hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

更新: 421 个文件 - 2026-03-17 18:30:02

浏览代码
这个提交包含在:
hao
2026-03-17 18:30:02 -07:00
父节点 29c3faaa28
当前提交 a3edc88834
修改 421 个文件,包含 12474 行新增5845 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

62
08-threat-intel/repro-profiles/system-family/gitea-authz-bypass.yaml 普通文件
查看文件

@@ -0,0 +1,62 @@
profile_id: gitea-authz-bypass
system_id: gitea
match_rules:
keywords:
- authorization bypass
- access control
vuln_family: authz-bypass
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: gitea.authz-bypass
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/gitea/authz-bypass
required_services:
- app
seed_actions:
- kind: note
message: Seed low-privilege and admin boundary fixture state.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner verifies guest-to-admin bypass only inside fixture route.
browser_assertions:
required: false
success_criteria:
- Controlled guest request reaches the protected admin route inside the fixture.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
services:
app:
image: python:3.12-alpine
working_dir: /workspace
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/authz-bypass/scenario.json
PORT: "3000"
ports:
- 18103:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18103/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/gitea-file-upload.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: gitea-file-upload
system_id: gitea
match_rules:
keywords:
- file upload
- attachment
vuln_family: file-upload
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: gitea.file-upload
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/gitea/file-upload
required_services:
- app
seed_actions:
- kind: note
message: Seed empty attachment list for upload proof.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner uploads inert text marker only.
browser_assertions:
required: true
success_criteria:
- Inert upload marker is accepted and listed on the proof page.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: python:3.12-alpine
working_dir: /workspace
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/file-upload/scenario.json
PORT: "3000"
ports:
- 18104:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18104/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/gitea-proxy-boundary.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: gitea-proxy-boundary
system_id: gitea
match_rules:
keywords:
- proxy
- header trust
vuln_family: proxy-boundary
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: gitea.proxy-boundary
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/gitea/proxy-boundary
required_services:
- app
seed_actions:
- kind: note
message: Seed forwarded-header boundary fixture with clean state.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner performs local forwarded-header trust proof only inside the fixture.
browser_assertions:
required: true
success_criteria:
- Local fixture proves trusted proxy headers cross the admin boundary.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: python:3.12-alpine
working_dir: /workspace
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/proxy-boundary/scenario.json
PORT: "3000"
ports:
- 18101:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18101/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

62
08-threat-intel/repro-profiles/system-family/gitea-ssrf.yaml 普通文件
查看文件

@@ -0,0 +1,62 @@
profile_id: gitea-ssrf
system_id: gitea
match_rules:
keywords:
- ssrf
- request forgery
vuln_family: ssrf
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: gitea.ssrf
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/gitea/ssrf
required_services:
- app
seed_actions:
- kind: note
message: Seed local sink counters only.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner triggers callback strictly to local sink endpoint.
browser_assertions:
required: false
success_criteria:
- Server-side callback reaches the local sink and is recorded in proof output.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
services:
app:
image: python:3.12-alpine
working_dir: /workspace
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/ssrf/scenario.json
PORT: "3000"
ports:
- 18105:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18105/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/gitea-xss.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: gitea-xss
system_id: gitea
match_rules:
keywords:
- xss
- scripting
vuln_family: xss
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: gitea.xss
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/gitea/xss
required_services:
- app
seed_actions:
- kind: note
message: Seed stored content page before browser proof capture.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner stores inert script payload and captures proof page.
browser_assertions:
required: true
success_criteria:
- Browser proof page renders the stored XSS marker after the controlled payload.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: python:3.12-alpine
working_dir: /workspace
command:
- python
- /workspace/00-environments/templates/fixtures/shared/python_fixture.py
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/gitea/xss/scenario.json
PORT: "3000"
ports:
- 18102:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18102/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

62
08-threat-intel/repro-profiles/system-family/nextjs-authz-bypass.yaml 普通文件
查看文件

@@ -0,0 +1,62 @@
profile_id: nextjs-authz-bypass
system_id: nextjs
match_rules:
keywords:
- authorization bypass
- access control
vuln_family: authz-bypass
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: nextjs.authz-bypass
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/nextjs/authz-bypass
required_services:
- app
seed_actions:
- kind: note
message: Seed guest/admin route fixture for server-side recheck.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner performs local authz bypass proof only.
browser_assertions:
required: false
success_criteria:
- Protected route is reachable only after the controlled bypass proof step.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/nextjs/authz-bypass/scenario.json
PORT: "3000"
ports:
- 18202:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18202/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

62
08-threat-intel/repro-profiles/system-family/nextjs-deserialization.yaml 普通文件
查看文件

@@ -0,0 +1,62 @@
profile_id: nextjs-deserialization
system_id: nextjs
match_rules:
keywords:
- deserialization
- serialization
vuln_family: deserialization
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: nextjs.deserialization
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/nextjs/deserialization
required_services:
- app
seed_actions:
- kind: note
message: Seed inert decode path before proof request.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner demonstrates unsafe decode path without gadget execution.
browser_assertions:
required: false
success_criteria:
- Inert decoded object marker is present without executing a gadget chain.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/nextjs/deserialization/scenario.json
PORT: "3000"
ports:
- 18205:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18205/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/nextjs-proxy-boundary.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: nextjs-proxy-boundary
system_id: nextjs
match_rules:
keywords:
- proxy
- middleware
vuln_family: proxy-boundary
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: nextjs.proxy-boundary
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/nextjs/proxy-boundary
required_services:
- app
seed_actions:
- kind: note
message: Seed middleware boundary fixture with clean proxy state.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner performs forwarded-header proof against local fixture only.
browser_assertions:
required: true
success_criteria:
- Middleware trust-boundary proof is visible on the browser proof page.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/nextjs/proxy-boundary/scenario.json
PORT: "3000"
ports:
- 18201:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18201/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

62
08-threat-intel/repro-profiles/system-family/nextjs-ssrf.yaml 普通文件
查看文件

@@ -0,0 +1,62 @@
profile_id: nextjs-ssrf
system_id: nextjs
match_rules:
keywords:
- ssrf
- request forgery
vuln_family: ssrf
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: nextjs.ssrf
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/nextjs/ssrf
required_services:
- app
seed_actions:
- kind: note
message: Seed local callback fixture state.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner validates sink callback without leaving local network.
browser_assertions:
required: false
success_criteria:
- Local sink callback is observed from the server-side fetch path.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/nextjs/ssrf/scenario.json
PORT: "3000"
ports:
- 18203:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18203/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/nextjs-xss.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: nextjs-xss
system_id: nextjs
match_rules:
keywords:
- xss
- scripting
vuln_family: xss
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: nextjs.xss
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/nextjs/xss
required_services:
- app
seed_actions:
- kind: note
message: Seed client-rendering page for XSS proof capture.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner injects inert payload and captures browser proof.
browser_assertions:
required: true
success_criteria:
- Browser proof page shows the XSS execution marker after the controlled payload.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/nextjs/xss/scenario.json
PORT: "3000"
ports:
- 18204:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18204/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

62
08-threat-intel/repro-profiles/system-family/undici-ssrf.yaml 普通文件
查看文件

@@ -0,0 +1,62 @@
profile_id: undici-ssrf
system_id: undici
match_rules:
keywords:
- ssrf
- request forgery
vuln_family: ssrf
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: undici.ssrf
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/undici/ssrf
required_services:
- app
seed_actions:
- kind: note
message: Seed local sink-only request path.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner validates local callback using undici-style request fixture.
browser_assertions:
required: false
success_criteria:
- SSRF proof endpoint confirms only local sink callbacks were performed.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/undici/ssrf/scenario.json
PORT: "3000"
ports:
- 18301:3000
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:3000/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18301/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/vite-file-upload.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: vite-file-upload
system_id: vite
match_rules:
keywords:
- file upload
- upload
vuln_family: file-upload
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: vite.file-upload
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/vite/file-upload
required_services:
- app
seed_actions:
- kind: note
message: Seed empty upload list for dev-server proof page.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner uploads inert text marker only.
browser_assertions:
required: true
success_criteria:
- Uploaded inert marker is shown on the browser proof page.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/vite/file-upload/scenario.json
PORT: "5173"
ports:
- 18402:5173
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:5173/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18402/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/vite-proxy-boundary.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: vite-proxy-boundary
system_id: vite
match_rules:
keywords:
- proxy
- middleware
vuln_family: proxy-boundary
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: vite.proxy-boundary
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/vite/proxy-boundary
required_services:
- app
seed_actions:
- kind: note
message: Seed proxy boundary fixture with baseline banner.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner proves forwarded proxy boundary state change locally.
browser_assertions:
required: true
success_criteria:
- Proxy boundary proof banner is visible in the captured browser evidence.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/vite/proxy-boundary/scenario.json
PORT: "5173"
ports:
- 18401:5173
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:5173/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18401/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local

64
08-threat-intel/repro-profiles/system-family/vite-xss.yaml 普通文件
查看文件

@@ -0,0 +1,64 @@
profile_id: vite-xss
system_id: vite
match_rules:
keywords:
- xss
- scripting
vuln_family: xss
provisioning_mode: real
verification_mode: real
artifact_mode: local-fixture
artifact_source:
strategy: local-minimal-fixture
runner_id: vite.xss
fixture_path: /Users/x/websafe/00-environments/templates/fixtures/vite/xss
required_services:
- app
seed_actions:
- kind: note
message: Seed client render page before XSS proof capture.
baseline_actions:
- kind: http-get
path: /
attack_actions:
- kind: note
message: Runner stores inert payload and validates browser proof only locally.
browser_assertions:
required: true
success_criteria:
- Browser proof page shows the controlled XSS marker after attack.
success_assertions:
- name: baseline-ok
type: baseline-ok
- name: runner-success
type: runner-success
- name: browser-present
type: browser-present
services:
app:
image: node:22-alpine
working_dir: /workspace
command:
- node
- /workspace/00-environments/templates/fixtures/shared/node_fixture.mjs
environment:
LAB_FIXTURE_SCENARIO: /workspace/00-environments/templates/fixtures/vite/xss/scenario.json
PORT: "5173"
ports:
- 18403:5173
volumes:
- /Users/x/websafe:/workspace:ro
healthcheck:
test:
- CMD-SHELL
- wget -q -O - http://127.0.0.1:5173/healthz >/dev/null 2>&1 || exit 1
interval: 2s
timeout: 2s
retries: 20
baseline_urls:
- http://127.0.0.1:18403/
ready_timeout_seconds: 45
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
- lab-local