1
0
Fork
You've already forked platform
0
forked from caution/platform
No description
  • Rust 67.2%
  • Vue 15.1%
  • Shell 10.2%
  • CSS 3.5%
  • Makefile 1.7%
  • Other 2.3%
2026年06月12日 19:23:48 -04:00
.cargo use crates for locksmith 2026年04月02日 13:16:40 -07:00
containerfiles Containerfile.cli: fix determinisim related time stamp issue and add 2026年05月29日 13:10:22 -07:00
dist/cli cli: initial release 2026年05月29日 13:54:58 -07:00
frontend fronted: tighten vite production config 2026年05月15日 12:09:08 -07:00
infra-bootstrap improve builder bootstrap 2026年04月09日 14:13:38 -07:00
LICENSES Initial commit 2025年11月29日 07:42:39 -08:00
scripts billing: integrate paddle 2026年03月26日 09:28:56 -07:00
src cli: add command to download EIFs 2026年06月12日 19:23:48 -04:00
terraform/modules/aws/nitro-enclave terraform: gate enclave console capture on debug mode 2026年06月02日 15:29:13 -07:00
tests tests: e2e coverage for keygen signing subkey and keyring normalization 2026年06月12日 11:38:57 +02:00
utils polish and test emails sender 2026年05月08日 14:11:38 -04:00
.dockerignore add cli builder for mac target 2026年04月23日 10:33:53 -07:00
.editorconfig Initial commit 2025年11月29日 07:42:39 -08:00
.gitignore .gitignore: add AGENTS.md and patch files 2026年06月10日 15:45:12 -07:00
Cargo.lock cli: add command to download EIFs 2026年06月12日 19:23:48 -04:00
Cargo.toml api: add endpoint for downloading EIFs 2026年06月12日 18:31:42 -04:00
CLA.md add CLA 2025年12月08日 12:49:17 -08:00
config.json add deploy billing gates, resource limits, and test mode guards 2026年03月31日 11:28:13 -07:00
config.json.example add deploy billing gates, resource limits, and test mode guards 2026年03月31日 11:28:13 -07:00
env.example api::main.rs: increase default healthcheck timout 2026年05月21日 15:02:06 -07:00
LICENSE Initial commit 2025年11月29日 07:42:39 -08:00
Makefile fix(cli): update brew install hints to use nettle@3 on macOS 2026年06月09日 21:13:36 +02:00
prices.json.example simplify billing 2026年04月23日 07:30:37 -07:00
README.md builder: Remove user-controlled remote build commands and run a fixed Docker build from a validated Containerfile/Dockerfile path. Also restrict EC2 metadata responses to one hop so Docker build containers cannot reach builder instance credentials. 2026年05月27日 10:00:48 -07:00

GitHub users: This repo is mirrored from Codeberg. Please open issues and PRs there.

Hosted version: A hosted deployment is available in closed alpha at dashboard.caution.co. To request a registration code, contact info@caution.co.

Caution Platform

Warning: Alpha Software

This software is in early alpha. It may introduce backwards-incompatible changes, has not undergone security audits, and is not production ready. Use at your own risk.

This software is a cloud hosting management platform that builds and deploys verifiable secure enclaves using the AWS Nitro System, based on EnclaveOS.

Verifiable Enclaves

An enclave is verifiable when you can independently confirm that the code running inside it matches the source code you expect. This is achieved through:

  1. Reproducible builds — Reproducible builds force software to be bit-for-bit identical when built from the same source code, and eliminate certain categories of supply chain attacks. It allows for integrity verification, without which software is opaque and difficult to verify.
  2. Cryptographic attestation — The enclave hardware generates a signed attestation document containing measurements (PCR hashes) of the running code.
  3. Independent verification — You can compare your locally-built measurements against the attestation from a running enclave to prove they match.

Getting Started

Prerequisites

  • Docker with containerd enabled
  • GNU Make
  • x86_64 based system (Mac support coming soon)

1. Bootstrap AWS infrastructure

Follow the bootstrapping guide to create the required AWS infrastructure (S3 buckets, IAM user, DynamoDB table).

2. Run the platform

Set up .env file using the credentials from bootstrapping:

cp env.example .env
# Edit .env with your AWS credentials and bucket names from bootstrapping

Install the CLI:

make install-cli

See src/cli/README.md for additional installation options including signature verification and reproducible builds.

Start the platform services:

make up

3. Deploy an app

  1. Register using Passkey (via terminal or web browser):

    caution register
    
  2. Add an SSH key (can be done in browser as well):

    caution ssh-keys add --title <name_of_key> --key <pub_key_string>
    
  3. Initialize a project within a Dockerized repo:

    caution init
    

    You may need to adjust the Procfile. Caution remote builds run Docker from the repository root; your app should build with docker build -f <file> .. Put setup, compilation, and asset build steps in the Dockerfile or Containerfile.

    The hello-world-enclave repo is a good test app to deploy.

  4. Build and deploy:

    git push caution main
    

4. Verify a deployed app

You can verify an enclave's attestation in two ways:

Option A: Reproduce and verify (recommended)

Fetches the attestation from the endpoint, rebuilds the enclave locally, and verifies the PCR hashes match. The attestation endpoint is available at https://<app-url>/attestation.

caution verify --attestation-url <attestation-url>

Option B: Verify against known PCR hashes

PCRs (Platform Configuration Registers) are cryptographic measurements of the enclave's code and configuration. If you already have the expected PCR hashes, you can verify against a file:

# Create a file with expected PCR hashes
cat pcrs.txt
PCR0: 3c07ec536432532f86b8c735b740f0d67a8b115e4a5e20cc8ecbb4e6a8335fe016bf42693b18e8560e299636afa8dc84
PCR1: 3c07ec536432532f86b8c735b740f0d67a8b115e4a5e20cc8ecbb4e6a8335fe016bf42693b18e8560e299636afa8dc84
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
caution verify --pcrs pcrs.txt

Reference

Limitations

  • AWS Nitro Enclaves only
  • Requires x86_64 architecture for enclave builds
  • Docker BuildKit required for reproducible builds
  • Attestation verification requires network access to the enclave endpoint

Coming soon

  • Other TEE platforms (TDX, SEV)
  • Other major cloud platforms and baremetal
  • Alternate OCI runtime support (Podman)

License

Dual-licensed under AGPL-3.0 and a commercial license. See LICENSE for details. Contact info@caution.co to obtain a commercial license.