ef3473db21
Complete snapshot of /opt/microdao-daarion/ from NODE1 (144.76.224.179).
This represents the actual running production code that has diverged
significantly from the previous main branch.
Key changes from old main:
- Gateway (http_api.py): expanded from ~40KB to 164KB with full agent support
- Router: new /v1/agents/{id}/infer endpoint with vision + DeepSeek routing
- Behavior Policy: SOWA v2.2 (3-level: FULL/ACK/SILENT)
- Agent Registry: config/agent_registry.yml as single source of truth
- 13 agents configured (was 3)
- Memory service integration
- CrewAI teams and roles
Excluded from snapshot: venv/, .env, data/, backups, .tgz archives
Co-authored-by: Cursor <cursoragent@cursor.com>
3.3 KiB
3.3 KiB
Security Hardening - Implementation Summary
Date: 2026-01-19
Status: Completed (Phase 1)
✅ Completed
1. Service-to-Service JWT Auth
- ✅ JWT auth module:
/opt/microdao-daarion/shared/service_auth.py - ✅ Memory API: JWT protection added to
/retrieveand/store - ✅ Control Plane: JWT protection added to
/prompts,/policy,/config,/quotas - ⏳ Router: JWT helper function added (needs integration in HTTP calls)
- ⏳ Gateway: JWT integration pending
2. Network Isolation
- ✅ Postgres: Public ports removed (internal only)
- ✅ Qdrant: Public ports removed (internal only)
- ✅ Neo4j: Public ports removed (internal only)
- ✅ Redis: Public ports removed (internal only)
- ✅ NATS: Public ports removed (monitoring port 8222 may remain)
3. NATS Security Configuration
- ✅ NATS accounts config:
/opt/microdao-daarion/nats/nats.conf - ⏳ NATS config needs to be applied to server
- ⏳ Service credentials need to be configured
⏳ Pending
4. Secrets Hardening
- JWT_SECRET set in all services (not default)
- NATS passwords changed from defaults
- API keys validated on startup
5. HTTP Hardening
- Rate limiting enforced
- Request size limits
- Security headers
6. Audit Integrity
- Audit stream append-only verified
- Audit access restricted
Next Steps
-
Apply NATS config:
# Mount NATS config and restart docker-compose restart nats -
Configure JWT_SECRET:
# Add to all service .env files JWT_SECRET=<strong-random-secret> SERVICE_ID=<service-name> SERVICE_ROLE=<service-role> -
Update Router/Gateway HTTP calls:
- Add JWT headers to Memory API calls
- Add JWT headers to Control Plane calls
-
Verification:
- Test DB isolation (ports not accessible)
- Test JWT auth (401 without token)
- Test NATS permissions
Files Created
/opt/microdao-daarion/shared/service_auth.py- JWT auth module/opt/microdao-daarion/nats/nats.conf- NATS accounts/permissions/opt/microdao-daarion/docs/SECURITY_HARDENING_CHECKLIST.md- Checklist/opt/microdao-daarion/docker-compose.node1.yml- Network isolation applied
Acceptance Criteria
- DB ports not accessible from host
- Memory API requires JWT
- Control Plane requires JWT
- NATS permissions enforced
- Only Gateway exposed publicly
✅ Післяінцидентний hardening NODE1 (compose/deploy)
- Compose isolation — фіксовані COMPOSE_PROJECT_NAME для node1/staging, унікальні мережі та volume-імена в кожному compose.
- Guard-rail команди — обгортки stack-node1/stack-staging з правильним --project-directory, -f, і project name.
- NATS JetStream контракт — ідемпотентний init для stream/consumer + ready-gate: worker стартує лише після наявності stream.
- GREENFOOD policy drift control — версія/хеш промпту в логах gateway + короткий acceptance-check (реклама ігнорується, питання → ≤3 речення).
Наступний крок: додати односторінковий Runbook: NODE1 Recovery & Safety (up/down/logs/health/DNS/webhook/Router).