HardMax71
diff --git a/‎.github/workflows/release-deploy.yml‎
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/release-deploy.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎docs/SECURITY.md‎
Lines changed: 44 additions & 5 deletions b/‎docs/SECURITY.md‎
Lines changed: 44 additions & 5 deletions
@@ -129,11 +129,14 @@ jobs:
           MAILJET_FROM_ADDRESS: ${{ secrets.MAILJET_FROM_ADDRESS }}
           MAILJET_HOST: ${{ secrets.MAILJET_HOST }}
           GRAFANA_ALERT_RECIPIENTS: ${{ secrets.GRAFANA_ALERT_RECIPIENTS }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
+          MONGO_ROOT_USER: ${{ secrets.MONGO_ROOT_USER }}
+          MONGO_ROOT_PASSWORD: ${{ secrets.MONGO_ROOT_PASSWORD }}
         with:
           host: ${{ secrets.DEPLOY_HOST }}
           username: ${{ secrets.DEPLOY_USER }}
           key: ${{ secrets.DEPLOY_SSH_KEY }}
-          envs: GHCR_TOKEN,GHCR_USER,IMAGE_TAG,GRAFANA_ADMIN_USER,GRAFANA_ADMIN_PASSWORD,MAILJET_API_KEY,MAILJET_SECRET_KEY,MAILJET_FROM_ADDRESS,MAILJET_HOST,GRAFANA_ALERT_RECIPIENTS
+          envs: GHCR_TOKEN,GHCR_USER,IMAGE_TAG,GRAFANA_ADMIN_USER,GRAFANA_ADMIN_PASSWORD,MAILJET_API_KEY,MAILJET_SECRET_KEY,MAILJET_FROM_ADDRESS,MAILJET_HOST,GRAFANA_ALERT_RECIPIENTS,REDIS_PASSWORD,MONGO_ROOT_USER,MONGO_ROOT_PASSWORD
           command_timeout: 10m
           script: |
             set -e
@@ -153,6 +156,9 @@ jobs:
             export MAILJET_FROM_ADDRESS="$MAILJET_FROM_ADDRESS"
             export GF_SMTP_HOST="$MAILJET_HOST"
             export GRAFANA_ALERT_RECIPIENTS="$GRAFANA_ALERT_RECIPIENTS"
+            export REDIS_PASSWORD="$REDIS_PASSWORD"
+            export MONGO_ROOT_USER="$MONGO_ROOT_USER"
+            export MONGO_ROOT_PASSWORD="$MONGO_ROOT_PASSWORD"
             docker compose pull
             docker compose up -d --remove-orphans --no-build --wait --wait-timeout 180
 
 
@@ -4,16 +4,55 @@ Security patches go into `main` and the latest release. If you're running someth
 
 ## Reporting vulnerabilities
 
-Found a security issue? Don't open a public GitHub issue - email [max.azatian@gmail.com](mailto:max.azatian@gmail.com) instead.
+Found a security issue? Don't open a public GitHub issue - email [max.azatian@gmail.com](mailto:max.azatian@gmail.com)
+instead.
 
-Include what you can: vulnerability type, where it occurs, reproduction steps, PoC if you have one. You'll get an acknowledgment within 48 hours. If confirmed, we'll patch it and credit you in the disclosure (unless you prefer to stay anonymous).
+Include what you can: vulnerability type, where it occurs, reproduction steps, PoC if you have one. You'll get an
+acknowledgment within 48 hours. If confirmed, we'll patch it and credit you in the disclosure (unless you prefer to stay
+anonymous).
 
 ## Automated scanning
 
-The CI pipeline runs [Bandit](https://bandit.readthedocs.io/) on the Python backend for static analysis, and [Dependabot](https://docs.github.com/en/code-security/dependabot) keeps dependencies patched across Python, npm, and Docker. For SBOM generation and vulnerability scanning, see [Supply Chain Security](security/supply-chain.md).
+The CI pipeline runs [Bandit](https://bandit.readthedocs.io/) on the Python backend for static analysis,
+and [Dependabot](https://docs.github.com/en/code-security/dependabot) keeps dependencies patched across Python, npm, and
+Docker. For SBOM generation and vulnerability scanning, see [Supply Chain Security](security/supply-chain.md).
+
+## Frontend hardening
+
+The frontend uses a nonce-based Content Security Policy:
+
+- **`script-src 'nonce-...'`** — blocks injected `<script>` tags (XSS). Nonce is per-request, generated by nginx.
+- **`style-src-elem 'nonce-...'`** — blocks injected `<style>` tags.
+- **`style-src-attr 'unsafe-inline'`** — allows `style=""` attributes (required by Svelte transitions and CodeMirror).
+
+Nonce injection is handled by nginx's `sub_filter` directive.
+See [Nginx Configuration](operations/nginx-configuration.md#nonce-injection) for the full mechanism.
 
 ## Runtime hardening
 
-Executor pods run user code with non-root users, read-only filesystems, dropped capabilities, and no service account tokens. Network policies deny all traffic by default. Details in [Network Isolation](security/policies.md).
+Executor pods run user code with non-root users, read-only filesystems, dropped capabilities, user namespace isolation (
+`host_users: false`), and no service account tokens. An optional sandboxed runtime (e.g., gVisor) can be configured via
+`K8S_POD_RUNTIME_CLASS_NAME`.
+
+At the namespace level, the k8s_worker automatically applies:
+
+- **NetworkPolicy** — default-deny ingress + egress for executor pods (blocks lateral movement and exfiltration)
+- **ResourceQuota** — caps aggregate pod, CPU, and memory consumption
+- **Pod Security Admission** — `restricted` profile enforced via namespace labels
+
+Details in [Pod & Namespace Security](security/policies.md).
+
+## Authentication
+
+Password hashing uses `pwdlib` with `BcryptHasher` (configurable rounds). Authentication is cookie-based JWT with CSRF
+protection via the double-submit pattern. See [Authentication](architecture/authentication.md).
+
+## Infrastructure
+
+- Redis is password-protected (`--requirepass`)
+- MongoDB uses authentication (`authSource=admin`)
+- All database ports bound to `127.0.0.1` (not exposed to host network)
+- Docker image versions are pinned to specific patches
+- TLS everywhere (self-signed for development, generated by `cert-generator` container)
 
-Secrets stay out of the repo - `.env` files and credentials are your responsibility to manage in deployment.
+Secrets stay out of the repo — `.env` files and credentials are your responsibility to manage in deployment.