fix.
Roadmap Source
docs/planning/ROADMAP.md -> Now: Private Alpha Hardening -> Document package and advisory network behavior.
docs/release/RELEASE_CHECKLIST.md -> Execute After Next Commit -> decide and document package advisory, registry, or other external-network behavior.
Recommended Agent
Primary: docs-operator
Handoff note: if inspection finds code that performs registry, advisory, or external API calls by default, stop and hand off to runtime-provider or security-readonly for a code fix before documenting release readiness.
Scope
Target areas:
docs/deployment/DEPLOYMENT.md
docs/deployment/REVERSE_PROXY.md if network exposure or proxy behavior matters
docs/security/THREAT_MODEL.md
docs/testing/TESTING_PLAN.md
docs/release/RELEASE_CHECKLIST.md
- release notes location if one already exists
- provider code inspection only to verify the documented claim
Direction
- Inspect current npm/package, advisory, external API, Tailscale/Headscale, reverse-proxy, and DNS provider behavior.
- Identify whether any provider performs network egress by default.
- Document the default behavior in operator-facing terms: disabled, local-only, opt-in, or explicitly enabled.
- If any lookup is opt-in, document the setting, token handling, and expected network destination without including secrets.
- If any lookup is enabled by default and not already accepted by the roadmap/security model, open or note a blocking follow-up instead of presenting it as release-ready.
- Keep examples secret-free and avoid inline auth URLs.
Acceptance Criteria
- Deployment and security docs state whether package registry, advisory, or external API calls are disabled, opt-in, or enabled by default.
- Release checklist has a clear evidence item for the provider-network behavior note.
- Testing docs explain how to verify provider-network behavior without relying on external secrets.
- Any unresolved ambiguity is called out as a release blocker or follow-up, not buried in prose.
- No docs example contains tokens, credentials, inline auth URLs, or real host-specific secrets.
Validation Commands
Run or record the narrowest useful checks:
rg -n "advisory|registry|external|network|Tailscale|Headscale|token|auth" docs crates apps packages
npm run test:js only if docs examples or scripts affect tested behavior
State any skipped commands and why.
Closure Evidence
When resolved, post a comment using the repository evidence format:
## Resolution Evidence
- What changed:
- Why this resolves the issue:
- How I checked it:
- Remaining risk or follow-up:
Recommendation: This issue appears resolved and can be closed by a maintainer.
Do not close the issue automatically.
Goal
Make DockerMap's package advisory, registry, and other external-network behavior explicit before the private-alpha release.
Plain-English Context
A server owner should know whether DockerMap ever talks to package registries, security advisory services, or outside APIs. This issue makes the project spell out what happens by default so reviewers can tell whether DockerMap stays local-only, needs opt-in network access, or has any release-blocking behavior to fix.
Roadmap Source
docs/planning/ROADMAP.md-> Now: Private Alpha Hardening -> Document package and advisory network behavior.docs/release/RELEASE_CHECKLIST.md-> Execute After Next Commit -> decide and document package advisory, registry, or other external-network behavior.Recommended Agent
Primary:
docs-operatorHandoff note: if inspection finds code that performs registry, advisory, or external API calls by default, stop and hand off to
runtime-providerorsecurity-readonlyfor a code fix before documenting release readiness.Scope
Target areas:
docs/deployment/DEPLOYMENT.mddocs/deployment/REVERSE_PROXY.mdif network exposure or proxy behavior mattersdocs/security/THREAT_MODEL.mddocs/testing/TESTING_PLAN.mddocs/release/RELEASE_CHECKLIST.mdDirection
Acceptance Criteria
Validation Commands
Run or record the narrowest useful checks:
rg -n "advisory|registry|external|network|Tailscale|Headscale|token|auth" docs crates apps packagesnpm run test:jsonly if docs examples or scripts affect tested behaviorState any skipped commands and why.
Closure Evidence
When resolved, post a comment using the repository evidence format:
Do not close the issue automatically.