{"id":35203915,"url":"https://github.com/hyperpolymath/project-wharf","last_synced_at":"2025-12-29T13:04:39.303Z","repository":{"id":326250261,"uuid":"1104662051","full_name":"hyperpolymath/project-wharf","owner":"hyperpolymath","description":"Project Wharf is an approach to Content Management System (CMS) security that separates administration from runtime. Instead of plugins with full system access running on your live site, Wharf uses an offline controller (the Wharf) and a read-only runtime (the Yacht) connected via a Zero Trust mesh network.","archived":false,"fork":false,"pushed_at":"2025-12-25T14:16:22.000Z","size":210,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-26T10:28:15.058Z","etag":null,"topics":["devops-tools","rhodium-standard"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hyperpolymath.png","metadata":{"files":{"readme":"README.adoc","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.adoc","funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.adoc","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":"GOVERNANCE.adoc","roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":"codemeta.json","zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"hyperpolymath"}},"created_at":"2025-11-26T14:11:37.000Z","updated_at":"2025-12-25T14:16:27.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hyperpolymath/project-wharf","commit_stats":null,"previous_names":["hyperpolymath/wharf","hyperpolymath/project-wharf"],"tags_count":0,"tem
plate":false,"template_full_name":null,"purl":"pkg:github/hyperpolymath/project-wharf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hyperpolymath%2Fproject-wharf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hyperpolymath%2Fproject-wharf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hyperpolymath%2Fproject-wharf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hyperpolymath%2Fproject-wharf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hyperpolymath","download_url":"https://codeload.github.com/hyperpolymath/project-wharf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hyperpolymath%2Fproject-wharf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28116444,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-29T02:00:07.021Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops-tools","rhodium-standard"],"created_at":"2025-12-29T13:04:26.910Z","updated_at":"2025-12-29T13:04:36.938Z","avatar_url":"https://github.com/hyperpolymath.png","language":"Rust","funding_links":["https://github.com/sponsors/hyperpolymath"],"categories":[],"sub_categories":[],"readme":"= Project 
Wharf\n\nimage:https://img.shields.io/badge/license-AGPL--3.0-blue.svg[AGPL-3.0,link=\"https://www.gnu.org/licenses/agpl-3.0\"] image:https://img.shields.io/badge/philosophy-Palimpsest-purple.svg[Palimpsest,link=\"https://github.com/hyperpolymath/palimpsest-licence\"]\n:toc: left\n:toclevels: 3\n:icons: font\n:source-highlighter: highlight.js\n\n== The Sovereign Web Hypervisor\n\nimage::docs/wharf-architecture.png[Wharf Architecture,align=\"center\"]\n\n*Wharf* is a revolutionary approach to Content Management System (CMS) security that separates administration from runtime. Instead of plugins with full system access running on your live site, Wharf uses an *offline controller* (the Wharf) and a *read-only runtime* (the Yacht) connected via a Zero Trust mesh network.\n\n=== Core Philosophy\n\n[quote]\nThe gun should not be in the safe.\n\nTraditional CMS security is like storing the vault's drill, dynamite, and blueprints *inside* the vault. If an attacker gets in, they use your own tools against you.\n\nWharf inverts this:\n\n* *The Yacht (Live Site)*: A neutered runtime. It serves content but cannot install plugins, edit code, or change configuration.\n* *The Wharf (Controller)*: Your offline workshop. It holds the keys, runs diagnostics, and makes all administrative decisions.\n* *The Mooring*: A cryptographically secured connection that temporarily allows the Wharf to sync state to the Yacht.\n\n== Architecture\n\n[source]\n----\n      THE WHARF (Offline Controller)               THE YACHT (Online Runtime)\n    +--------------------------------+          +------------------------------+\n    | [Physical/Local Hardware]      |          | [Cloud/Edge Server]          |\n    |                                |          |                              |\n    |  1. IDENTITY (The Keys)        |          |  4. 
THE SHIELD (Rust Agent)  |\n    |     • Nitrokey / FIDO2         |          |     • eBPF Force Field       |\n    |     • Argon2id + LUKS          |          |     • Header Airlock         |\n    |                                |          |     • DB Proxy (AST Aware)   |\n    |  2. INTENT (The Brain)         |          |                              |\n    |     • Nickel Config Schema     |          |  5. THE PAYLOAD (Legacy)     |\n    |     • Nebula CA (Offline)      |          |     • WordPress / Drupal     |\n    |     • Rust Compiler            |          |     • Read-Only Filesystem   |\n    |                                |          |     • Ephemeral RAM Disk     |\n    +---------------+----------------+          +--------------+---------------+\n                    |                                          |\n                    |         THE MOORING (Zero Trust)         |\n                    |                                          |\n                    +==========================================+\n                    |  • Hidden UDP Port (Nebula Mesh)         |\n                    |  • Mutual TLS (mTLS)                     |\n                    |  • Invisible to Public Internet          |\n                    +==========================================+\n----\n\n== Key Features\n\n=== Database \"Virtual Sharding\"\n\nThe Yacht Agent acts as a SQL proxy, parsing queries using an *Abstract Syntax Tree* (not regex!) 
to enforce security policies:\n\n* *Mutable Tables* (Blue Zone): Content like comments and orders—allowed to write\n* *Immutable Tables* (Red Zone): Config like users and plugins—blocked unless from Wharf\n* *Hybrid Tables* (Grey Zone): Mixed content like `wp_options`—conditional rules\n\n[source,sql]\n----\n-- ALLOWED: User comment\nINSERT INTO wp_comments (comment_content) VALUES ('Great post!')\n\n-- BLOCKED: New admin user\nINSERT INTO wp_users (user_login, user_pass) VALUES ('hacker', 'password')\n-- Error: Policy violation: write to immutable table 'wp_users'\n----\n\n=== Filesystem Immutability\n\nThe Yacht filesystem is mounted read-only with specific writable \"playgrounds\":\n\n|===\n| Path | Type | Purpose\n\n| `/wp-content/uploads` | Persistent, No PHP | User media files\n| `/wp-content/cache` | RAM Disk (tmpfs) | Temporary cache—wipes on restart\n| `/wp-content/plugins` | OverlayFS | \"The Lie\"—plugins think they write, but it's ephemeral\n|===\n\n=== HTTP Header Airlock\n\nA Rust-based HTTP proxy strips dangerous headers and injects security headers:\n\n[source]\n----\n# Stripped (Information Leakage)\n- Server: Apache/2.4.41\n- X-Powered-By: PHP/8.1\n\n# Injected (Security Hardening)\n+ Cross-Origin-Opener-Policy: same-origin\n+ Cross-Origin-Embedder-Policy: require-corp\n+ Permissions-Policy: camera=(), microphone=()\n----\n\n=== Zero Trust Networking (Nebula)\n\nAdmin ports are *invisible* to the public internet. 
The Yacht's management API (port 9000) only responds to devices with valid Nebula certificates.\n\n== Quick Start\n\n=== Prerequisites\n\n* Rust (via rustup)\n* Podman (or Docker)\n* Just (command runner)\n* Optional: Nebula, named-checkzone (bind-utils)\n\n=== Installation\n\n[source,bash]\n----\n# Clone the repository\ngit clone https://gitlab.com/hyperpolymath/wharf.git\ncd wharf\n\n# Initialize the workspace\njust init\n\n# Build everything\njust build\n----\n\n=== Basic Usage\n\n[source,bash]\n----\n# Create zone file variables\ncat \u003e vars/example.json \u003c\u003c 'EOF'\n{\n  \"domain\": \"example.com\",\n  \"ip\": \"192.0.2.1\",\n  \"ipv6\": \"2001:db8::1\",\n  \"nameserver\": \"ns1.example.com\",\n  \"nameserver2\": \"ns2.example.com\",\n  \"rpemail\": \"hostmaster.example.com\",\n  \"serial\": \"2025112601\",\n  \"ttl\": \"3600\",\n  \"nsttl\": \"86400\"\n}\nEOF\n\n# Build DNS zone files\njust build-zones\n\n# Audit the generated zone\njust audit-zone dist/example.db example.com\n\n# Detect if dedicated or shared hosting\njust detect-env example.com 192.0.2.1\n----\n\n== DNS Zone Templates\n\nWharf includes four DNS templates for different environments:\n\n|===\n| Template | Use Case | Key Difference\n\n| `simple.tpl` | Modern minimum viable | Basic records + email deliverability (SPF, DMARC, CAA)\n| `shared.tpl` | Shared/Virtual hosting | Uses CNAMEs, includes provider SPF, no SSHFP\n| `standard.tpl` | Dedicated IP | Explicit FTP A record, full control\n| `maximalist.tpl` | Enterprise/Security-focused | DANE, SSHFP, OPENPGPKEY, HTTPS/SVCB, LOC\n|===\n\n== CMS Adapters\n\nWharf includes adapters for popular CMS platforms:\n\n=== WordPress\n\n[source,bash]\n----\n# Copy the DB proxy drop-in\ncp adapters/wordpress/db.php /var/www/html/wp-content/db.php\n\n# The Yacht Agent must be running on 127.0.0.1:3307\n----\n\n=== Drupal\n\n[source,bash]\n----\n# Include the settings override\necho \"include_once '/opt/wharf/adapters/drupal/settings.php';\" 
\u003e\u003e sites/default/settings.php\n----\n\n=== Others\n\n* Joomla (adapter included)\n* Moodle (adapter included)\n* Generic LAMP (customizable adapter)\n\n== Security Model\n\n=== Threat Model\n\nWharf assumes:\n\n* The live server (Yacht) is *hostile territory*\n* Attackers may have SQL injection or file upload vulnerabilities\n* Network is *untrusted* (even internal networks)\n\n=== Protections\n\n|===\n| Attack Vector | Wharf Defense\n\n| SQL Injection → New Admin User | Database proxy blocks writes to `wp_users`\n| File Upload → PHP Shell | Uploads directory has `php_flag engine off`\n| Plugin Backdoor | Plugins directory is read-only (OverlayFS)\n| Config Tampering | `wp-config.php` changes trigger instant revert\n| Network Sniffing | Nebula mesh encrypts all admin traffic\n|===\n\n== Configuration Reference\n\nWharf uses https://nickel-lang.org/[Nickel] for declarative configuration:\n\n* `configs/fleet.ncl` - Define your Yachts\n* `configs/policies/database.ncl` - Database virtual sharding rules\n* `configs/policies/airlock.ncl` - HTTP header rules\n* `configs/policies/filesystem.ncl` - File immutability policies\n* `configs/policies/auth.ncl` - FIDO2 and session policies\n* `configs/policies/network.ncl` - Nebula mesh and firewall rules\n\n== Justfile Commands\n\n[source]\n----\njust init              # Initialize workspace\njust build             # Compile everything\njust moor \u003ctarget\u003e     # Connect to a Yacht\njust audit \u003ctarget\u003e    # Security audit\njust gen-nebula-ca     # Generate mesh CA\njust gen-yacht-cert    # Generate Yacht certificate\njust gen-email-records # Generate SPF/DKIM/DMARC\njust deploy-yacht      # Deploy agent to server\n----\n\n== Contributing\n\nContributions are welcome! Please ensure:\n\n1. Code passes `just lint` and `just fmt-check`\n2. Tests pass with `just test`\n3. Security-sensitive changes are documented\n\n== License\n\nMIT License. 
See LICENSE file for details.\n\n== Credits\n\n* Concept by Jonathan D. A. Jewell (@hyperpolymath)\n* Built with Rust, Nickel, Nebula, and Podman\n\n---\n\n[quote, Project Wharf Manifesto]\n\"The admin panel has no place on the production server.\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhyperpolymath%2Fproject-wharf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhyperpolymath%2Fproject-wharf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhyperpolymath%2Fproject-wharf/lists"}