docs: enumerate RELICARIO_* env vars in SECURITY.md (audit S3)
Adds a "Configuration env vars" section listing every RELICARIO_* variable read by production code, with purpose and trust boundary. Splits user-facing vars from debug-only ones (cfg(debug_assertions)) to make the attack surface explicit for security reviewers. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
adlee-was-taken
@@ -59,3 +59,34 @@ Without device authentication, access control is transport-layer only:
|
||||
|
||||
Device registration was optional before v0.4.0. With device auth enabled,
|
||||
all commits must be signed by a registered device.
|
||||
|
||||
## Configuration env vars
|
||||
|
||||
Relicario reads the following environment variables. Each is a trust
|
||||
boundary: an attacker who can set them in the user's environment can
|
||||
influence Relicario's behavior. They are listed here for security
|
||||
reviewers to audit the surface in one place.
|
||||
|
||||
### User-facing (active in all builds)
|
||||
|
||||
| Variable | Purpose | Trust |
|
||||
|---|---|---|
|
||||
| `RELICARIO_IMAGE` | Override the reference-image JPEG path used during vault unlock. | Trusted: filesystem path under the user's control. Read-only; its bytes feed `imgsecret::extract_secret`. |
|
||||
| `RELICARIO_GITEA_URL` | Gitea API base URL for `relicario device add`. Equivalent to `--gitea-url`. | Trusted: HTTPS URL. Used only in the device-add code path. |
|
||||
| `RELICARIO_GITEA_TOKEN` | Gitea personal-access token. Equivalent to `--gitea-token`. | **Secret**: anyone who can read this env var can manage the user's deploy keys via the Gitea API. The CLI never logs it. |
|
||||
| `RELICARIO_GITEA_OWNER` | Gitea repository owner (e.g. `alee`). Equivalent to `--owner`. | Trusted: opaque string. |
|
||||
| `RELICARIO_GITEA_REPO` | Gitea repository name (e.g. `vault`). Equivalent to `--repo`. | Trusted: opaque string. |
|
||||
|
||||
### Debug-only (compiled out of `cargo build --release`)
|
||||
|
||||
The following variables are gated behind `cfg(debug_assertions)` and
|
||||
are **no-ops** in release builds. The env-var lookup is removed by the
|
||||
optimiser from any binary built without debug assertions (i.e. the
|
||||
standard `--release` profile).
|
||||
|
||||
| Variable | Purpose |
|
||||
|---|---|
|
||||
| `RELICARIO_NO_GROUPS_CACHE` | Suppress the plaintext `groups.cache` write. Developer debugging tool for the cache logic. |
|
||||
| `RELICARIO_TEST_PASSPHRASE` | Bypass the `rpassword` prompt during integration tests. |
|
||||
| `RELICARIO_TEST_ITEM_SECRET` | Bypass the `rpassword` prompt for item-secret fields during integration tests. |
|
||||
| `RELICARIO_TEST_BACKUP_PASSPHRASE` | Bypass the `rpassword` prompt for backup export/restore passphrases during integration tests. |
|
||||
|
||||
Reference in New Issue
Block a user