microdao-daarion/docs/SECURITY_HARDENING_SUMMARY.md
Apple ef3473db21 snapshot: NODE1 production state 2026-02-09
Complete snapshot of /opt/microdao-daarion/ from NODE1 (144.76.224.179).
This represents the actual running production code that has diverged
significantly from the previous main branch.

Key changes from old main:
- Gateway (http_api.py): expanded from ~40KB to 164KB with full agent support
- Router: new /v1/agents/{id}/infer endpoint with vision + DeepSeek routing
- Behavior Policy: SOWA v2.2 (3-level: FULL/ACK/SILENT)
- Agent Registry: config/agent_registry.yml as single source of truth
- 13 agents configured (was 3)
- Memory service integration
- CrewAI teams and roles

Excluded from snapshot: venv/, .env, data/, backups, .tgz archives

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-09 08:46:46 -08:00

# Security Hardening - Implementation Summary
**Date:** 2026-01-19
**Status:** Completed (Phase 1)
---
## ✅ Completed
### 1. Service-to-Service JWT Auth
- ✅ JWT auth module: `/opt/microdao-daarion/shared/service_auth.py`
- ✅ Memory API: JWT protection added to `/retrieve` and `/store`
- ✅ Control Plane: JWT protection added to `/prompts`, `/policy`, `/config`, `/quotas`
- ⏳ Router: JWT helper function added (needs integration in HTTP calls)
- ⏳ Gateway: JWT integration pending
### 2. Network Isolation
- ✅ Postgres: Public ports removed (internal only)
- ✅ Qdrant: Public ports removed (internal only)
- ✅ Neo4j: Public ports removed (internal only)
- ✅ Redis: Public ports removed (internal only)
- ✅ NATS: Public ports removed (monitoring port 8222 may remain)
### 3. NATS Security Configuration
- ✅ NATS accounts config: `/opt/microdao-daarion/nats/nats.conf`
- ⏳ NATS config needs to be applied to server
- ⏳ Service credentials need to be configured
---
## ⏳ Pending
### 4. Secrets Hardening
- [ ] JWT_SECRET set in all services (not default)
- [ ] NATS passwords changed from defaults
- [ ] API keys validated on startup
### 5. HTTP Hardening
- [ ] Rate limiting enforced
- [ ] Request size limits
- [ ] Security headers
### 6. Audit Integrity
- [ ] Audit stream append-only verified
- [ ] Audit access restricted
---
## Next Steps
1. **Apply NATS config:**
```bash
# Mount NATS config and restart
docker-compose restart nats
```
2. **Configure JWT_SECRET:**
```bash
# Add to all service .env files
JWT_SECRET=<strong-random-secret>
SERVICE_ID=<service-name>
SERVICE_ROLE=<service-role>
```
3. **Update Router/Gateway HTTP calls:**
- Add JWT headers to Memory API calls
- Add JWT headers to Control Plane calls
4. **Verification:**
- Test DB isolation (ports not accessible)
- Test JWT auth (401 without token)
- Test NATS permissions
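As an added example (not the project's `service_auth.py`), the token shape the steps above assume: `JWT_SECRET`, `SERVICE_ID` and `SERVICE_ROLE` come from the environment, a service refuses to start on a default secret (item 4), and a call without a valid Bearer token gets the 401 the verification step expects. The claim names, the 32-character minimum and the `change-me` default are assumptions, and HS256 is implemented with the standard library so the snippet runs without PyJWT.

```python
import base64, hashlib, hmac, json, os, time

DEFAULT_SECRET = "change-me"  # constructed stand-in for a shipped default

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(env=os.environ) -> str:
    """Refuse to start on a missing, default or short JWT_SECRET (item 4)."""
    secret = env.get("JWT_SECRET", "")
    if not secret or secret == DEFAULT_SECRET or len(secret) < 32:
        raise RuntimeError("JWT_SECRET missing, default or too short")
    return secret

def mint_service_token(secret, service_id, role, ttl=300, now=None):
    """HS256 token carrying SERVICE_ID/SERVICE_ROLE; claim names are assumed."""
    now = int(time.time() if now is None else now)
    compact = {"separators": (",", ":")}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64(json.dumps({"sub": service_id, "role": role, "iat": now,
                            "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def authorize(auth_header, secret, allowed_roles, now=None):
    """Return (status, claims): 401 for no/invalid/expired token, 403 for wrong role."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, None
    try:
        head, body, sig = auth_header[len("Bearer "):].split(".")
        header = json.loads(_unb64(head))
        # Pin the algorithm so a client-supplied header cannot select another one
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return 401, None
        expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return 401, None
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad base64, bad JSON and a wrong part count
        return 401, None
    now = int(time.time() if now is None else now)
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return 401, None
    if claims["exp"] <= now:
        return 401, None
    if claims.get("role") not in allowed_roles:
        return 403, None
    return 200, claims
```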
---
## Files Created
- `/opt/microdao-daarion/shared/service_auth.py` - JWT auth module
- `/opt/microdao-daarion/nats/nats.conf` - NATS accounts/permissions
- `/opt/microdao-daarion/docs/SECURITY_HARDENING_CHECKLIST.md` - Checklist
- `/opt/microdao-daarion/docker-compose.node1.yml` - Network isolation applied
---
## Acceptance Criteria
- [ ] DB ports not accessible from host
- [ ] Memory API requires JWT
- [ ] Control Plane requires JWT
- [ ] NATS permissions enforced
- [ ] Only Gateway exposed publicly
---
## ✅ Post-incident hardening of NODE1 (compose/deploy)
1. **Compose isolation**: fixed COMPOSE_PROJECT_NAME for node1/staging, with unique network and volume names in each compose file.
2. **Guard-rail commands**: stack-node1/stack-staging wrappers that pass the correct --project-directory, -f and project name.
3. **NATS JetStream contract**: idempotent init for stream/consumer plus a ready-gate, so the worker starts only once the stream exists.
4. **GREENFOOD policy drift control**: prompt version/hash in the gateway logs plus a short acceptance check (advertising is ignored, questions → ≤3 sentences).
**Next step:** add a one-page Runbook: NODE1 Recovery & Safety (up/down/logs/health/DNS/webhook/Router).