Security posture

MemoryNode runs as a single Cloudflare Worker with Supabase as the data plane. This document captures the current launch security model.

Authentication modes

  • API routes use x-api-key (hashed at rest).
  • Dashboard routes use session cookie + CSRF token.
  • Admin routes use x-admin-token and optional ADMIN_ALLOWED_IPS allowlist.
  • Billing webhook routes use PayU signature verification and a shared webhook secret.

Core controls

  • Per-key and per-route rate limits.
  • Workspace concurrency caps for write-heavy routes.
  • Cost guardrails for AI-heavy operations.
  • Request ID and audit event logging for privileged operations.
  • Tenant isolation checks on memory read/write/search paths.
  • Webhook internal token auth is route-bound to POST /v1/memories only (not accepted as a general alternate auth mode across routes).
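
The admin allowlist and the route-bound internal token described above, shown as an added example (not MemoryNode's own code). The x-internal-token header name, the ADMIN_TOKEN and INTERNAL_TOKEN variable names, and the comma-separated ADMIN_ALLOWED_IPS format are assumptions.

```typescript
// Added illustration, not MemoryNode source. Assumed: header name
// x-internal-token, env names ADMIN_TOKEN / INTERNAL_TOKEN, and a
// comma-separated ADMIN_ALLOWED_IPS. Header keys are expected lowercased.
type Env = { ADMIN_TOKEN?: string; INTERNAL_TOKEN?: string; ADMIN_ALLOWED_IPS?: string };
type Req = { method: string; path: string; ip: string; headers: Record<string, string | undefined> };

// Constructed sample configuration (documentation IP ranges, dummy secrets).
const sampleEnv: Env = {
  ADMIN_TOKEN: "adm-secret",
  INTERNAL_TOKEN: "int-secret",
  ADMIN_ALLOWED_IPS: "198.51.100.10, 198.51.100.11",
};

// Compare a presented secret with the configured one without an early exit.
// An unset or empty configured secret never matches (fail closed).
function secretMatches(presented: string, configured: string | undefined): boolean {
  if (!configured) return false;
  let diff = presented.length ^ configured.length;
  for (let i = 0; i < configured.length; i++) {
    diff |= (presented.charCodeAt(i) || 0) ^ configured.charCodeAt(i);
  }
  return diff === 0;
}

// Internal webhook token: honoured on exactly one method and path, so a
// valid token presented anywhere else is rejected before it is compared.
function checkInternalToken(req: Req, env: Env): string {
  const token = req.headers["x-internal-token"];
  if (token === undefined) return "not_presented";
  if (req.method !== "POST" || req.path !== "/v1/memories") return "rejected_wrong_route";
  return secretMatches(token, env.INTERNAL_TOKEN) ? "accepted" : "rejected_bad_token";
}

// Admin routes: the allowlist, when configured, is checked before the token.
function checkAdmin(req: Req, env: Env): string {
  const allowed = (env.ADMIN_ALLOWED_IPS || "")
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s !== "");
  if (allowed.length > 0 && allowed.indexOf(req.ip) === -1) return "rejected_ip";
  const token = req.headers["x-admin-token"] || "";
  return secretMatches(token, env.ADMIN_TOKEN) ? "accepted" : "rejected_bad_token";
}
```

The fail-closed branch in secretMatches matters most when a secret is missing from the deployed environment: an empty presented token must not match an unset one.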

Secrets

  • Store secrets via wrangler secret put; never commit to git.
  • Required production secrets are validated by pnpm check:config.
  • Local examples remain in *.example files only.

Operational checks

  • pnpm secrets:check:tracked
  • pnpm check:wrangler
  • pnpm check:config
  • pnpm test