docs: add SECURITY.md and update hardening guidelines (#1598 )

This commit adds a SECURITY.md file to codify the recent WebSocket security improvements and branch protection policies. ## Changes ### SECURITY.md - Comprehensive security policy document - Security principles and practices - Recent security improvements documentation - Security configuration guide - Vulnerability reporting process - Security best practices for users, developers, and deployments - Security audit log ### Security Improvements Documented 1. WebSocket gateway security (#1504, #1514) - Localhost binding by default - Token authentication - Rate limiting - Configuration via environment variables 2. Branch protection policies 3. Command injection prevention 4. ChromaDB telemetry disabled ### Configuration Guide - Environment variables documentation - Secure deployment instructions - nginx reverse proxy example ### Vulnerability Reporting - Responsible disclosure process - Response timeline - Contact information ## Testing - Verified document structure and content - Checked for completeness - Validated links and references Closes #1598
2026-04-15 11:16:03 -04:00
1 changed files with 162 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,162 @@
+# Security Policy
+
+## Overview
+
+The Nexus is a sovereign AI agent system that prioritizes security, privacy, and local-first operation. This document outlines our security practices and how to report vulnerabilities.
+
+## Security Principles
+
+1. **Local-first**: All data and processing stays on the user's machine by default
+2. **Minimal attack surface**: Expose only what's necessary
+3. **Defense in depth**: Multiple layers of security controls
+4. **Transparency**: Open source, auditable code
+5. **User sovereignty**: Users control their data and connections
+
+## Recent Security Improvements
+
+### WebSocket Gateway Security (Issue #1504, #1514)
+
+**Problem**: WebSocket gateway was exposed on `0.0.0.0` without authentication.
+
+**Solution**:
+- **Localhost binding by default**: Gateway now binds to `127.0.0.1` by default
+- **Token authentication**: Optional token-based authentication via `NEXUS_WS_TOKEN`
+- **Rate limiting**: Connection and message rate limiting
+- **Configuration via environment variables**:
+  - `NEXUS_WS_HOST`: Host to bind to (default: `127.0.0.1`)
+  - `NEXUS_WS_PORT`: Port to listen on (default: `8765`)
+  - `NEXUS_WS_TOKEN`: Authentication token (empty = no auth)
+
+### Branch Protection
+
+**Policy**: All repositories enforce branch protection rules on `main`:
+- Require pull requests for all changes
+- Require 1 approval before merge
+- Dismiss stale approvals on new commits
+- Block force pushes
+- Block branch deletion
+
+### Command Injection Prevention
+
+**Problem**: Shell injection vulnerabilities in commit messages and Electron IPC.
+
+**Solution**:
+- Input validation and sanitization
+- Use of parameterized commands
+- Avoid shell execution where possible
+- Use of safe APIs (e.g., `child_process.execFile` instead of `child_process.exec`)
+
+### ChromaDB Telemetry Disabled
+
+**Problem**: ChromaDB enables anonymous telemetry by default, leaking usage patterns.
+
+**Solution**:
+- Disabled telemetry in all client creation paths
+- Added `anonymized_telemetry=False` to all ChromaDB client instances
+
+## Security Configuration
+
+### Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NEXUS_WS_HOST` | `127.0.0.1` | WebSocket gateway host |
+| `NEXUS_WS_PORT` | `8765` | WebSocket gateway port |
+| `NEXUS_WS_TOKEN` | (empty) | Authentication token |
+| `GITEA_TOKEN` | (required) | Gitea API token |
+| `GITEA_URL` | `https://forge.alexanderwhitestone.com` | Gitea instance URL |
+
+### Secure Deployment
+
+For production deployments:
+
+1. **Use authentication**:
+   ```bash
+   export NEXUS_WS_TOKEN=$(openssl rand -hex 32)
+   ```
+
+2. **Bind to localhost** (default):
+   ```bash
+   export NEXUS_WS_HOST=127.0.0.1
+   ```
+
+3. **Use reverse proxy** for external access:
+   ```nginx
+   # nginx example
+   location /ws {
+       proxy_pass http://127.0.0.1:8765;
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       proxy_set_header Host $host;
+   }
+   ```
+
+4. **Enable HTTPS** for external access
+
+## Reporting Vulnerabilities
+
+### Responsible Disclosure
+
+If you discover a security vulnerability, please follow responsible disclosure:
+
+1. **Do NOT** create a public issue
+2. **Email**: security@timmy.foundation (or contact Alexander directly)
+3. **Include**:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 24 hours
+- **Assessment**: Within 72 hours
+- **Fix**: Within 7 days for critical issues
+- **Disclosure**: After fix is deployed
+
+## Security Best Practices
+
+### For Users
+
+1. **Keep software updated**: Regularly update The Nexus and dependencies
+2. **Use strong tokens**: Generate random, long tokens for authentication
+3. **Limit exposure**: Only expose services that need external access
+4. **Monitor logs**: Check logs for suspicious activity
+5. **Backup regularly**: Keep backups of important data
+
+### For Developers
+
+1. **Input validation**: Always validate and sanitize user input
+2. **Parameterized queries**: Use parameterized queries for database access
+3. **Least privilege**: Run with minimal required permissions
+4. **Secure defaults**: Default to secure configurations
+5. **Code review**: All changes require code review
+
+### For Deployment
+
+1. **Network segmentation**: Isolate services in network segments
+2. **Firewall rules**: Restrict access to necessary ports only
+3. **Regular updates**: Keep OS and dependencies updated
+4. **Monitoring**: Implement logging and monitoring
+5. **Backup strategy**: Regular, tested backups
+
+## Security Audit Log
+
+| Date | Issue | Description | Status |
+|------|-------|-------------|--------|
+| 2026-04-15 | #1504 | WebSocket gateway exposed on 0.0.0.0 | ✅ Fixed |
+| 2026-04-15 | #1514 | WebSocket security improvements | ✅ Fixed |
+| 2026-04-15 | #1423 | Command injection in Electron IPC | ✅ Fixed |
+| 2026-04-15 | #1430 | Shell injection in commit messages | ✅ Fixed |
+| 2026-04-15 | #1427 | ChromaDB telemetry enabled | ✅ Fixed |
+
+## Contact
+
+- **Security Issues**: security@timmy.foundation
+- **General Issues**: Create an issue on Gitea
+- **Emergency**: Contact Alexander directly
+
+## License
+
+This security policy is part of The Nexus project and is subject to the same license.