Security

Identity and session

• New passwords use Argon2id; legacy bcrypt hashes upgrade automatically on next login.
• Access JWT expires in 15 minutes, identified by jti for granular revocation.
• Refresh tokens stored as hashes and rotated on each use. Detected reuse triggers preventive revocation of the token family.
• Temporary lockout after 5 failed attempts in 15 minutes.
• Authentication and selected sensitive actions are recorded in auth_eventos (PostgreSQL), with timestamp, IP, and detail.

Refresh tokens travel in an httpOnly · Secure · SameSite=Strict cookie. The access token stays in tab memory; it is not stored in localStorage. The console uses CSP, HSTS, and defensive headers (COOP, CORP, etc.).

API keys

• Each key has a visible prefix (for console identification) and a hashed secret. The secret is shown only at creation time.
• Mandatory scope (agentes, proxy-ollama, or other explicit scopes), following least privilege.
• Optional per-key expiration.
• Revocation preserves audit history; deletion removes the record entirely.

Isolation between Organizations

• Per-Organization file directories with path validation against directory traversal.
• Access tokens carry tenant_id; the API rejects calls that attempt to access another Organization's data.
• Production Datastores use a dedicated logical namespace (dedicated PostgreSQL schema, isolated instance on higher plans).
• Logs and audit data are separated by tenant. Cross-tenant admin access is logged.

Network and TLS

• Automatic TLS via Let's Encrypt for Gateways with tls: true; renewal occurs before expiry.
• HTTP/2 enabled by default.
• Versions below TLS 1.2 are not accepted; TLS 1.3 is preferred.
• Ciphers aligned with a modern configuration.

Platform secrets

Stripe keys, webhook secrets, and other operational credentials are stored encrypted with Fernet using a master key loaded at API startup. Secrets are decrypted only in the process that uses them and are never returned to the console or frontend.

Recommendation: use Stripe Restricted API Keys (rk_) with minimal scope (Charges, Customers, Invoices, PaymentIntents). The console flags use of unrestricted keys.

Host hardening

• UFW with explicit whitelist for HTTPS, SSH, and mail ports.
• fail2ban for SSH, FTP, and SMTP AUTH attempts.
• Security updates via unattended-upgrades.
• SSH with explicit AllowUsers, PasswordAuthentication off, and Ed25519 or RSA-4096 keys only.
• systemd units with NoNewPrivileges, ProtectSystem, PrivateTmp, and RestrictAddressFamilies.

Rate limit

• Applied in two layers: Nginx (perimeter) and FastAPI/SlowAPI (per-route rules).
• Login: 5 attempts per 15 minutes per IP, lockout after 5 failures. /auth/me: 60 req/min. Resource creation: 30 req/min.
• Excess traffic receives HTTP 429 with Retry-After in seconds.

Vulnerability reporting

To report a vulnerability, send a description and proof of concept via the contact channel.