# Security Hardening - Implementation Summary

**Date:** 2026-01-19
**Status:** Completed (Phase 1)

---

## ✅ Completed

### 1. Service-to-Service JWT Auth

- ✅ JWT auth module: `/opt/microdao-daarion/shared/service_auth.py`
- ✅ Memory API: JWT protection added to `/retrieve` and `/store`
- ✅ Control Plane: JWT protection added to `/prompts`, `/policy`, `/config`, `/quotas`
- ⏳ Router: JWT helper function added (needs integration in HTTP calls)
- ⏳ Gateway: JWT integration pending

### 2. Network Isolation

- ✅ Postgres: Public ports removed (internal only)
- ✅ Qdrant: Public ports removed (internal only)
- ✅ Neo4j: Public ports removed (internal only)
- ✅ Redis: Public ports removed (internal only)
- ✅ NATS: Public ports removed (monitoring port 8222 may remain)

### 3. NATS Security Configuration

- ✅ NATS accounts config: `/opt/microdao-daarion/nats/nats.conf`
- ⏳ NATS config needs to be applied to server
- ⏳ Service credentials need to be configured

---

## ⏳ Pending

### 4. Secrets Hardening

- [ ] JWT_SECRET set in all services (not default)
- [ ] NATS passwords changed from defaults
- [ ] API keys validated on startup

### 5. HTTP Hardening

- [ ] Rate limiting enforced
- [ ] Request size limits
- [ ] Security headers

### 6. Audit Integrity

- [ ] Audit stream append-only verified
- [ ] Audit access restricted

---

## Next Steps

1. **Apply NATS config:**

   ```bash
   # Mount NATS config and restart
   docker-compose restart nats
   ```

2. **Configure JWT_SECRET:**

   ```bash
   # Add to all service .env files
   JWT_SECRET=
   SERVICE_ID=
   SERVICE_ROLE=
   ```

3. **Update Router/Gateway HTTP calls:**
   - Add JWT headers to Memory API calls
   - Add JWT headers to Control Plane calls

4. **Verification:**
   - Test DB isolation (ports not accessible)
   - Test JWT auth (401 without token)
   - Test NATS permissions

---

## Files Created

- `/opt/microdao-daarion/shared/service_auth.py` - JWT auth module
- `/opt/microdao-daarion/nats/nats.conf` - NATS accounts/permissions
- `/opt/microdao-daarion/docs/SECURITY_HARDENING_CHECKLIST.md` - Checklist
- `/opt/microdao-daarion/docker-compose.node1.yml` - Network isolation applied

---

## Acceptance Criteria

- [ ] DB ports not accessible from host
- [ ] Memory API requires JWT
- [ ] Control Plane requires JWT
- [ ] NATS permissions enforced
- [ ] Only Gateway exposed publicly

---

## ✅ Post-incident hardening of NODE1 (compose/deploy)

1. **Compose isolation** - fixed COMPOSE_PROJECT_NAME for node1/staging, unique network and volume names in each compose file.
2. **Guard-rail commands** - stack-node1/stack-staging wrappers with the correct --project-directory, -f, and project name.
3. **NATS JetStream contract** - idempotent init for stream/consumer + ready-gate: the worker starts only once the stream exists.
4. **GREENFOOD policy drift control** - prompt version/hash in the gateway logs + a short acceptance check (advertising is ignored, questions → ≤3 sentences).

**Next step:** add a one-page Runbook: NODE1 Recovery & Safety (up/down/logs/health/DNS/webhook/Router).
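
The pending secrets-hardening and verification items above (a non-default `JWT_SECRET` in every service, JWT on Router/Gateway calls, rejection without a valid token) can be exercised with a standard-library sketch like the one below. It is an added example, not the contents of `shared/service_auth.py`; the claim names, the `memory-api` audience, the role values, the placeholder-secret list and the 32-byte minimum are assumptions.

```python
# Added example: HS256 service token with a startup secret check (stdlib only).
import base64
import hashlib
import hmac
import json
import time

WEAK_SECRETS = {"", "secret", "changeme", "default"}  # constructed placeholder list

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(env: dict) -> bytes:
    """Refuse to start if JWT_SECRET is missing, a placeholder, or under 32 bytes."""
    secret = env.get("JWT_SECRET", "")
    if secret.lower() in WEAK_SECRETS or len(secret.encode()) < 32:
        raise RuntimeError("JWT_SECRET missing, default, or shorter than 32 bytes")
    return secret.encode()

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint(secret: bytes, service_id: str, role: str, aud: str, ttl: int = 60, now=None) -> str:
    now = int(time.time() if now is None else now)
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": service_id, "role": role, "aud": aud, "iat": now, "exp": now + ttl}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(sign(secret, header + '.' + body))}"

def verify(secret: bytes, token: str, aud: str, allowed_roles: set, now=None) -> dict:
    """Return the claims or raise PermissionError (the caller maps it to 401/403)."""
    now = int(time.time() if now is None else now)
    try:
        header, body, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":  # pin alg; rejects "none"
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(sign(secret, header + "." + body), b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64d(body))
    except (ValueError, AttributeError, TypeError) as exc:
        raise PermissionError(f"invalid token: {exc}") from None
    if claims.get("exp", 0) <= now or claims.get("aud") != aud:
        raise PermissionError("expired or wrong audience")
    if claims.get("role") not in allowed_roles:
        raise PermissionError("role not allowed")
    return claims
```

The caller side sends the `mint` result in an `Authorization: Bearer` header; a short `ttl` limits how long a leaked token stays usable.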