Security posture

Defense in depth, by construction.

Six concentric controls. Every regulated path crosses all six. We ship signed images, publish SBOMs, run OWASP ZAP DAST against staging, and verify the audit chain hourly.

Defense in depth

Six controls. No single point of failure.

[Figure: defense-in-depth onion diagram]

Threat model

What we defend against.

Threat × mitigation matrix
| Threat | Mitigations |
| --- | --- |
| Insider misuse (advisor / ops) | Per-resource OpenFGA relationships, OPA access policy, hash-chained audit, hourly verification, content-addressed evidence store with object-lock. |
| External attacker (network) | Kong WAF + rate limiting, mTLS service mesh, short-lived Zitadel JWTs (15-minute exp), Vault secrets with leases, Trivy + Syft SBOM scanning on every build. |
| Supply chain | Cosign-signed container images, SLSA provenance attestations, License Finder allowlist, pinned dependency lockfiles, distroless base images. |
| Data exfiltration | Per-tenant Postgres RLS enforced even on bypass attempts; OPA data_access policy filters every RAG retrieval chunk; PII redaction in logs (Pino allowlist). |
| Denial of service | Kong rate limiting per tenant; LiteLLM cost cap per tenant per day; Redis circuit breakers; HPAs on every deployment; per-task-queue worker pools. |
| Tampering with audit | BEFORE UPDATE/BEFORE DELETE triggers raise "audit_events is append-only". Hash chain breaks if any row changes. Hourly verification. Vault transit signing on chain head. |

Commitments

What we promise. What we ship to prove it.

  • Per-tenant data isolation. Every domain table has an RLS policy keyed on app.tenant_id. CI fails if a new table lacks one.
  • Hash-chained audit. 100% of regulated mutations write an AuditEvent. Hourly Temporal verification.
  • Signed releases. Every container image is cosign-signed; SLSA provenance attestation published.
  • SBOM publishing. Syft generates an SBOM on every release; it is published to the GitHub release.
  • SAST + DAST. ESLint security rules, Trivy filesystem and image scans, OWASP ZAP baseline against staging.
  • Dependency hygiene. npm audit, pip-audit, Maven dependency-check, License Finder decisions file.
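
How a hash chain makes the audit log tamper-evident, as an added sketch that is not Modir's own code. The row layout (payload, prev_hash, hash), SHA-256 over canonical JSON, the all-zero genesis value and the expected_head argument (standing in for the separately signed chain head) are assumptions.

```python
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # assumed prev_hash for the first row


def event_hash(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the row."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


def append(chain: list, payload: dict) -> None:
    """Append-only write: each new row commits to the hash of the row before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"payload": payload, "prev_hash": prev,
                  "hash": event_hash(prev, payload)})


def verify(chain: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad row). With expected_head set, a chain
    whose final hash differs (e.g. trailing rows deleted) fails at len(chain)."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev or row["hash"] != event_hash(prev, row["payload"]):
            return False, i
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample() -> list:
    # Constructed sample events, not real audit data.
    chain: list = []
    for n, action in enumerate(["account.open", "order.place", "order.approve"]):
        append(chain, {"seq": n, "tenant_id": "t-001", "action": action})
    return chain
```

Without an independently stored head, deleting the newest rows leaves a chain that still verifies, which is why the head hash is checked separately.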

Responsible disclosure

If you find something, tell us.

We run a private responsible-disclosure program. Submit at security@modir.org. Findings of severity High or above are triaged within one business day; Critical within four hours. We will credit reporters in release notes on request.

PGP key fingerprint (placeholder): 0x4F1A 9C2E 88B0 2D43 — replace before launch.

We do not pursue legal action against good-faith researchers operating within the scope below.

Scope

  • *.modir.org production endpoints
  • Released container images on ghcr.io/modir-org/modir-*
  • Published SDK packages on npmjs.com/@wealthos/*

Out of scope

  • Denial of service against shared staging
  • Social engineering of Modir employees
  • Findings against third-party services we depend on (please report directly to them)

Security review

Run our security questionnaire.

We respond to standard vendor security questionnaires (CAIQ, SIG, ISO 27001 SoA) within five business days.