9
2
Fork
You've already forked platform
2
No description https://caution.co
  • Rust 69.9%
  • Vue 13.1%
  • Shell 10%
  • CSS 3%
  • Makefile 1.4%
  • Other 2.5%
2026年07月12日 21:50:13 -07:00
.cargo use crates for locksmith 2026年04月02日 13:16:40 -07:00
containerfiles dashboard: show platform commit baked in at build time via PLATFORM_GIT_SHA 2026年06月29日 16:51:33 +02:00
dist/cli cli: initial release 2026年05月29日 13:54:58 -07:00
frontend fix: simplify logout confirmation copy 2026年07月13日 12:45:19 +08:00
infra-bootstrap feat: add region routing and resource waitlist notification 2026年06月19日 11:53:36 -07:00
LICENSES Initial commit 2025年11月29日 07:42:39 -08:00
scripts billing: integrate paddle 2026年03月26日 09:28:56 -07:00
src fix: hide destroyed resources from app list 2026年07月13日 11:06:02 +08:00
systemd frontend: compact into gateway 2026年06月19日 03:05:47 -04:00
terraform/modules/aws/nitro-enclave terraform: skip host vsock proxy when egress disabled 2026年06月23日 10:25:26 +02:00
tests Merge remote-tracking branch 'origin/refs/pull/363/head' 2026年07月09日 10:54:18 -04:00
utils polish and test emails sender 2026年05月08日 14:11:38 -04:00
.dockerignore add cli builder for mac target 2026年04月23日 10:33:53 -07:00
.editorconfig Initial commit 2025年11月29日 07:42:39 -08:00
.gitignore gitignore: add .worktrees/ 2026年06月25日 16:30:05 +02:00
Cargo.lock api::deployment: add tofu lockfile cache 2026年07月09日 18:18:30 -04:00
Cargo.toml tests: add hcl-patcher 2026年06月24日 06:53:08 -04:00
CLA.md add CLA 2025年12月08日 12:49:17 -08:00
config.json add deploy billing gates, resource limits, and test mode guards 2026年03月31日 11:28:13 -07:00
config.json.example add deploy billing gates, resource limits, and test mode guards 2026年03月31日 11:28:13 -07:00
env.example fix(api): make billing domain configurable 2026年07月07日 05:02:51 +08:00
LICENSE Initial commit 2025年11月29日 07:42:39 -08:00
Makefile test(gateway): e2e for qr login consume; log consumed-session poll 2026年07月08日 17:44:48 +02:00
prices.json.example simplify billing 2026年04月23日 07:30:37 -07:00
README.md docs: refresh CLI install instructions 2026年07月09日 10:42:05 +08:00

GitHub users: This repo is mirrored from Codeberg. Please open issues and PRs there.

Hosted version: A hosted deployment is available in closed alpha at dashboard.caution.co. To request a registration code, contact info@caution.co.

Caution Platform

Warning: Alpha Software

This software is in early alpha. It may introduce backwards-incompatible changes, has not undergone security audits, and is not production ready. Use at your own risk.

This software is a cloud hosting management platform that builds and deploys verifiable secure enclaves using the AWS Nitro System, based on EnclaveOS.

Verifiable Enclaves

An enclave is verifiable when you can independently confirm that the code running inside it matches the source code you expect. This is achieved through:

  1. Reproducible builds — Reproducible builds force software to be bit-for-bit identical when built from the same source code, and eliminate certain categories of supply chain attacks. It allows for integrity verification, without which software is opaque and difficult to verify.
  2. Cryptographic attestation — The enclave hardware generates a signed attestation document containing measurements (PCR hashes) of the running code.
  3. Independent verification — You can compare your locally-built measurements against the attestation from a running enclave to prove they match.

Getting Started

Prerequisites

  • Docker with containerd enabled
  • GNU Make
  • Bash
  • x86_64 based system (Mac support coming soon)

1. Bootstrap AWS infrastructure

Follow the bootstrapping guide to create the required AWS infrastructure (S3 buckets, IAM user, DynamoDB table).

2. Run the platform

Set up .env file using the credentials from bootstrapping:

cp env.example $HOME/.config/caution/.env
# Edit .env with your AWS credentials and bucket names from bootstrapping

Install the CLI. The default target builds the release-style StageX CLI in Docker and installs it to $HOME/.local/bin/caution:

make install-cli

If you need local PC/SC support for locksmith shard submission, use the host-toolchain build instead:

make install-cli-untrusted

See src/cli/README.md for additional installation options, signature verification, and reproducible builds.

Start the platform services:

make up

3. Deploy an app

  1. Register using Passkey (via terminal or web browser):

    caution register
    
  2. Add an SSH key (can be done in browser as well):

    caution ssh-keys add --title <name_of_key> --key <pub_key_string>
    
  3. Initialize a project within a Dockerized repo:

    caution init
    

    This writes a caution.hcl template when one does not already exist and configures the caution git remote. Caution remote builds run Docker from the repository root, using build.containerfile when configured, then a repo-root Containerfile, then a repo-root Dockerfile. Put setup, compilation, asset builds, and runtime packaging in that Containerfile or Dockerfile so the build inputs are explicit and reproducible.

    The hello-world-enclave repo is a good test app to deploy.

  4. Build and deploy:

    git push caution main
    

4. Verify a deployed app

You can verify an enclave's attestation in two ways:

Option A: Reproduce and verify (recommended)

Fetches the attestation from the endpoint, rebuilds the enclave locally, and verifies the PCR hashes match. The attestation endpoint is available at https://<app-url>/attestation.

caution verify --attestation-url <attestation-url>

Option B: Verify against known PCR hashes

PCRs (Platform Configuration Registers) are cryptographic measurements of the enclave's code and configuration. If you already have the expected PCR hashes, you can verify against a file:

# Create a file with expected PCR hashes
cat pcrs.txt
PCR0: 3c07ec536432532f86b8c735b740f0d67a8b115e4a5e20cc8ecbb4e6a8335fe016bf42693b18e8560e299636afa8dc84
PCR1: 3c07ec536432532f86b8c735b740f0d67a8b115e4a5e20cc8ecbb4e6a8335fe016bf42693b18e8560e299636afa8dc84
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
caution verify --pcrs pcrs.txt

Reference

Limitations

  • AWS Nitro Enclaves only
  • Requires x86_64 architecture for enclave builds
  • Docker BuildKit required for reproducible builds
  • Attestation verification requires network access to the enclave endpoint

Coming soon

  • Other TEE platforms (TDX, SEV)
  • Other major cloud platforms and baremetal
  • Alternate OCI runtime support (Podman)

License

Dual-licensed under AGPL-3.0 and a commercial license. See LICENSE for details. Contact info@caution.co to obtain a commercial license.