This document reflects the security controls currently implemented in the Rust engine and frontend runtime.

The engine requires an access token outside tests. Configure one of:

NEURAL_TOKEN=your-secret-token
NEURAL_ENGINE_ACCESS_TOKEN=your-secret-token

Protected REST requests use:

Authorization: Bearer <token>

The auth middleware is implemented in server-rs/src/middleware/auth.rs and uses constant-time token comparison via the subtle crate.

Browser WebSocket upgrades may pass auth through:

Sec-WebSocket-Protocol: bearer.<token>

Public bypasses currently exist for:

• GET /v1/engine/health
• GET /v1/engine/ws
• GET /v1/engine/live-voice

Route protection is applied in server-rs/src/router.rs.

The router applies these controls:

• boot readiness gate
• auth brute-force limiter
• security headers
• request ID injection
• rate-limit headers
• tracing spans
• deprecation middleware
• request timeout
• response compression
• CORS

Security headers are injected by server-rs/src/middleware/security_headers.rs:

• Content-Security-Policy
• Strict-Transport-Security
• X-Content-Type-Options
• X-Frame-Options
• Referrer-Policy

server-rs/src/middleware/cors.rs enforces an allow-list from ALLOWED_ORIGINS.

Behavior:

• ALLOWED_ORIGINS=* enables wildcard troubleshooting mode and disables credentials.
• A comma-separated list enables those exact origins with credentials.
• An empty value falls back to local development origins: localhost/127.0.0.1 on ports 5173 and 3000, plus tauri://localhost.

Secret redaction is centralized through server-rs/src/secret_redactor.rs and used by AppState broadcast helpers before log/event publication.

Sensitive environment keys include:

• NEURAL_TOKEN
• cloud provider API keys
• other provider and credential-style values recognized by the redactor

Logs and telemetry should never intentionally include raw token values.

server-rs/src/security/scanner.rs implements command/script risk detection. It checks:

• known loaded secrets
• common API key formats
• raw secret export patterns
• command concatenation such as ;, &&, and ||
• pipes and redirection
• command substitution
• optional aggressive checks when AGGRESSIVE_SECURITY=true

The scanner is intentionally conservative and can flag valid complex shell commands. Risky results should be treated as requiring review rather than automatically safe execution.

Security state is owned by SecurityHub in server-rs/src/state/hubs/sec.rs and assembled through AppState.

The security hub includes:

• Merkle audit trail
• budget guard
• shell scanner
• secret redactor
• system monitor
• permission policy
• deploy token

Oversight/security API routes are exposed under /v1/oversight/security/*.

PRIVACY_MODE=true steers runtime behavior toward local-only provider use. The privacy guard is started from startup::spawn_background_tasks.

Local insecure model-provider HTTP can be allowed with:

TADPOLE_ALLOW_LOCAL_HTTP=true

Before deploying beyond local development:

1. Set a strong NEURAL_TOKEN or NEURAL_ENGINE_ACCESS_TOKEN.
2. Set ALLOWED_ORIGINS explicitly for deployed or shared environments.
3. Validate that .env is excluded from source control.
4. Run frontend and Rust test suites.
5. Confirm protected endpoints reject missing and invalid bearer tokens.
6. Confirm the dashboard stores and sends the same token configured for the engine.
7. Review feature gates before enabling vector-memory or neural-audio.