daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
82d5ff2a4fb8a3d2986d9a6d6e77c36282a70760
microdao-daarion/docs/architecture_inventory/05_SECURITY_AND_ACCESS.md

2.5 KiB
Raw Blame History

Security and Access

Secrets Handling (Redacted)

  • Secrets are loaded from .env, .env.local, service .env, and compose environment blocks.
  • Sensitive values were detected in tracked files; this inventory redacts all such values as <REDACTED>.
  • Example secret-bearing keys (redacted): *_TOKEN, *_API_KEY, POSTGRES_PASSWORD, JWT_SECRET, MINIO_*, NATS_URL credentials.

AuthN/AuthZ

  • Internal service auth patterns exist (service_auth.py modules, JWT-related env in staging).
  • Tool-level authorization is per-agent allowlist in services/router/agent_tools_config.py.
  • Policy/control-plane endpoints are defined in services/control-plane/main.py (/policy, /quotas, /config) but service deployment is environment-dependent.

NATS Access Controls

  • nats/nats.conf defines accounts and publish/subscribe permissions (router, worker, gateway, memory, system).
  • Security hardening doc flags pending actions (e.g., rotate defaults, enforce config at runtime).

Network/Firewall Hardening

  • Firewall script exists: ops/hardening/apply-node1-firewall.sh.
  • Fail2ban nginx jails exist: ops/hardening/fail2ban-nginx.conf.
  • Nginx edge config includes rate limiting and connection limiting.

Privacy / Data Governance

  • Privacy and retention docs present: docs/PRIVACY_GATE.md, docs/DATA_RETENTION_POLICY.md, docs/MEMORY_API_POLICY.md.
  • Memory schema includes PII/consent/account-linking structures (migrations/046, 049, 052).
  • KYC schema stores attestation status and explicitly avoids raw PII fields.

E2EE / Threat Model References

  • Security architecture references are present in docs and consolidated runtime snapshots; no complete formal threat model file was found in active root docs with that exact title.

Redaction Register (locations)

  • .env
  • .env.example
  • .env.local
  • docker-compose.node1.yml
  • docker-compose.staging.yml
  • docker-compose.staging.override.yml
  • docker-compose.backups.yml
  • services/memory-service/.env
  • services/market-data-service/.env
  • services/ai-security-agent/.env.example

Source pointers

  • nats/nats.conf
  • services/router/agent_tools_config.py
  • services/control-plane/main.py
  • ops/nginx/node1-api.conf
  • ops/hardening/apply-node1-firewall.sh
  • ops/hardening/fail2ban-nginx.conf
  • docs/SECURITY_HARDENING_SUMMARY.md
  • docs/PRIVACY_GATE.md
  • docs/DATA_RETENTION_POLICY.md
  • migrations/046_memory_service_full_schema.sql
  • migrations/049_memory_v3_human_memory_model.sql
  • migrations/052_account_linking_schema.sql
Reference in New Issue View Git Blame Copy Permalink