Warrior AI — Security Documentation
Full security analysis of the Vultr VPS / Hono Gateway / Dify CE 1.13.0 / Firebase stack. Three specialist reports covering LLM & Prompt Injection, Network & Infrastructure, and Data & Authentication. 42 Anna's Gate checklist items. Two ADRs proposed.
Report A (LLM & Prompt Injection): prompt injection attack paths at the Gateway, at agent nodes, and at the Variable Assigner. RAG poisoning via Qdrant write access. Cross-tenant write risk via an LLM-influenced user_id. 15 checklist items (A-01 – A-15).
Report B (Network & Infrastructure): WARAI-69 resolution, binding the Gateway to 127.0.0.1 behind an nginx reverse proxy (Option C, recommended). Qdrant API key implementation. Docker network segmentation from a single flat network to 5 named trust tiers. SSRF/Bridge reachability analysis. 12 checklist items (B-01 – B-12).
Report C (Data & Authentication): Firebase Admin SDK bypass risk model. user_id trust chain integrity gap (Gateway → Dify → Bridge). JWT attack surface (5 scenarios). Firebase service account secret management. PII classification: Power Stacks, Door Cards and Bible Stacks are GDPR Article 9 special category data. 15 checklist items (C-01 – C-15).
10 findings from the three-report audit. Two resolved at launch. Eight require implementation before production go-live.

| ID | Finding | Severity | Section | JIRA |
|---|---|---|---|---|
| F-01 | Bridge trusts user_id from Dify LLM output without re-verification | CRITICAL | C.1, C.2 | WARAI-74 |
| F-02 | Gateway binds 0.0.0.0:3000 — firewall-only defence | HIGH | B.1 | WARAI-69 |
| F-03 | Qdrant has no API key — any container can read/write vector corpus | HIGH | B.2 | WARAI-76 |
| F-04 | verifyIdToken() missing checkRevoked: true — 1h replay window | HIGH | C.7 | WARAI-75 |
| F-05 | Docker network is flat — sandbox can reach database | HIGH | B.3 | WARAI-77 |
| F-06 | Injection pattern blocklist absent at Gateway | HIGH | A.1 | WARAI-78 |
| F-07 | No identity anchor in agent system prompts | HIGH | A.6 | WARAI-79 |
| F-08 | .env file permissions unverified — may be 644 | HIGH | C.4 | WARAI-80 |
| F-09 | SSRF proxy blocklist may not cover Docker bridge gateway IP | CRITICAL | B.4 | WARAI-81 |
| F-10 | Stack content (Power Stacks, Door Cards) unencrypted at rest | HIGH | C.6 | WARAI-82 [ESCALATE] |
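Finding F-09 turns on whether the SSRF proxy's blocklist includes the Docker bridge gateway. The block below is an added example, not code from the Warrior AI project, of the check that makes the gap visible: a naive IPv4 blocklist of the shape F-09 warns about, beside a hardened list that also covers 172.16.0.0/12 (docker0 sits at 172.17.0.1 by default and user-defined bridges are allocated from the same /12), link-local and the other non-routable ranges. The list contents, the helper names and the fail-closed policy are assumptions for illustration.

```typescript
// Added example: IPv4 egress guard for an SSRF proxy / sandbox outbound fetch.
// Both blocklists and all names are constructed for illustration, not the project's config.
// The guard handles literal IPv4 addresses only: the caller must resolve hostnames itself,
// re-check every resolved address and pin the connection to it (otherwise DNS rebinding
// swaps a public name for an internal address after the check).

interface Cidr {
  base: number; // network address as an unsigned 32-bit number
  bits: number; // prefix length
}

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null; // rejects "0x7f", empty octets and other odd spellings
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

function parseCidr(cidr: string): Cidr {
  const [addr, prefix] = cidr.split("/");
  const base = ipv4ToInt(addr);
  const bits = Number(prefix);
  if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  return { base, bits };
}

function inCidr(ip: number, { base, bits }: Cidr): boolean {
  const blockSize = 2 ** (32 - bits); // integer division avoids signed 32-bit shift pitfalls
  return Math.floor(ip / blockSize) === Math.floor(base / blockSize);
}

// A blocklist of the kind F-09 describes: loopback plus two RFC 1918 ranges, but not 172.16.0.0/12.
// From a container, 172.17.0.1 (the docker0 gateway) reaches anything on the host bound to 0.0.0.0,
// e.g. a Gateway listening on 0.0.0.0:3000 as in F-02.
const NAIVE_BLOCKLIST: Cidr[] = ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"].map(parseCidr);

// Hardened list: all of RFC 1918, link-local (cloud metadata at 169.254.169.254),
// "this network" (0.0.0.0/8) and the CGNAT range.
const HARDENED_BLOCKLIST: Cidr[] = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
].map(parseCidr);

// Returns true when the destination must be refused. Unparseable input is refused (fail closed).
function isBlockedDestination(ip: string, blocklist: Cidr[]): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return blocklist.some((c) => inCidr(n, c));
}
```

The naive list lets `172.17.0.1` and `169.254.169.254` through; the hardened list refuses both while still allowing public addresses such as `172.32.0.1`, which lies just outside the /12.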
ADR-W026 (HMAC user_id signing): restores cryptographic provenance along the Gateway → Dify → Bridge trust chain. The Gateway mints a short-lived HMAC-signed token containing the Firebase-verified user_id. The Bridge verifies the HMAC before trusting any user_id carried in Dify conversation variables, so that neither a direct call to the Bridge nor a prompt-injected user_id substitution can write as another user.
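The token flow described above, as an added TypeScript example rather than the project's ADR-W026 implementation: HMAC-SHA256 from Node's crypto module over a base64url JSON payload, a constant-time MAC check on the Bridge, and a write-path gate that refuses any Dify-supplied user_id that does not equal the signed one. The secret value, the claim names, the 300 s TTL and the `payload.mac` encoding are all assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Added example of the ADR-W026 token flow, not the project's implementation.
// DEMO_SECRET, the claim names, the 300 s TTL and the "payload.mac" encoding are assumptions.
// In deployment the secret is shared out-of-band between Gateway and Bridge only;
// Dify and the sandbox must never see it, or the LLM path could mint its own tokens.
const DEMO_SECRET = "example-secret-replace-with-32-random-bytes-from-env";

interface UserClaims {
  user_id: string; // the Firebase-verified uid established at the Gateway
  iat: number;     // issued-at, Unix seconds
  exp: number;     // expiry, Unix seconds
  nonce: string;   // per-token randomness; lets the Bridge keep a short replay cache if wanted
}

const nowSeconds = (): number => Math.floor(Date.now() / 1000);

function hmac(payload: string, secret: string): string {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

// Gateway side: called only after firebase-admin verifyIdToken() has succeeded for this request.
function mintUserToken(userId: string, secret: string, ttlSeconds = 300, now = nowSeconds()): string {
  const claims: UserClaims = {
    user_id: userId,
    iat: now,
    exp: now + ttlSeconds,
    nonce: randomBytes(12).toString("base64url"),
  };
  const payload = Buffer.from(JSON.stringify(claims), "utf8").toString("base64url");
  return `${payload}.${hmac(payload, secret)}`;
}

// Bridge side: returns the claims only if the MAC matches and the token is unexpired; null otherwise.
function verifyUserToken(token: string, secret: string, now = nowSeconds()): UserClaims | null {
  const dot = token.indexOf(".");
  if (dot < 0) return null;
  const payload = token.slice(0, dot);
  const mac = Buffer.from(token.slice(dot + 1), "utf8");
  const expected = Buffer.from(hmac(payload, secret), "utf8");
  // Constant-time compare; the length check comes first because timingSafeEqual throws on unequal lengths.
  if (mac.length !== expected.length || !timingSafeEqual(mac, expected)) return null;
  let claims: UserClaims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as UserClaims;
  } catch {
    return null;
  }
  if (typeof claims.user_id !== "string" || claims.user_id.length === 0) return null;
  if (!Number.isInteger(claims.exp) || claims.exp <= now) return null;
  return claims;
}

// Bridge write path (F-01): the user_id that arrived through Dify conversation variables is
// LLM-influenced and is accepted only when it equals the user_id inside a valid Gateway token.
function authorizeWrite(token: string, difyUserId: string, secret: string, now = nowSeconds()): string | null {
  const claims = verifyUserToken(token, secret, now);
  if (claims === null) return null;
  if (claims.user_id !== difyUserId) return null; // substitution via prompt injection or a direct Bridge call
  return claims.user_id;
}
```

The token must travel alongside the Dify request as opaque data the workflow cannot alter in a way that still verifies; swapping the payload for one naming another user invalidates the MAC, and swapping the whole token for an old one fails once `exp` has passed. Rotate the secret as an ordinary credential and treat its exposure to any LLM-adjacent container as a full compromise of the chain.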
ADR-W027 (Docker network segmentation): replaces the current flat Docker network with 5 named trust tiers. The dify-sandbox container (untrusted AI code execution) is isolated from dify-db and dify-redis. The Bridge is isolated from the Dify/LLM containers. Gateway and Bridge communicate only over a dedicated gateway-network. The plugin daemon is fully isolated on plugin-isolated.
| Ticket | Summary | Severity |
|---|---|---|
| WARAI-74 | HMAC user_id signing (ADR-W026) | HIGH |
| WARAI-75 | checkRevoked: true on verifyIdToken | HIGH |
| WARAI-76 | Qdrant API key | HIGH |
| WARAI-77 | Docker network segmentation (ADR-W027) | HIGH |
| WARAI-78 | Injection pattern blocklist at Gateway | HIGH |
| WARAI-79 | Identity anchor in all agent system prompts | HIGH |
| WARAI-80 | .env permissions 600 + git history scan | HIGH |
| WARAI-81 | Firestore Security Rules audit | HIGH |
| WARAI-82 | Code Node pre-write validation gate | HIGH |
All S-01–S-20 must be GREEN before production launch. Full per-section checklists (A-01–A-15, B-01–B-12, C-01–C-15) are in the three source reports.
Re-run security analysis upon any of the following events: