caution/platform
5
0
Fork 0
Code Issues 26 Pull requests 3 Wiki Activity
No description
176 commits 16 branches 0 tags 3.1 MiB
  • Rust 58.5%
  • Vue 21.9%
  • CSS 9.3%
  • Shell 3.8%
  • PLpgSQL 2%
  • Other 4.5%
Find a file
Image Anton Livaja 6deccf1e65
Image
Merge remote-tracking branch 'origin/fix/ssh-lookup'
2026-01-31 15:15:59 -08:00
containerfiles pin unpinned deps 2026-01-31 15:15:22 -08:00
frontend Merge remote-tracking branch 'origin/navbar' 2026-01-31 11:09:00 -08:00
infra-bootstrap docs refinements for clarity 2025-12-06 20:52:48 -05:00
LICENSES Initial commit 2025-11-29 07:42:39 -08:00
src pin unpinned deps 2026-01-31 15:15:22 -08:00
terraform/modules/aws add support for managed on-premises deployments 2026-01-08 21:31:18 -08:00
utils add uncommited parts of admin script 2026-01-21 13:49:21 -08:00
.editorconfig Initial commit 2025-11-29 07:42:39 -08:00
.gitignore clean up caching location 2025-12-12 16:32:08 -08:00
Cargo.lock switch dterror to point to crates 2026-01-29 11:09:16 -08:00
Cargo.toml integrate feedback and improve auth implementation 2026-01-28 20:40:37 -08:00
CLA.md add CLA 2025-12-08 12:49:17 -08:00
env.example add internal service auth 2025-12-23 21:32:46 -08:00
LICENSE Initial commit 2025-11-29 07:42:39 -08:00
Makefile add admin script 2026-01-18 11:46:46 -08:00
README.md add new CLI installation instructions 2026-01-09 15:08:56 -08:00

README.md

GitHub users: This repo is mirrored from Codeberg. Please open issues and PRs there.

Hosted version: A hosted deployment is available in closed alpha at alpha.caution.co. To request a registration code, contact info@caution.co.

Caution Platform

Warning: Alpha Software

This software is in early alpha. It may introduce backwards-incompatible changes, has not undergone security audits, and is not production ready. Use at your own risk.

This software is a cloud hosting management platform that builds and deploys verifiable secure enclaves using the AWS Nitro System, based on EnclaveOS.

Verifiable Enclaves

An enclave is verifiable when you can independently confirm that the code running inside it matches the source code you expect. This is achieved through:

  1. Reproducible builds — Reproducible builds force software to be bit-for-bit identical when built from the same source code, and eliminate certain categories of supply chain attacks. It allows for integrity verification, without which software is opaque and difficult to verify.
  2. Cryptographic attestation — The enclave hardware generates a signed attestation document containing measurements (PCR hashes) of the running code.
  3. Independent verification — You can compare your locally-built measurements against the attestation from a running enclave to prove they match.

Getting Started

Prerequisites

  • Docker with containerd enabled
  • GNU Make
  • x86_64 based system (Mac support coming soon)

1. Bootstrap AWS infrastructure

Follow the bootstrapping guide to create the required AWS infrastructure (S3 buckets, IAM user, DynamoDB table).

2. Run the platform

Set up .env file using the credentials from bootstrapping:

cp env.example .env
# Edit .env with your AWS credentials and bucket names from bootstrapping

Install the CLI:

Option A: Install script

curl -fsSL https://codeberg.org/caution/cli/raw/branch/main/install.sh | sh

Option B: Build from source

git clone https://codeberg.org/caution/cli
cd cli
make build
make install

Start the platform services:

make up

3. Deploy an app

  1. Register using Passkey (via terminal or web browser):

    caution register

  2. Add an SSH key (can be done in browser as well):

    caution ssh-keys add --title <name_of_key> --key <pub_key_string>

  3. Initialize a project within a Dockerized repo:

    caution init

    You may need to adjust the Procfile.

    The hello-world-enclave repo is a good test app to deploy.

  4. Build and deploy:

    git push caution main

4. Verify a deployed app

You can verify an enclave's attestation in two ways:

Option A: Reproduce and verify (recommended)

Fetches the attestation from the endpoint, rebuilds the enclave locally, and verifies the PCR hashes match. The attestation endpoint is available at https://<app-url>/attestation.

caution verify --attestation-url <attestation-url>

Option B: Verify against known PCR hashes

PCRs (Platform Configuration Registers) are cryptographic measurements of the enclave's code and configuration. If you already have the expected PCR hashes, you can verify against a file:

# Create a file with expected PCR hashes
cat pcrs.txt
PCR0: 3c07ec536432532f86b8c735b740f0d67a8b115e4a5e20cc8ecbb4e6a8335fe016bf42693b18e8560e299636afa8dc84
PCR1: 3c07ec536432532f86b8c735b740f0d67a8b115e4a5e20cc8ecbb4e6a8335fe016bf42693b18e8560e299636afa8dc84
PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a

caution verify --pcrs pcrs.txt

Reference

Limitations

  • AWS Nitro Enclaves only
  • Requires x86_64 architecture for enclave builds
  • Docker BuildKit required for reproducible builds
  • Attestation verification requires network access to the enclave endpoint

Coming soon

  • Other TEE platforms (TDX, SEV)
  • Other major cloud platforms and baremetal
  • Alternate OCI runtime support (Podman)

License

Dual-licensed under AGPL-3.0 and a commercial license. See LICENSE for details. Contact info@caution.co to obtain a commercial license.