# Security and Access

## Secrets Handling (Redacted)
- Secrets are loaded from `.env`, `.env.local`, service `.env`, and compose environment blocks.
- Sensitive values were detected in tracked files; this inventory redacts all such values as `<REDACTED>`.
- Example secret-bearing keys (redacted): `*_TOKEN`, `*_API_KEY`, `POSTGRES_PASSWORD`, `JWT_SECRET`, `MINIO_*`, `NATS_URL` credentials.

## AuthN/AuthZ
- Internal service auth patterns exist (`service_auth.py` modules, JWT-related env in staging).
- Tool-level authorization is per-agent allowlist in `services/router/agent_tools_config.py`.
- Policy/control-plane endpoints are defined in `services/control-plane/main.py` (`/policy`, `/quotas`, `/config`) but service deployment is environment-dependent.

## NATS Access Controls
- `nats/nats.conf` defines accounts and publish/subscribe permissions (`router`, `worker`, `gateway`, `memory`, `system`).
- Security hardening doc flags pending actions (e.g., rotate defaults, enforce config at runtime).

## Network/Firewall Hardening
- Firewall script exists: `ops/hardening/apply-node1-firewall.sh`.
- Fail2ban nginx jails exist: `ops/hardening/fail2ban-nginx.conf`.
- Nginx edge config includes rate limiting and connection limiting.

## Privacy / Data Governance
- Privacy and retention docs present: `docs/PRIVACY_GATE.md`, `docs/DATA_RETENTION_POLICY.md`, `docs/MEMORY_API_POLICY.md`.
- Memory schema includes PII/consent/account-linking structures (`migrations/046`, `049`, `052`).
- KYC schema stores attestation status and explicitly avoids raw PII fields.

## E2EE / Threat Model References
- Security architecture references are present in docs and consolidated runtime snapshots; no complete formal threat model file was found in active root docs with that exact title.

## Redaction Register (locations)
- `.env`
- `.env.example`
- `.env.local`
- `docker-compose.node1.yml`
- `docker-compose.staging.yml`
- `docker-compose.staging.override.yml`
- `docker-compose.backups.yml`
- `services/memory-service/.env`
- `services/market-data-service/.env`
- `services/ai-security-agent/.env.example`

## Source pointers
- `nats/nats.conf`
- `services/router/agent_tools_config.py`
- `services/control-plane/main.py`
- `ops/nginx/node1-api.conf`
- `ops/hardening/apply-node1-firewall.sh`
- `ops/hardening/fail2ban-nginx.conf`
- `docs/SECURITY_HARDENING_SUMMARY.md`
- `docs/PRIVACY_GATE.md`
- `docs/DATA_RETENTION_POLICY.md`
- `migrations/046_memory_service_full_schema.sql`
- `migrations/049_memory_v3_human_memory_model.sql`
- `migrations/052_account_linking_schema.sql`