Security

A factual summary of the controls present in the repository and the security work that remains with each self-hosting operator.

Shared responsibility

Kuayle supplies application code and a reference Docker Compose deployment. Instance operators control the host, DNS, network rules, secrets, backups, monitoring and update schedule. Review the source and configuration against your security requirements before production use.

  • Kuayle: application code, migrations and reference configuration
  • Operator: host hardening, firewall, DNS, secrets and access logs
  • Operator: database, upload and certificate backups
  • Operator: testing and applying updates

Authentication

Kuayle hashes passwords with bcrypt. Authentication uses signed access and refresh tokens; refresh-token hashes and expiry times are stored in PostgreSQL. Set a unique JWT_SECRET of at least 32 characters before starting the backend.

  • Access and refresh tokens signed with JWT_SECRET
  • Passwords hashed with bcrypt before storage
  • Expiring access and refresh tokens
  • Role-based access control: Owner, Admin, Member, Guest

Transport security

The reference deployment exposes Caddy on ports 80 and 443. Caddy obtains and renews TLS certificates when DOMAIN points to the server and the host is reachable. PostgreSQL, Redis and the application containers remain on the internal Compose network unless you alter the configuration.

  • Caddy reverse proxy with automatic Let's Encrypt TLS
  • Public ingress through Caddy on ports 80 and 443
  • PostgreSQL and Redis have no published host ports in the reference Compose file
  • TLS depends on correct DNS and network configuration

Stored data and credentials

Application records are stored in PostgreSQL. Uploads use either a Docker volume or an S3-compatible backend. Per-workspace GitHub App credentials are encrypted with AES-256-GCM using a key derived from the configured secret. Disk-level encryption and backup encryption are operator decisions.

  • PostgreSQL for application records and token hashes
  • Local volume or S3-compatible storage for uploads
  • AES-256-GCM for stored GitHub App credentials
  • No built-in backup scheduler: back up the database, uploads and Caddy state externally

Reporting vulnerabilities

If you discover a security vulnerability in Kuayle, please report it responsibly. Do not open a public issue. Send the affected version, reproduction steps, impact, and any suggested mitigation to support@bakney.com.

  • Report to: support@bakney.com
  • Do not disclose publicly until a fix is available
  • Allow time to investigate and prepare a fix before public disclosure
  • Include only the minimum sensitive data needed to reproduce the issue

Updates and dependency checks

The repository runs backend tests, frontend checks and security scanning in GitHub Actions. The self-hosting update script fetches the current branch, rebuilds the backend and frontend containers, recreates the application services and applies database migrations.

  • CI configuration is public under .github/workflows
  • Update flow rebuilds images and applies migrations
  • Review release changes and back up data before updating
  • No published uptime or patch-response SLA

Review Kuayle before you deploy it

Inspect the Apache 2.0 source, then follow the Docker Compose guide to run an instance on your infrastructure.