This document describes the security architecture, threat model, hardening practices, and vulnerability disclosure process for the Concord Cognitive Engine. It is intended for operators, contributors, and security researchers.
- Reporting Vulnerabilities
- Supported Versions
- Authentication and Authorization
- Token Lifecycle
- OAuth Integration
- Middleware and Transport Security
- Input Sanitization
- Rate Limiting
- Concord Shield -- Threat Detection
- Concord Mesh -- Transport Security
- Content Moderation
- Economy Security
- GRC Invariants -- Output Safety
- Privacy Zones
- LLM Security Considerations
- Infrastructure and Container Hardening
- Data Security and Encryption
- Unsafe Surfaces Registry
- Environment Security
- Dependency Security
- Ethos Invariants
- Compliance Considerations
- Incident Response
Do not file public GitHub issues for security vulnerabilities.
If you discover a security vulnerability in Concord, please report it through responsible disclosure:
| Detail | Value |
|---|---|
| security@concord-os.org | |
| Initial Response | Within 48 hours of receipt |
| Assessment | Full severity assessment within 7 calendar days |
| Disclosure | Coordinated disclosure after patch is available |
When reporting, please include:
- A clear description of the vulnerability and its potential impact.
- Detailed steps to reproduce, including environment details.
- Any proof-of-concept code or screenshots.
- Your preferred attribution name (if you wish to be credited).
We will acknowledge receipt within 48 hours, provide an initial severity assessment within 7 days, and work with you on a coordinated disclosure timeline. We will not pursue legal action against researchers acting in good faith.
| Version | Status | Security Updates |
|---|---|---|
| 5.x.x | Current | Yes |
| 4.x.x | Supported | Critical fixes |
| < 4.0 | EOL | No |
Only the current major release receives full security patches. The previous major release receives critical-severity fixes only.
Concord supports four authentication modes, configured via AUTH_MODE:
| Mode | Description | Use Case |
|---|---|---|
public |
No authentication required | Local development, air-gapped |
apikey |
API key in Authorization header |
Service-to-service communication |
jwt |
JWT bearer tokens with refresh token rotation | Programmatic and browser access |
hybrid |
JWT + API key + cookie support (default) | Production deployments |
| Method | Client Type | Security Level | XSS Protected |
|---|---|---|---|
| HttpOnly Cookies | Browser clients | Highest | Yes |
| JWT Bearer Token | Programmatic APIs | High | No (token in code) |
| API Key | Service-to-service | High | N/A |
- Algorithm: bcryptjs
- Default rounds: 12 (configurable via
BCRYPT_ROUNDS) - Registration is rejected if the bcrypt module is unavailable, preventing plaintext storage
The first registered user is automatically assigned the owner role with wildcard
(*) scopes. Subsequent users receive the member role with read and write
scopes. Privileged operations check for admin, owner, or founder roles, or
the economy:admin scope.
Administrative operations in the economy subsystem accept a FOUNDER_SECRET header
as an operational backdoor. This comparison uses crypto.timingSafeEqual to prevent
timing side-channel attacks.
| Property | Value |
|---|---|
| Algorithm | HS256 |
| Default Expiry | 15 minutes (access) / 7 days (configurable via JWT_EXPIRES_IN) |
| Secret Length | Minimum 32 characters in production |
| Signing Secret | JWT_SECRET environment variable |
| Property | Value |
|---|---|
| Default Expiry | 7 days (configurable via REFRESH_TOKEN_EXPIRES) |
| Storage | HttpOnly cookie (SameSite=Strict, Secure) |
| Rotation | New refresh token issued on each use |
| Family Tracking | Tokens belong to families; reuse invalidates the entire family |
All authentication cookies are set with the following attributes:
HttpOnly: true (inaccessible to JavaScript)
Secure: true (HTTPS only, in production)
SameSite: Strict (no cross-site transmission)
Revoked tokens are tracked across three layers for defense in depth:
- In-memory Set -- immediate invalidation, no I/O latency
- SQLite -- persistent across restarts
- Redis -- shared across instances (when federation is enabled)
Refresh tokens are organized into families. If a refresh token that has already been rotated is presented again (indicating theft and replay), the entire token family is invalidated, forcing the legitimate user to re-authenticate and locking out the attacker.
| Provider | Protocol | Client Secret Type | CSRF Protection |
|---|---|---|---|
| OAuth 2.0 | Shared secret | Random state parameter |
|
| Apple | Sign In with Apple | ES256 JWT | Random state parameter |
- State parameter: A 32-byte cryptographically random hex string is generated per authorization request and validated on callback to prevent CSRF.
- Apple client secret: Generated as a short-lived ES256 JWT signed with the Apple private key, not stored as a static string.
- Provider availability: OAuth routes are only mounted when the corresponding environment variables are configured. Unconfigured providers return 404.
- No external OAuth libraries: Token exchange uses Node.js built-in
fetch(Node 18+) to minimize supply-chain risk.
All responses include the following headers, enforced at both the application layer (Helmet.js) and the reverse proxy layer (nginx):
| Header | Value | Purpose |
|---|---|---|
Content-Security-Policy |
Per-request nonce for scripts; 'self' base |
XSS prevention |
Strict-Transport-Security |
max-age=31536000; includeSubDomains; preload |
Force HTTPS |
X-Frame-Options |
SAMEORIGIN |
Clickjacking prevention |
X-Content-Type-Options |
nosniff |
MIME-sniffing prevention |
X-XSS-Protection |
1; mode=block |
Legacy XSS filter |
Referrer-Policy |
strict-origin-when-cross-origin |
Referrer leakage prevention |
Permissions-Policy |
camera=(), microphone=(), geolocation=() |
Feature restriction |
- Script nonce: A 16-byte random nonce is generated per request via
crypto.randomBytes(16)and injected into the CSPscript-srcdirective. - Production mode:
unsafe-evalis removed; only nonce-authenticated andunsafe-inlinescripts are allowed. - Development mode:
unsafe-evalis permitted for hot-reload tooling. - Frame sources: Blocked (
frame-src 'none'). - Object sources: Blocked (
object-src 'none'). - Form actions: Restricted to
'self'.
- In production,
ALLOWED_ORIGINSmust be explicitly set. Wildcard origins are not permitted. credentials: trueis enabled for cookie-based authentication.- The
connect-srcCSP directive is dynamically populated fromALLOWED_ORIGINS.
State-changing requests (POST, PUT, DELETE, PATCH) require a valid CSRF token
using the double-submit cookie pattern:
Cookie: _csrf=<token>
Header: X-CSRF-Token: <token>
The server validates that the header value matches the cookie value. The frontend API client handles this automatically.
Per-endpoint body size limits prevent denial-of-service via oversized payloads:
| Endpoint Category | Maximum Body Size |
|---|---|
| Chat | 256 KB |
| Auth (register) | 16 KB |
| Auth (login) | 4 KB |
| Default | 10 MB |
| nginx upload | 25 MB |
- Request ID: Every request receives a unique identifier for tracing.
- Request timeout: Configurable per-request timeout to prevent hung connections.
- Compression: gzip compression at the application and nginx layers.
- Idempotency: Write operations support idempotency keys to prevent duplicate effects.
All user input is sanitized before processing. The sanitization middleware detects and blocks the following attack vectors:
Blocked patterns:
<script>...</script>
Event handlers: onclick=, onerror=, onload=
Protocol handlers: javascript:
Data URIs: data:*;base64
Logged and monitored patterns:
UNION SELECT, INSERT INTO, DROP TABLE
DELETE FROM, UPDATE SET, EXECUTE
Note: Concord uses parameterized queries (prepared statements) via better-sqlite3 as the primary SQL injection defense. The sanitization layer provides defense-in-depth logging and alerting.
Blocked keys in request bodies:
__proto__, constructor, prototype
Rate limiting is enforced at multiple layers:
| Endpoint Type | Limit | Window |
|---|---|---|
| Authentication | 10 requests | 1 minute |
| API (general) | 100 requests | 1 minute |
| Economy transfers | 30 transactions | 1 minute (per user) |
| Zone | Rate | Burst |
|---|---|---|
| API | 10 r/s | 20 |
| General | 30 r/s | -- |
The nginx rate limiting operates independently of the application layer, providing defense against attacks that bypass the application.
Concord Shield is a three-layer security architecture that orchestrates open-source security tools and feeds all findings into the DTU lattice.
Incoming Data
|
v
[ SCAN ] -----> ClamAV (malware), YARA-X (patterns)
|
v
[ ANALYZE ] --> Suricata (network IDS), Snort (IPS), Zeek (behavioral)
|
v
[ FORTIFY ] --> OpenVAS (vulnerabilities), Wazuh (SIEM/host monitoring)
|
v
Threat DTU --> Pain Memory (never pruned)
| Tool | Function | Integration Mode |
|---|---|---|
| ClamAV | Malware scanning | clamd daemon |
| YARA-X | Pattern matching/classification | Rule engine |
| Suricata | Network intrusion detection | Real-time IDS |
| Snort | Intrusion prevention | IPS mode |
| OpenVAS | Vulnerability scanning | Scheduled scans |
| Wazuh | Host monitoring and SIEM | Agent-based |
| Zeek | Behavioral network analysis | Passive monitor |
| Mode | Trigger | Tools Engaged |
|---|---|---|
| Passive | Always-on | Suricata, Zeek |
| Active | File ingestion | ClamAV scans all files |
| Scheduled | Periodic timer | OpenVAS vulnerability scan |
| On-demand | User request via chat | Full tool sweep |
| User-initiated | File/URL/hash submission | Targeted analysis |
- Every detection is stored as a threat DTU tagged with
pain_memory. - Pain memory DTUs are never pruned by the forgetting engine.
- Threat signatures propagate to all users in one heartbeat tick, providing collective immunity: a threat detected for one user instantly protects all users.
- Meta-derivation runs cross-threat pattern discovery across all threat DTUs.
- Additive only -- Shield never modifies existing systems.
- Silent failure -- Shield itself never crashes the platform.
- Every detection is a DTU -- full audit trail.
- Pain integration -- every threat becomes pain memory, never pruned.
- Collective immunity -- one detection protects all users.
- All through chat -- no separate security UI.
Concord Mesh provides infrastructure-independent DTU transmission across seven transport layers, each with distinct security characteristics.
| Layer | Protocol | Range | Bandwidth | Requires Infrastructure |
|---|---|---|---|---|
| Internet | HTTPS/WSS over TCP | Global | High | Yes |
| WiFi Direct | mDNS + direct TCP | ~100m | High | No |
| Bluetooth/BLE | RFCOMM/GATT | ~10-30m | Medium | No |
| LoRa | LoRa modulation | 2-15km/hop | Very Low | No |
| RF/Ham Packet | AX.25/JS8Call | Regional | Very Low | No |
| Telephone | V.92 modem | Global | Low | Yes |
| NFC | NDEF | ~4cm | Tap | No |
- Self-verifying: Every DTU carries a SHA-256 content hash in its 48-byte header. Recipients verify integrity without relying on TLS or channel security.
- Self-contained: DTUs require no server lookup, no session state, and arrive complete. No man-in-the-middle can inject partial state.
- Store-and-forward: DTUs survive disconnected operation. No persistent connection is required. The DTU waits for the next available channel.
- Automatic routing: The mesh selects the optimal transport path. Users never manually pick channels, reducing misconfiguration risk.
- Adaptive failover: If a channel drops, the next available channel picks up instantly with no data loss.
The moderation system supports ten report categories:
| Category | Description |
|---|---|
spam |
Unsolicited or repetitive content |
harassment |
Targeted abuse or bullying |
hate_speech |
Content promoting hatred of groups |
violence |
Graphic violence or threats |
sexual_content |
Explicit sexual material |
misinformation |
Verifiably false claims |
copyright |
Intellectual property infringement |
impersonation |
Pretending to be another person/entity |
self_harm |
Content promoting self-harm or suicide |
other |
Reports not fitting other categories |
User Report / Auto-Flag
|
v
[ Pending ] --> [ Reviewing ] --> [ Resolved ]
| |
v v
[ Escalated ] [ Dismissed ]
- Flag -- mark content for review
- Warn -- issue a warning to the user
- Restrict -- limit content visibility
- Remove -- remove content (preserving original for restoration)
- Suspend -- suspend user account
- Restore -- restore previously removed content
Repeated violations escalate through a strike system: warnings progress to temporary suspensions and, for persistent violations, permanent action.
Content is automatically flagged via keyword pattern matching and pattern detection.
Auto-flagged content enters the moderation queue with the source recorded as
auto_keyword or auto_pattern.
Every moderation action produces an audit log entry. Content is never silently removed. Every action has a paper trail, and removed content can be restored.
The Concord economy handles token transfers, purchases, and marketplace transactions with financial-grade safety guarantees.
All transfers execute inside a single SQLite transaction. If any step fails, nothing commits. There is no partial state:
BEGIN TRANSACTION
1. Validate sender balance (inside transaction to prevent race conditions)
2. Compute fee
3. Create debit record (sender)
4. Create credit record (recipient)
5. Create fee record (platform)
COMMIT (all-or-nothing)
Balance validation occurs inside the SQLite transaction, not before it. This prevents time-of-check-to-time-of-use (TOCTOU) race conditions where concurrent requests could overdraft an account.
| Guard | Description |
|---|---|
| Amount validation | Positive numbers only, checked before transaction |
| Balance validation | Verified inside transaction (prevents races) |
| Self-transfer block | Users cannot transfer to themselves |
| Rate limiting | 30 transactions per user per minute |
| Idempotency | Duplicate refId returns the original result |
| Founder secret | Timing-safe comparison via crypto.timingSafeEqual |
Every economy action is logged to the audit_log table with the following fields:
| Field | Description |
|---|---|
action |
Operation type (e.g., transfer, token_purchase) |
userId |
Acting user ID |
amount |
Transaction amount |
txId |
Ledger transaction or batch ID |
ip |
Client IP address |
userAgent |
Client user-agent string |
requestId |
X-Request-ID header for tracing |
timestamp |
ISO 8601 timestamp |
Audit entries are written to both the SQLite database (persistent) and console (real-time monitoring).
The Governance, Risk, and Compliance (GRC) module enforces seven core invariants on all system outputs before they reach users.
| Invariant | Purpose |
|---|---|
NoNegativeValence |
Prevents outputs with negative emotional charge |
RealityGateBeforeEffects |
Verifies payload stays inside the lattice reality |
NoUnlabeledAssumptions |
Ensures all assumptions are explicitly labeled |
NoSaaSMinimizeRegression |
Prevents minimizing or SaaS-ifying user intent |
FounderOverrideAllowed |
Preserves founder override capability |
NoSystemJargon |
Removes internal terminology from user-facing output |
GroundingCheck |
Validates outputs are grounded in source material |
When an invariant check fails, the GRC module attempts automatic repair:
- The payload is analyzed to identify the violation.
- A repair is attempted that preserves the semantic intent.
- If repair succeeds, the output continues with a repair annotation.
- If repair fails, the output is blocked and the failure is logged.
Repairs follow strict rules: no new claims are introduced, semantic intent is preserved, and content is never sanitized to the point of uselessness.
System jargon patterns (e.g., references to DTUs, substrates, lattices, macros, Ollama, brain cortex) are automatically removed from user-facing output to prevent information leakage about internal architecture.
The Atlas Signal Cortex implements a four-tier privacy architecture with absolute guarantees at the highest level.
| Tier | Zone Types | Interior Data | Override Possible |
|---|---|---|---|
ABSOLUTE |
Residential, medical, religious | Never created | No |
RESTRICTED |
Government, military | Exterior only | No (sovereign limited) |
CONTROLLED |
Commercial, industrial | Limited access | Research tier only |
OPEN |
Undeveloped, geology, water, public | Full access | N/A |
Interior data for ABSOLUTE zones is never generated. The reconstruction
algorithm skips the interior volume entirely. There is nothing to reveal, filter,
or hide -- the data does not exist.
The following are suppressed at every privacy tier, including sovereign:
- Personal presence detection -- no person-tracking at any level.
- Vehicle tracking -- no vehicle identification or tracking at any level.
These suppressions cannot be overridden by any role, configuration, or API call.
When using LLM features (chat, forge, dream), the following mitigations are in place:
| Risk | Mitigation |
|---|---|
| Direct injection | Input sanitization before LLM processing |
| Indirect injection | Output validation before storage |
| Data exfiltration | Sandboxed execution; LLM-generated code never runs directly |
| Abuse via volume | Rate limiting on all LLM endpoints |
| Audit gap | All LLM interactions are logged |
Cloud LLM features require explicit opt-in at two independent levels:
- Environment level:
CLOUD_LLM_ENABLED=truemust be set. - Session level: The user must explicitly enable cloud LLM per session.
No data is sent to external LLM APIs without both levels of consent.
For maximum data sovereignty, Concord supports local LLM via Ollama:
OLLAMA_HOST=http://localhost:11434
OLLAMA_MODEL=llama3.2
LLM_ENABLED=true
CLOUD_LLM_ENABLED=falseIn this configuration, no data leaves the host machine.
| Measure | Implementation |
|---|---|
| Non-root execution | Containers run as UID 1001 (concord user) |
| No privilege escalation | security_opt: no-new-privileges:true |
| tmpfs with restrictions | /tmp mounted as tmpfs with noexec,nosuid |
| Production-only deps | npm ci --omit=dev excludes dev dependencies |
| Build-time tests | Docker build fails if any test fails |
| Log rotation | JSON file driver, max 50MB per file, 3 files max |
| Setting | Value |
|---|---|
| Protocols | TLSv1.2, TLSv1.3 |
| Cipher suites | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 |
| HSTS | max-age=31536000; includeSubDomains; preload |
| Session tickets | Disabled (ssl_session_tickets off) |
| HTTP redirect | All HTTP (port 80) traffic 301-redirected to HTTPS |
| Server preference | ssl_prefer_server_ciphers off (client selects best mutual cipher) |
- Rate limiting at the reverse proxy layer (independent of application).
- Security headers applied at the nginx level as well as the application level.
- Let's Encrypt ACME challenge path exposed for automated certificate renewal.
client_max_body_sizealigned with backend limits.
| Layer | Method |
|---|---|
| In transit | TLS 1.2+ enforced via nginx |
| At rest | Recommended: encrypted filesystem for DATA_DIR |
| Passwords | bcrypt with 12 rounds (configurable) |
| JWT signing | HS256 with minimum 32-character secret |
- Each user's DTUs are isolated by
ownerId. - Permission system controls read, write, and delete access.
- Global DTUs require council approval.
# Backups stored in DATA_DIR/backups
# Restrict permissions to the owning process user only
chmod 700 /data/backupsThe following capabilities expose attack surface beyond standard CRUD operations. Each is disabled by default in production unless explicitly enabled.
| Surface | Environment Gate | Default | Risk | Notes |
|---|---|---|---|---|
| Terminal/sandbox | ENABLE_TERMINAL_EXEC |
false |
Critical | Spawns bash -c <cmd> in entity workspace. Council-gated for medium+ risk. Only enable on air-gapped instances. |
| Federation | FEDERATION_ENABLED |
false |
Medium | Redis pub/sub between instances. Opens cross-instance DTU sync. |
| Whisper STT | WHISPER_CPP_BIN |
Empty | Low | Spawns whisper binary on audio files. Path must be pre-configured. |
| Piper TTS | PIPER_BIN |
Empty | Low | Spawns piper binary for speech synthesis. Path must be pre-configured. |
| Image generation | SD_URL / COMFYUI_URL |
Empty | Low | HTTP calls to local Stable Diffusion. |
curl -s http://localhost:5050/api/status | jq '.infrastructure.capabilities'Returns:
{
"sqlite": true,
"jwt": true,
"bcrypt": true,
"ollama": true,
"exec": false,
"federation": false,
"whisper": false,
"piper": false,
"imagegen": false
}The following must be set before deploying to production:
JWT_SECRET=<minimum 32 characters, 64+ recommended>
ADMIN_PASSWORD=<minimum 12 characters>
NODE_ENV=production
ALLOWED_ORIGINS=https://your-domain.comNever commit secrets to version control.
| Approach | Suitability |
|---|---|
| Kubernetes Secrets / AWS SSM | Production orchestration |
.env file with chmod 600 |
Single-server deployment |
| HashiCorp Vault / AWS Secrets Manager | Enterprise environments |
Security-relevant events are logged to the audit_log table:
- Authentication attempts (success and failure)
- Authorization failures
- Rate limit triggers
- Input sanitization triggers (potential attack attempts)
- Admin actions
- Economy transactions
Access audit logs via /api/auth/audit-log (admin-only endpoint).
| Frequency | Action |
|---|---|
| Every PR | npm audit runs in CI |
| Weekly | Manual review of high and critical vulnerabilities |
| Within 48h | Security patches applied for critical CVEs |
Optional dependencies with native code (better-sqlite3, @xenova/transformers) are:
- Only installed when explicitly needed.
- Compiled in isolated Docker build stages.
- Not required for core functionality (the system falls back gracefully).
These security-relevant principles are immutable and enforced at runtime. They cannot be changed by configuration, environment variables, or API calls:
NO_TELEMETRY The system never phones home.
NO_SECRET_MONITORING No hidden tracking or monitoring.
NO_USER_PROFILING No behavioral analysis or profiling.
CLOUD_LLM_OPT_IN_ONLY Explicit two-level consent required for cloud LLM.
Concord's architecture supports compliance with common regulatory frameworks:
| Framework | Supported Features |
|---|---|
| GDPR | Data isolation by user, export capability, deletion support, no profiling |
| SOC 2 | Audit logging, access controls, encryption, incident response |
| HIPAA | Configurable for healthcare use (consult your compliance team) |
- Isolate -- Disconnect affected systems from the network immediately.
- Preserve -- Capture logs, database snapshots, and system state before any changes.
- Rotate -- Change all secrets:
JWT_SECRET,FOUNDER_SECRET,SESSION_SECRET, API keys, and database credentials. - Notify -- Report to the security team at security@concord-os.org.
- Analyze -- Review audit logs (
/api/auth/audit-log), economy audit entries, and nginx access logs to determine scope. - Remediate -- Apply patches, update dependencies, and harden configurations based on findings.
- Communicate -- Notify affected users per your disclosure obligations.
Before deploying to production, verify the following:
-
ENABLE_TERMINAL_EXECis absent or set tofalse -
JWT_SECRETis at least 32 characters (64+ recommended) -
ADMIN_PASSWORDis at least 12 characters -
ALLOWED_ORIGINSis explicitly set (no wildcards) -
NODE_ENVis set toproduction -
GRAFANA_USERandGRAFANA_PASSWORDare explicitly set (no defaults) - nginx security headers verified via
curl -I https://your-domain.com -
/api/statusconfirms"exec": false -
npm auditshows no high or critical findings - Grafana bound to localhost or behind VPN
- TLS certificate is valid and HSTS is active
- Backup directory permissions set to
700 - Log rotation is configured
This document is maintained alongside the codebase. If you identify inaccuracies or have suggestions for improvement, please submit a pull request or contact security@concord-os.org.