Security
Current Security Posture
Wakeplane currently has no authentication or RBAC.
Any process that can reach the HTTP port can read schedules, list runs, create schedules, trigger runs, delete schedules, and access run receipts.
Required: Bind To A Trusted Network
Do not expose Wakeplane directly to the public internet or to untrusted networks.
Acceptable deployment patterns right now:
- Loopback only
- Trusted subnet
- VPN or overlay network
- Reverse-proxied private network
Not acceptable:
- Binding to 0.0.0.0 and exposing the port publicly
- Deploying without a network boundary and assuming internal access is enough
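A preflight check on the listen address can catch a wildcard or public bind before the service starts. The sketch below is an added example, not part of Wakeplane: the `host:port` input format and the function names are assumptions, and it reads no Wakeplane configuration.

```python
import ipaddress

# Verdicts mirror the acceptable / not acceptable lists above.
OK, NEEDS_BOUNDARY, REJECT = "ok", "needs-boundary", "reject"

def split_host_port(listen):
    """Split 'host:port', '[v6]:port' or ':port' into (host, port)."""
    host, sep, port = listen.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port, got {listen!r}")
    return host.strip("[]"), int(port)

def classify_bind(listen):
    """Return (verdict, reason) for a listen address (hypothetical helper)."""
    host, _port = split_host_port(listen)
    if host in ("", "*"):
        # Many servers treat an empty host as "all interfaces".
        return REJECT, "no host given: binds every interface"
    if host == "localhost":
        return OK, "loopback only"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return NEEDS_BOUNDARY, "hostname: check which interface it resolves to"
    if ip.is_unspecified:
        return REJECT, "wildcard address: binds every interface"
    if ip.is_loopback:
        return OK, "loopback only"
    if ip.is_global:
        return REJECT, "publicly routable address"
    # Private, CGNAT/overlay and link-local ranges: fine only if the
    # subnet, VPN or reverse proxy in front of it is actually trusted.
    return NEEDS_BOUNDARY, "non-public address: confirm the network boundary"

if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real deployment.
    for addr in ("127.0.0.1:8080", "[::1]:8080", "10.0.0.5:8080",
                 "100.64.0.7:8080", "0.0.0.0:8080", ":8080", "8.8.8.8:8080"):
        print(f"{addr:18} {classify_bind(addr)}")
```

A "needs-boundary" verdict is not a pass: with no authentication in place, anything on that subnet or overlay has full API access.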
Intended Use Right Now
Wakeplane is intended for:
- embedded or internal operator-controlled systems
- private control planes
- trusted environments where network access is already constrained
It does not provide:
- Authentication
- Authorization or RBAC
- Audit logging at the API layer
- Native TLS
- Multi-tenancy
Responsible Disclosure
See SECURITY.md in the repo root for reporting guidance.