Demo Hardening Checklist
FleetForge’s hosted demo and just demo workflow trade strict security controls
for quick evaluation. Use this checklist to harden the environment before moving
demo flows into production.
Authentication & Authorization
| Mode | How it works | Intended for |
|---|---|---|
| Static demo tokens | FLEETFORGE_API_TOKENS lists writer/reader credentials that the runtime validates in-process. The UI surfaces these values so reviewers can replay runs from curl/CLI. | Local evaluation, public demos scoped to disposable sandboxes. |
| OIDC (production) | Configure FLEETFORGE_OIDC_ISSUER, client IDs, and role claims so the runtime verifies bearer tokens issued by your identity provider. Use RBAC policies to map roles to read/write operations. | Production clusters or any environment needing revocable, audited access. |
Recommendation: keep static tokens only for air-gapped demos. Switch to OIDC for anything persistent and rotate secrets via your secret manager.
Tool & Runtime Isolation
FleetForge supports multiple execution sandboxes with policy packs that restrict run behaviour.
| Policy pack | What it does | Typical use |
|---|---|---|
| allow_all | Enables the Docker toolbox image (echo, python, jq) with permissive network/tool access. | Hosted demos, lightweight evaluation. |
| hipaa, gdpr | Enforces regulated guardrails: restricts executor images, outbound networks, and tool invocations to allowlists. | Production workloads with regulated data. |
Recommendation: choose the tightest pack that fits your data requirements.
Extend allowlists via FLEETFORGE_ALLOWED_TOOLS, FLEETFORGE_ALLOWED_IMAGES,
and FLEETFORGE_ALLOWED_NETWORKS only after approval. See
Guardrail reference for details.
Hardening Checklist
- Secrets: keep demo tokens scoped to non-sensitive sandboxes. Never reuse production tokens. Rotate or revoke writer tokens after each public session.
- Network access: if you expose the demo publicly, run it behind a WAF/CDN and restrict runtime egress to approved APIs.
- Telemetry: isolate demo telemetry (ClickHouse, OTEL exporters) from production data.
- Upgrade path: when promoting a demo to production, enable OIDC, enforce a regulated policy pack, audit tool usage/budgets, and document the change in your ChangeOps process.
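
A preflight check for the upgrade path above, added here as an example and not part of FleetForge itself: it reads the variables named on this page and reports what still blocks promotion. The function name `audit_promotion`, the comma-separated allowlist format, the caller-supplied policy pack name and the approval map are assumptions; the https requirement on the issuer comes from the OIDC Discovery specification.

```python
# Variable and pack names are taken from this page; value formats are assumptions.
REGULATED_PACKS = {"hipaa", "gdpr"}
ALLOWLIST_VARS = (
    "FLEETFORGE_ALLOWED_TOOLS",
    "FLEETFORGE_ALLOWED_IMAGES",
    "FLEETFORGE_ALLOWED_NETWORKS",
)


def audit_promotion(env, policy_pack, approved=None):
    """Return (check, detail) findings that block promoting a demo config.

    env         -- mapping of environment variables (for example os.environ)
    policy_pack -- name of the active pack, supplied by the caller
    approved    -- {variable: set of entries signed off by reviewers}
    """
    approved = approved or {}
    findings = []

    # Static demo tokens are shown in the UI, so they must not survive promotion.
    if env.get("FLEETFORGE_API_TOKENS", "").strip():
        findings.append(("static-tokens", "FLEETFORGE_API_TOKENS is still set"))

    issuer = env.get("FLEETFORGE_OIDC_ISSUER", "").strip()
    if not issuer:
        findings.append(("oidc", "FLEETFORGE_OIDC_ISSUER is not configured"))
    elif not issuer.startswith("https://"):
        findings.append(("oidc", f"issuer is not an https URL: {issuer}"))

    if policy_pack not in REGULATED_PACKS:
        findings.append(("policy-pack", f"'{policy_pack}' is not a regulated pack"))

    for var in ALLOWLIST_VARS:
        # Assumption: entries are comma-separated.
        entries = {e.strip() for e in env.get(var, "").split(",") if e.strip()}
        for entry in sorted(entries - set(approved.get(var, ()))):
            findings.append(("allowlist", f"{var} entry lacks approval: {entry}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a demo configuration about to be promoted.
    demo_env = {
        "FLEETFORGE_API_TOKENS": "constructed-placeholder",
        "FLEETFORGE_ALLOWED_TOOLS": "jq, python",
    }
    approvals = {"FLEETFORGE_ALLOWED_TOOLS": {"jq"}}
    for check, detail in audit_promotion(demo_env, "allow_all", approvals):
        print(f"FAIL [{check}] {detail}")
```

An empty result means none of these four checks objects; it does not cover RBAC mappings, egress rules or telemetry isolation, which still need review.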
For the coordinated disclosure process, see SECURITY.md.