- Configure `BACKEND_SENTRY_DSN` to capture backend exceptions.
- Configure `VITE_SENTRY_DSN` to capture frontend runtime failures.
- Review `nexus.auditlog` entries for `media.create`, `media.suggest`, and chat activity.
- Use `GET /healthz` for uptime and readiness checks.
- Access tokens live in `HttpOnly` cookies and are rotated through `/auth/refresh`.
- The suggestion endpoint is rate-limited per user and can use Redis for multi-instance enforcement.
- Authentication rate limiting only trusts `X-Forwarded-For` from explicitly configured proxy IPs.
- LLM-bound library context is scrubbed, masked, and wrapped in strict XML delimiters.
- Chat history sent to Gemini is reduced to a recent window, scrubbed for prompt-injection markers, and PII-masked.
- `takeaway` writes require `TAKEAWAY_ENCRYPTION_KEY` so sensitive notes are not persisted in plaintext.
- Chat content is encrypted at rest when `TAKEAWAY_ENCRYPTION_KEY` is configured.
- CI runs Ruff, pytest, Bandit, pip-audit, npm audit, and gitleaks.
- Set Supabase JWT expiry to 15 minutes.
- Enable Supabase Point-in-Time Recovery (PITR).
- Configure `COOKIE_SECURE=true` and `COOKIE_DOMAIN` for your production domain.
- Configure `TRUSTED_PROXY_IPS` so auth throttling only trusts your reverse proxy tier.
- Provide a stable `TAKEAWAY_ENCRYPTION_KEY`.
- Provide a non-default `AUDIT_LOG_SALT`.
- Configure `REDIS_URL` for distributed rate limiting.
- Apply Terraform with live provider credentials and review generated infrastructure drift.
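As an added example (not the project's own code) of the `TRUSTED_PROXY_IPS` / `X-Forwarded-For` rule above: resolve the address an auth rate limiter should key on, honouring the header only when the connecting peer is a configured proxy, so a direct client cannot dodge throttling by forging the header. The function names and the comma-separated IP/CIDR format assumed for `TRUSTED_PROXY_IPS` are assumptions, not the project's API.

```python
# Added example, not the project's own code. Assumes TRUSTED_PROXY_IPS holds a
# comma-separated list of IPs or CIDRs (e.g. "10.0.0.5, 10.1.0.0/24").
import ipaddress
from typing import Optional


def parse_trusted_proxies(raw: str) -> list:
    """Parse a TRUSTED_PROXY_IPS-style value into ip_network objects."""
    nets = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _is_trusted(addr: str, trusted: list) -> bool:
    """True if addr parses and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_for_throttling(remote_addr: str, x_forwarded_for: Optional[str],
                             trusted: list) -> str:
    """Return the address the auth rate limiter should key on.

    If the peer is not a trusted proxy, X-Forwarded-For is ignored entirely:
    a direct client must not be able to rotate its apparent IP via the header.
    Otherwise walk the header right-to-left, skip our own proxy hops, and key
    on the first address that is not a configured proxy.
    """
    if not _is_trusted(remote_addr, trusted) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))  # normalise; reject garbage
        except ValueError:
            break  # malformed header: fall back to the proxy's own address
    return remote_addr
```

If every hop in the header is a trusted proxy (or the header is malformed), the limiter falls back to the proxy's own address rather than trusting unverifiable input.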