Security
Authentication
Three-Tier Token Model
| Token Type | Who Uses It | What It Accesses |
|---|---|---|
| Agent Token | AI agents | MCP tools scoped to their agent ID |
| Orchestrator Token | Admins | Admin endpoints, billing, provider config |
| Demo Mode | Development | Everything (auth bypassed) |
Agent Tokens
Every MCP tool call requires a security token bound to an agent ID.
- Generated during provisioning (`comms_provision_channels`)
- Stored as SHA-256 hashes in the `agent_tokens` table; only the digest is persisted, so a read of the table does not yield usable tokens
- Passed via SSE as a query parameter: `/sse?token=<agent-token>`
- Impersonation guard: each token is bound to a specific `agentId`, so a token issued to one agent cannot be presented on behalf of another

Because the token travels in the query string, keep `/sse` request URLs out of access logs, proxy logs and browser history.
Orchestrator Token
```bash
ORCHESTRATOR_SECURITY_TOKEN=your-secret-here
```
Required for admin operations. Passed as a bearer header: `Authorization: Bearer <ORCHESTRATOR_SECURITY_TOKEN>`.
Demo Mode
When `DEMO_MODE=true`, all authentication is bypassed. Never enable it in production.
Webhook Signature Verification
Twilio
- Validates `X-Twilio-Signature` (base64 HMAC-SHA1 over the full request URL and the POST parameters, keyed with the Twilio auth token)
- Replay prevention: in-memory nonce cache with a 5-minute TTL. The cache is per process, so it does not cover a restart or a second instance behind a load balancer.
Resend
- Validates the Svix signature headers (`svix-id`, `svix-timestamp`, `svix-signature`)
- Rejects messages whose `svix-timestamp` is more than 5 minutes old
Input Sanitization
All user-supplied input is validated before use, with checks for SQL injection, XSS, CRLF injection, path traversal and command injection. Treat these checks as defence in depth rather than the primary control: parameterized queries, output encoding and argv-style process spawning at the point of use are what actually prevent the injection classes listed.
Encryption
Provider credentials are encrypted at rest with AES-256-GCM.
```bash
CREDENTIALS_ENCRYPTION_KEY=<64-char-hex-string>
```
The 64 hex characters decode to the 32-byte (256-bit) key AES-256 requires; generate one with `openssl rand -hex 32` and keep it out of version control.
HTTP Security Headers
| Header | Value |
|---|---|
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Content-Security-Policy | Strict for API, relaxed for admin UI |
| Strict-Transport-Security | Production only |
Rate Limiting
HTTP Level
```bash
HTTP_RATE_LIMIT_PER_IP=60   # requests/min per IP
HTTP_RATE_LIMIT_GLOBAL=100  # total requests/min
```
Per-IP limits are only meaningful behind a reverse proxy if the server is configured to trust that proxy's forwarded client address; otherwise every request appears to come from the proxy.
MCP Tool Level
| Limit | Default |
|---|---|
| Per-minute burst | 10 actions/min |
| Per-hour sustained | 100 actions/hour |
| Per-day cap | 500 actions/day |
| Per-number frequency | 2 calls/day to same number |
| Daily spending | $10/day |
| Monthly spending | $100/month |
Brute-Force Protection
Ten failed authentication attempts from one IP trigger a 15-minute lockout of that IP and a HIGH-severity alert.
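The MCP tool-level limits and the failed-auth lockout above share one mechanism, a sliding-window count per key, so they are shown together as an added example (not the project's own code). The in-memory event log, counting the 10 failures over the same 15 minutes as the lockout, "monthly" approximated as 30 days, per-action cost in cents and the alert array are all assumptions.

```javascript
// Added example, not the project's own code: sliding-window enforcement of the
// MCP tool limits (burst / sustained / daily / per-number / spending) and the
// failed-auth lockout. Windows for the lockout count and "monthly" are assumptions.
const MIN = 60 * 1000, HOUR = 60 * MIN, DAY = 24 * HOUR;
const LONGEST_WINDOW = 30 * DAY; // "monthly" approximated as 30 days

// events: key -> ascending timestamps (ms). Keys are an agent ID, an
// "agent|number" pair, or "auth-fail|ip".
const events = new Map();
function countInWindow(key, windowMs, now) {
  return (events.get(key) || []).filter((t) => t > now - windowMs).length;
}
function record(key, now) {
  const kept = (events.get(key) || []).filter((t) => t > now - LONGEST_WINDOW);
  kept.push(now);
  events.set(key, kept);
}

// Spending per agent, in cents so the totals stay exact.
const spend = new Map(); // agent -> [{ t, cents }]
function spentInWindow(agent, windowMs, now) {
  return (spend.get(agent) || [])
    .filter((e) => e.t > now - windowMs)
    .reduce((sum, e) => sum + e.cents, 0);
}

const ACTION_LIMITS = [
  { name: "per-minute burst", window: MIN, max: 10 },
  { name: "per-hour sustained", window: HOUR, max: 100 },
  { name: "per-day cap", window: DAY, max: 500 },
];

// Evaluate every limit before recording anything, so a rejected action does
// not consume quota. Returns the first limit that would be exceeded.
function checkToolAction(agent, toNumber, costCents, now = Date.now()) {
  for (const l of ACTION_LIMITS) {
    if (countInWindow(agent, l.window, now) >= l.max) return { ok: false, limit: l.name };
  }
  const pairKey = `${agent}|${toNumber}`;
  if (countInWindow(pairKey, DAY, now) >= 2) return { ok: false, limit: "per-number frequency" };
  if (spentInWindow(agent, DAY, now) + costCents > 1000) return { ok: false, limit: "daily spending" };
  if (spentInWindow(agent, 30 * DAY, now) + costCents > 10000) return { ok: false, limit: "monthly spending" };
  record(agent, now);
  record(pairKey, now);
  const kept = (spend.get(agent) || []).filter((e) => e.t > now - LONGEST_WINDOW);
  kept.push({ t: now, cents: costCents });
  spend.set(agent, kept);
  return { ok: true };
}

// Brute-force protection: the 10th failed attempt from an IP (counted over the
// same 15 minutes, an assumption) locks that IP out for 15 minutes and raises
// a HIGH alert. The alerts array stands in for the real alert sink.
const lockouts = new Map(); // ip -> lockout expiry (ms)
const alerts = [];
function isLockedOut(ip, now = Date.now()) {
  const expiry = lockouts.get(ip);
  if (expiry === undefined) return false;
  if (expiry <= now) { lockouts.delete(ip); return false; }
  return true;
}
function recordAuthFailure(ip, now = Date.now()) {
  const key = `auth-fail|${ip}`;
  record(key, now);
  if (countInWindow(key, 15 * MIN, now) >= 10 && !isLockedOut(ip, now)) {
    lockouts.set(ip, now + 15 * MIN);
    alerts.push({ severity: "HIGH", rule: "auth lockout", ip, at: now });
  }
}
```

Checking all windows before recording is the important ordering: if the minute check recorded the action before the daily check ran, a caller hammering a capped agent would keep burning its own hourly budget on rejected calls.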
IP Filtering
```bash
ADMIN_IP_ALLOWLIST=10.0.0.1,10.0.0.2
IP_DENYLIST=1.2.3.4
```
Both are comma-separated lists. `ADMIN_IP_ALLOWLIST` restricts admin access to the listed addresses; `IP_DENYLIST` rejects requests from the listed addresses.
Anomaly Detection
Runs every 60 seconds:
| Pattern | Severity |
|---|---|
| Actions > 3x previous window | MEDIUM |
| >10 failed auth per IP in 5 min | HIGH |
| >3 tokens for same agent in 1 hour | MEDIUM |
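The three rules in the table as one sweep over an in-memory event log, the way a job running every 60 seconds would evaluate them, added here as an example that is not the project's own code. The event shape, using the previous 60 seconds as the baseline for the "3x" rule, and the alert format are assumptions.

```javascript
// Added example, not the project's own code: the three anomaly rules as one
// detection pass over an event log. Event shape, the 60-second baseline for
// the "3x" rule, and the alert format are assumptions.
const MIN = 60 * 1000;

// Constructed event shape: { type: "action" | "auth_fail" | "token_issued", t, agentId?, ip? }
function inRange(events, type, from, to) {
  return events.filter((e) => e.type === type && e.t > from && e.t <= to);
}
function countBy(list, field) {
  const counts = new Map();
  for (const e of list) counts.set(e[field], (counts.get(e[field]) || 0) + 1);
  return counts;
}

function detectAnomalies(events, now = Date.now()) {
  const alerts = [];

  // Rule 1: action volume in the current window vs the previous one. A baseline
  // of zero is skipped, otherwise the first action after a quiet period would alert.
  const current = inRange(events, "action", now - MIN, now).length;
  const previous = inRange(events, "action", now - 2 * MIN, now - MIN).length;
  if (previous > 0 && current > 3 * previous) {
    alerts.push({ severity: "MEDIUM", rule: "actions > 3x previous window", current, previous });
  }

  // Rule 2: failed auth per IP over the last 5 minutes.
  for (const [ip, n] of countBy(inRange(events, "auth_fail", now - 5 * MIN, now), "ip")) {
    if (n > 10) alerts.push({ severity: "HIGH", rule: "failed auth per IP", ip, count: n });
  }

  // Rule 3: tokens issued for one agent over the last hour.
  for (const [agentId, n] of countBy(inRange(events, "token_issued", now - 60 * MIN, now), "agentId")) {
    if (n > 3) alerts.push({ severity: "MEDIUM", rule: "tokens per agent", agentId, count: n });
  }
  return alerts;
}
```

Each rule keys on the field it should aggregate by (IP for auth failures, agent for token issuance), so a single attacker spread across two IPs stays under the threshold; correlating by agent or by target number as well is the obvious next step.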
Compliance
| Requirement | Implementation |
|---|---|
| Content filtering | Blocks threats, profanity, hate speech |
| DNC list | Checked before every outbound action |
| TCPA | No calls before 8 AM or after 9 PM |
| CAN-SPAM | Warns if emails lack unsubscribe |
| GDPR | Right to erasure support |
| Recording consent | Two-party consent detection |