Image with umbrella captured by Sami Anas.
Last Updated: February 21st, 2026
Umbrella Policy serves as the definitive operational framework for SudoVanilla. It ensures that every service, piece of code, and digital asset remains under internal control, adhering to strict open-source and self-hosted standards.
SudoVanilla Operational Standards
1. On-Premises & Local Mandate
All SudoVanilla operations must be powered by local, on-premises hardware.
- Physical Control: Services must reside on hardware owned by SudoVanilla.
- Zero Cloud Reliance: The use of external cloud providers, VPS, or third-party data centers is strictly prohibited to maintain total data sovereignty.
2. Access & Domain Routing
The sudovanilla.org domain is the sole authorized gateway for all organizational services.
- Unified Entry: Every service must be sub-domained under sudovanilla.org.
- Security Enforcement: Direct IP access is disabled; all traffic must flow through the domain.
3. Authentication & SSO Compliance
Security is anchored by the SudoVanilla Wormhole.
- OAuth Requirement: Every hosted service must support an OAuth option for integration with the SudoVanilla Wormhole.
- Mandatory Removal: Any software or service that cannot or will not support SudoVanilla Wormhole via OAuth will be decommissioned and removed from the infrastructure.
- No Local Accounts: Manual account creation within individual applications is strictly forbidden.
4. Software & Distribution
SudoVanilla maintains a closed-loop distribution system for all software that is built.
- SudoVanilla Registry: All OCI (container) images and JS packages must be distributed exclusively via the SudoVanilla Registry.
- Source Code Hosting: Original source code and external project mirrors must only be hosted on:
  - SudoVanilla Ark (Internal)
  - Codeberg
  - git.pub.solar
- Open Source Only: All software must remain open source to allow for full transparency and auditability.
5. Social Media & The Fediverse
SudoVanilla does not participate in proprietary, centralized social media.
- Self-Hosted Socials: All official accounts must be self-hosted.
- Protocol Standards: Presence is limited to the Fediverse via ActivityPub or compatible decentralized protocols.
6. Asset Management
To ensure brand consistency and link longevity, all digital assets are centralized.
- SudoVanilla Via: Every image, video, audio file, software update, and branding asset must be hosted on and served through SudoVanilla Via.
- No External Hotlinking: Linking to assets hosted on external CDNs or third-party sites is prohibited.
SudoVanilla Compliance Audit Checklist
1. Infrastructure & Hosting
- On-Premises Verification: Is the service running on physical hardware located on-premises?
- No Cloud/VPS: Confirm there are no dependencies on AWS, GCP, Azure, or third-party VPS providers.
- Domain Access: Is the service reachable only via a *.sudovanilla.org subdomain?
- IP Lockdown: Verify that direct access via public IP address is disabled at the gateway level.
2. Identity & Authentication
- SSO Integration: Does the service have a functional OAuth 2.0 configuration pointing to SudoVanilla Wormhole SSO?
- Local Account Audit: Have all local application-level databases for user credentials been disabled or purged?
- Decommissioning Trigger: If OAuth support is missing and cannot be implemented via plugin or patch, has the software been marked for immediate removal?
3. Software & Licensing
- Open Source Check: Is the software’s source code available under an FSF-approved license?
- No Proprietary Blobs: Ensure no closed-source “Enterprise” editions or proprietary binaries are in use.
4. Distribution & Version Control
- OCI/JS Registry: Are all container images and JavaScript packages pulled exclusively from the SudoVanilla Registry?
- Source Code Location: Is the primary or mirror repository hosted on SudoVanilla Ark, Codeberg, or git.pub.solar?
- External Git Ban: Confirm no official SudoVanilla code is hosted on GitHub, GitLab.com, Bitbucket, or other git sources.
5. Asset & Media Integrity
- Media Hosting: Are all images, videos, and audio files served through SudoVanilla Via and/or the sudovanilla.org domain?
- Branding Assets: Verify that all official logos and brand assets are retrieved from SudoVanilla Via.
- No Hotlinking: Audit pages for external links to third-party CDNs or asset hosts.
6. Social & Federation
- Self-Hosted Presence: Is the social account hosted on a controlled instance?
- Protocol Compliance: Does the service utilize ActivityPub or similar Fediverse protocols for external interaction?
