Security & Privacy

All data is stored in local Docker containers — ChromaDB for vector embeddings, Neo4j for the knowledge graph, and Redis for caching. Only the relevant context from your queries is sent to the LLM provider you choose. You can run Ollama for fully offline operation with zero data leaving your network.

All API keys and credentials are encrypted using the Fernet symmetric encryption scheme before storage. The master encryption key is set via the CERID_ENCRYPTION_KEY environment variable. Secrets are managed with age encryption. Environment variables are never committed to git — a comprehensive .env.example documents all available options.

When CERID_MULTI_USER is enabled, the system uses JWT-based authentication with bcrypt password hashing (cost factor 12). Access tokens are short-lived (15 minutes) with separate refresh tokens (7 days) that support revocation. Per-user API key management enables programmatic access with usage metering.

STRICT_AGENTS_ONLY=true wires a FastAPI router-level dependency that returns 403 on every /custom-agents endpoint before the request body executes — no Neo4j hit, no agent load, no runtime exposure. The flag is read at request time so operators can flip it without restarting the process. Every denial is logged at WARNING for incident-response audit. The 10 built-in specialist agents remain available. Designed for regulated deployments where end-user agent customization isn't acceptable.

MCP_CLIENT_MODE supports three modes: permissive (every configured server callable, default), allowlist (only servers in MCP_CLIENT_ALLOWLIST), and disabled (every external MCP call denied — kill switch). Every call emits a structured INFO log with tool, server, status (ok/fail/denied), and elapsed time, plus a Sentry breadcrumb. Denials happen before the wire — the policy fires at the FastAPI dependency layer. Both env vars are read per call so operators can flip without restart. The governance layer is the differentiator vs other platforms whose MCP clients have no allowlist or audit.

A sliding-window rate limiter enforces per-client quotas via the X-Client-ID header. Default limits are 20 req/min for the GUI, 80 req/min for trading agents, and 10 req/min for unknown clients. Path-specific limits protect ingestion and agent endpoints from abuse. All limits are configurable via CONSUMER_REGISTRY.

Redis requires authentication. All database ports (Neo4j 7474/7687, ChromaDB 8001, Redis 6379) are bound to 127.0.0.1 — not accessible from the network. Docker containers have memory and CPU resource limits. Nginx and optional Caddy reverse proxy add security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security).

Neo4j credentials are validated on every health check to catch misconfigurations early. The ChromaDB reset endpoint is disabled in production to prevent accidental data loss. All database queries use parameterization to prevent injection attacks. Content hashes use SHA-256 with a UNIQUE constraint for atomic deduplication.

Export your entire knowledge base as JSONL files at any time via the sync API. Import on another machine or restore from backup. Switch LLM providers freely — Cerid routes through OpenRouter supporting 20+ model providers. Run Ollama locally for zero external dependencies. All data formats are open and documented.

An optional Caddy reverse proxy provides automatic HTTPS with Let's Encrypt certificates. The startup script detects all network interfaces and configures LAN access URLs for iPad and other devices. CORS origins are restricted to configured domains. Stale IP addresses are automatically detected and corrected on startup.

The 8-job CI pipeline includes: detect-secrets scanning all tracked files, bandit static analysis for Python security issues, pip-audit for dependency vulnerabilities (including transitive), Trivy container image scanning for CRITICAL/HIGH CVEs, ruff linting with inline tier-check enforcement, and mypy type checking. All jobs must pass before the Docker image is built.