docs: add node1 runbooks, consolidation artifacts, and maintenance scripts
This commit is contained in:
Apple
54
docs/architecture_inventory/05_SECURITY_AND_ACCESS.md
Normal file
54
docs/architecture_inventory/05_SECURITY_AND_ACCESS.md
Normal file
@@ -0,0 +1,54 @@
|
||||
# Security and Access
|
||||
|
||||
## Secrets Handling (Redacted)
|
||||
- Secrets are loaded from `.env`, `.env.local`, service `.env`, and compose environment blocks.
|
||||
- Sensitive values were detected in tracked files; this inventory redacts all such values as `<REDACTED>`.
|
||||
- Example secret-bearing keys (redacted): `*_TOKEN`, `*_API_KEY`, `POSTGRES_PASSWORD`, `JWT_SECRET`, `MINIO_*`, `NATS_URL` credentials.
|
||||
|
||||
## AuthN/AuthZ
|
||||
- Internal service auth patterns exist (`service_auth.py` modules, JWT-related env in staging).
|
||||
- Tool-level authorization is per-agent allowlist in `services/router/agent_tools_config.py`.
|
||||
- Policy/control-plane endpoints are defined in `services/control-plane/main.py` (`/policy`, `/quotas`, `/config`) but service deployment is environment-dependent.
|
||||
|
||||
## NATS Access Controls
|
||||
- `nats/nats.conf` defines accounts and publish/subscribe permissions (`router`, `worker`, `gateway`, `memory`, `system`).
|
||||
- Security hardening doc flags pending actions (e.g., rotate defaults, enforce config at runtime).
|
||||
|
||||
## Network/Firewall Hardening
|
||||
- Firewall script exists: `ops/hardening/apply-node1-firewall.sh`.
|
||||
- Fail2ban nginx jails exist: `ops/hardening/fail2ban-nginx.conf`.
|
||||
- Nginx edge config includes rate limiting and connection limiting.
|
||||
|
||||
## Privacy / Data Governance
|
||||
- Privacy and retention docs present: `docs/PRIVACY_GATE.md`, `docs/DATA_RETENTION_POLICY.md`, `docs/MEMORY_API_POLICY.md`.
|
||||
- Memory schema includes PII/consent/account-linking structures (`migrations/046`, `049`, `052`).
|
||||
- KYC schema stores attestation status and explicitly avoids raw PII fields.
|
||||
|
||||
## E2EE / Threat Model References
|
||||
- Security architecture references are present in docs and consolidated runtime snapshots; no complete formal threat model file was found in active root docs with that exact title.
|
||||
|
||||
## Redaction Register (locations)
|
||||
- `.env`
|
||||
- `.env.example`
|
||||
- `.env.local`
|
||||
- `docker-compose.node1.yml`
|
||||
- `docker-compose.staging.yml`
|
||||
- `docker-compose.staging.override.yml`
|
||||
- `docker-compose.backups.yml`
|
||||
- `services/memory-service/.env`
|
||||
- `services/market-data-service/.env`
|
||||
- `services/ai-security-agent/.env.example`
|
||||
|
||||
## Source pointers
|
||||
- `nats/nats.conf`
|
||||
- `services/router/agent_tools_config.py`
|
||||
- `services/control-plane/main.py`
|
||||
- `ops/nginx/node1-api.conf`
|
||||
- `ops/hardening/apply-node1-firewall.sh`
|
||||
- `ops/hardening/fail2ban-nginx.conf`
|
||||
- `docs/SECURITY_HARDENING_SUMMARY.md`
|
||||
- `docs/PRIVACY_GATE.md`
|
||||
- `docs/DATA_RETENTION_POLICY.md`
|
||||
- `migrations/046_memory_service_full_schema.sql`
|
||||
- `migrations/049_memory_v3_human_memory_model.sql`
|
||||
- `migrations/052_account_linking_schema.sql`
|
||||
Reference in New Issue
Block a user