Commit a041703

Skiipy11 and claude committed
Update docs: add security section, update production checklist and comparison table
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 7ffc888 commit a041703

1 file changed

Lines changed: 10 additions & 1 deletion

README.md

@@ -113,6 +113,13 @@ They **cannot**:
113113

114114
This is by design. Autonomous agents like OpenClaw run unattended on separate machines. If one hallucinates or goes off-script, the worst it can do is store bad data — it can't destroy good data. Compare that to systems where the agent has direct SQLite access on the same machine: one bad command and your memory is gone.
115115

116+
### Security
117+
118+
- **Timing-safe authentication** — API key comparison uses `crypto.timingSafeEqual()` to prevent timing attacks
119+
- **Rate limiting** — Failed authentication attempts are rate-limited per IP (10 failures/minute before lockout)
120+
- **Startup validation** — The API refuses to start without required environment variables configured
121+
- **Credential scrubbing** — All stored content is scrubbed for API keys, tokens, passwords, and secrets before storage
122+
116123
### Session Briefings
117124

118125
Start every session by asking "what happened since I was last here?" The briefing endpoint returns categorized updates from all other agents, excluding the requesting agent's own entries. No more context loss between sessions.
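
Review bot: The rate-limiting bullet (new line 119) says failures are counted per IP but not which IP is counted once the API sits behind the reverse proxy that the Production Checklist recommends, and it gives no lockout duration. Behind nginx/Caddy every request arrives from the proxy's address unless a forwarded header is trusted, so either one client's failures lock out all callers or the limit keys on a client-supplied header. Suggest stating where the client IP comes from and how long the lockout lasts. The timing-safe bullet (new line 118) could also say how keys of different length are handled, since `crypto.timingSafeEqual()` throws when its two inputs differ in byte length. The credential-scrubbing bullet (new line 121) says "All stored content", which reads as a guarantee; if the scrubbing is pattern-based, wording it as best-effort would be more accurate.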
@@ -141,6 +148,7 @@ This means you get both "find memories similar to X" *and* "give me all facts wi
141148
| Memory decay / confidence scoring | **Yes** | No | No | No |
142149
| Content deduplication | **Hash-based** | LLM-based | No | No |
143150
| Credential scrubbing | **Yes** | No | No | No |
151+
| Timing-safe auth + rate limiting | **Yes** | No | No | No |
144152
| Session briefings | **Yes** | No | No | No |
145153
| Pluggable embeddings | OpenAI, Ollama | Multiple | Local ONNX | No |
146154
| Pluggable storage backends | SQLite, Postgres, Baserow | Multiple vector DBs | SQLite, Cloudflare | File |
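
Review bot: The new row at line 151 marks the three other columns "No" for timing-safe auth and rate limiting, but the commit gives no source for those entries, and constant-time comparison is an implementation detail that projects rarely document either way. Suggest linking the evidence for each "No", or using "Not documented" where it was not verified. The row also merges two independent controls into one cell; splitting it into two rows would keep a "Yes" from implying both when a system has only one.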
@@ -497,10 +505,11 @@ node src/index.js
497505

498506
### Production Checklist
499507

500-
- Set a strong, unique `BRAIN_API_KEY`
508+
- Set a strong, unique `BRAIN_API_KEY` (rate limiting protects against brute force)
501509
- Run Qdrant with authentication enabled (`QDRANT_API_KEY`)
502510
- Use PostgreSQL instead of SQLite for structured storage
503511
- Place the API behind a reverse proxy (nginx/Caddy) with TLS
512+
- Bind to `127.0.0.1` (default) or a specific LAN IP — not `0.0.0.0` in production
504513
- Set `CONSOLIDATION_MODEL` to match your budget/quality needs
505514
- Monitor `/health` and `/stats` endpoints
506515
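
Review bot: The parenthetical added at line 508, "(rate limiting protects against brute force)", undercuts the instruction it is attached to. The limit described in the Security section is per IP (10 failures/minute), which slows a single source but does not bound guesses spread across many addresses, so key strength remains the actual control. Suggest dropping the parenthetical or rewording it so rate limiting reads as an additional layer. At line 512, "or a specific LAN IP" sits next to the item that puts the API behind a TLS reverse proxy; binding to a LAN address exposes the API port directly on that network, so it would help to say this is for the case where the proxy runs on a different host.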
