NexusScribe implements enterprise-grade security designed for organizations requiring on-premises data sovereignty and scalability to public deployment.
- Security Architecture
- Authentication
- Authorization
- Secrets Management
- Transport Security
- Input Validation
- Rate Limiting
- Security Headers
- WebSocket Security
- Compliance
- Deployment Security
- Reporting Vulnerabilities
┌─────────────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ TLS 1.3 │ │ CORS │ │ CSP │ │
│ │ (nginx/ │ │ Allowlist │ │ Headers │ │
│ │ native) │ │ │ │ │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │ │
│ └─────────────────┼─────────────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ Rate Limiting │ │
│ │ (Token Bucket) │ │
│ └────────┬────────┘ │
│ │ │
│ ┌─────────────────┼─────────────────┐ │
│ │ │ │ │
│ ┌──────▼──────┐ ┌───────▼───────┐ ┌──────▼──────┐ │
│ │ JWT │ │ Origin │ │ Input │ │
│ │ Auth │ │ Validation │ │ Validation │ │
│ └──────┬──────┘ └───────┬───────┘ └──────┬──────┘ │
│ │ │ │ │
│ └─────────────────┼─────────────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ Authorization │ │
│ │ (RBAC/IDOR) │ │
│ └────────┬────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ Application │ │
│ │ Logic │ │
│ └────────┬────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ Aegis-DB │ │
│ │ (SQL Injection │ │
│ │ Protected) │ │
│ └─────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
NexusScribe uses JSON Web Tokens (JWT) for stateless authentication.
| Token Type | Expiration | Purpose |
|---|---|---|
| Access Token | 1 hour | API access |
| Refresh Token | 30 days | Obtain new access tokens |
| Pre-MFA Token | 5 minutes | Temporary token before MFA verification |
Token Security Features:
- HS256 signing with configurable secret (minimum 32 characters)
- Token blacklisting via SHA-256 hash storage
- Automatic refresh with rotation
- Secure token storage recommendations (HttpOnly cookies)
- TOTP-based (Time-based One-Time Password)
- Compatible with Google Authenticator, Authy, 1Password
- Pre-MFA token flow: Login returns a temporary token that cannot access protected resources until MFA is verified
- Backup codes for account recovery
| Requirement | Value |
|---|---|
| Minimum length | 12 characters |
| Uppercase required | Yes |
| Lowercase required | Yes |
| Digit required | Yes |
| Special character required | Yes |
| Hashing algorithm | Argon2id |
- Threshold: 5 failed login attempts
- Initial lockout: 15 minutes
- Escalation: Doubles with each subsequent lockout (30m, 1h, 2h...)
- Maximum lockout: 24 hours
- Reset: Successful login resets attempt counter
| Role | Permissions |
|---|---|
| Admin | Full access to all resources, user management |
| Editor | Create/edit meetings, full transcript access |
| Viewer | Read-only access to assigned meetings |
| Guest | Limited access to specific shared resources |
All resource endpoints verify user authorization:
// Every meeting endpoint checks access
check_meeting_access(&state, meeting_id, &auth_user, MeetingAccessLevel::Read).await?;Access levels:
Read- View meeting and transcriptWrite- Edit transcript, add commentsAdmin- Delete meeting, manage participants
# Secrets via environment variables
export NEXUS_SCRIBE_SECRET_JWT_SECRET="your-64-char-random-secret"
export NEXUS_SCRIBE_SECRET_DB_PASSWORD="your-db-password"
export NEXUS_SCRIBE_SECRET_LIVEKIT_API_SECRET="your-livekit-secret"NexusScribe integrates with HashiCorp Vault for enterprise secrets management.
Build with Vault support:
cargo build --release --features vaultConfigure Vault:
# config.toml
[vault]
enabled = true
address = "https://vault.your-domain.com:8200"
mount = "secret"
path = "nexusscribe"
cache_ttl_secs = 300Store secrets in Vault:
# Using Vault CLI
vault kv put secret/nexusscribe/jwt_secret value="$(openssl rand -base64 48)"
vault kv put secret/nexusscribe/db_password value="your-secure-password"
vault kv put secret/nexusscribe/livekit_api_secret value="your-livekit-secret"
vault kv put secret/nexusscribe/encryption_key value="$(openssl rand -base64 32)"Vault authentication methods:
- Token (development)
- AppRole (recommended for production)
- Kubernetes (for K8s deployments)
On startup, NexusScribe validates all secrets:
- JWT secret must be at least 32 characters
- No default/insecure patterns allowed (
changeme,password,secret, etc.) - Production mode: Startup fails if secrets are insecure
- Development mode: Warning logged, startup continues
Option 1: nginx reverse proxy (recommended)
server {
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
location / {
proxy_pass http://127.0.0.1:8080;
}
}Option 2: Native TLS termination
# Build with TLS support
cargo build --release --features tls
# Configure in config.toml
[server.tls]
cert_path = "/etc/letsencrypt/live/your-domain/fullchain.pem"
key_path = "/etc/letsencrypt/live/your-domain/privkey.pem"When https_only is enabled:
Strict-Transport-Security: max-age=31536000; includeSubDomains
All database queries use parameterized queries via the sql_escape module:
// Safe - uses escape functions
let sql = format!(
"SELECT * FROM users WHERE email = {}",
escape_string(email)
);
// All escape functions:
// - escape_string() - Strings with quote escaping
// - escape_uuid() - UUID validation
// - escape_timestamp() - DateTime formatting
// - escape_bool() - Boolean literals
// - escape_i64() / escape_usize() - Numeric validationFile operations validate paths:
// Recording IDs must be alphanumeric
fn validate_recording_id(id: &str) -> Result<(), Error> {
if !id.chars().all(|c| c.is_alphanumeric() || c == '-' || c == '_') {
return Err(Error::InvalidInput("Invalid recording ID"));
}
Ok(())
}
// Paths are canonicalized and checked
fn validate_path_within_directory(path: &Path, base: &Path) -> Result<(), Error> {
let canonical = path.canonicalize()?;
if !canonical.starts_with(base.canonicalize()?) {
return Err(Error::InvalidInput("Path traversal detected"));
}
Ok(())
}| Check | Value |
|---|---|
| Maximum file size | 500 MB |
| Magic bytes verification | WAV, MP3, FLAC, OGG, WebM |
| Content-Type validation | Must match detected format |
| Empty file rejection | Yes |
Token bucket algorithm with per-IP tracking:
| Endpoint Category | Limit | Window |
|---|---|---|
Authentication (/api/v1/auth/*) |
5 requests | 60 seconds |
MFA (/api/v1/mfa/*) |
5 requests | 60 seconds |
| API (all other endpoints) | 100 requests | 60 seconds |
| WebSocket connections | 10 connections | 60 seconds |
Response headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1706285400
When exceeded:
HTTP/1.1 429 Too Many Requests
Retry-After: 45
All responses include security headers:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' wss:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(self), camera=()
All WebSocket connections require JWT authentication:
ws://host/ws/transcription/{meeting_id}?token={jwt_token}
const ALLOWED_ORIGINS: &[&str] = &[
"http://localhost:3000",
"https://nexusscribe.lagrangecounty.org",
];| Limit | Value |
|---|---|
| Max text message | 64 KB |
| Max binary message | 10 MB |
| Text messages/second | 100 |
| Binary messages/second | 50 |
| Connection timeout | 8 hours |
| Ping interval | 30 seconds |
| Pong timeout | 10 seconds |
Meeting bots use API key authentication:
ws://host/ws/audio/{meeting_id}?bot_id={id}&api_key={key}
API keys are computed as: hex(SHA256(secret + ":" + bot_id))
NexusScribe includes comprehensive compliance features for regulated industries.
For organizations handling Protected Health Information (PHI):
| Requirement | Implementation |
|---|---|
| Audit Logging | All PHI access logged with user, timestamp, action, and outcome |
| Access Controls | Role-based access with minimum necessary principle |
| Encryption at Rest | AES-256-GCM encryption for sensitive fields |
| Encryption in Transit | TLS 1.3 required for all connections |
| Audit Trail Retention | 6-year retention of all audit logs |
| BAA Tracking | Business Associate Agreement management |
| Breach Detection | Automated monitoring for unauthorized access patterns |
Enable HIPAA mode:
[compliance.hipaa]
enabled = true
audit_retention_years = 6
require_encryption = trueSecurity, Availability, Processing Integrity, Confidentiality, and Privacy:
| Control | Implementation |
|---|---|
| CC6.1 - Logical Access | RBAC, MFA enforcement, session management |
| CC6.2 - Authentication | Argon2id passwords, TOTP MFA, account lockout |
| CC6.3 - Access Reviews | Periodic access certification workflows |
| CC7.1 - System Monitoring | Security event logging, anomaly detection |
| CC7.2 - Incident Response | Incident tracking with severity classification |
| CC7.3 - Change Management | Audit trail for all system changes |
| CC8.1 - Vendor Management | Third-party risk assessment tracking |
SOC 2 Dashboard:
- Security events timeline
- Access review management
- Incident tracking with MTTR metrics
- Vendor risk assessments
- Compliance report generation
For organizations processing EU personal data:
| Data Subject Right | Implementation |
|---|---|
| Right to Access | Self-service data export via /api/v1/privacy/export |
| Right to Portability | Machine-readable JSON export |
| Right to Erasure | Automated deletion workflow with confirmation |
| Right to Rectification | Self-service profile editing |
| Right to Restriction | Processing pause capability |
Consent Management:
{
"marketing": {"granted": false, "timestamp": "2024-01-15T10:00:00Z"},
"analytics": {"granted": true, "timestamp": "2024-01-15T10:00:00Z"},
"transcription_storage": {"granted": true, "timestamp": "2024-01-15T10:00:00Z"}
}Data Processing:
- Lawful basis tracking per processing activity
- Data Processing Agreement (DPA) management
- Processing activities register
- Cookie consent banner with granular controls
For California consumers:
| Right | Implementation |
|---|---|
| Right to Know | Data inventory and disclosure |
| Right to Delete | Deletion request workflow |
| Right to Opt-Out | "Do Not Sell My Personal Information" flag |
| Right to Non-Discrimination | Equal service regardless of privacy choices |
CCPA API:
# Set Do Not Sell flag
curl -X PUT http://localhost:8080/api/v1/privacy/ccpa \
-H "Authorization: Bearer <token>" \
-d '{"do_not_sell": true, "ca_resident": true}'For educational institutions:
| Requirement | Implementation |
|---|---|
| Education Records | Separate storage with enhanced access controls |
| Directory Information | Opt-out capability for students |
| Consent Tracking | Parental/eligible student consent management |
| Access Logging | Record of all education record access |
| Legitimate Interest | Purpose validation for each access |
Configurable retention policies:
[compliance.retention]
transcripts_days = 2555 # 7 years
audit_logs_days = 2190 # 6 years (HIPAA minimum)
user_data_after_deletion = 30 # Days after account deletion
recordings_days = 90 # Audio/video files
temp_files_hours = 24 # Processing temporary filesAutomatic Deletion:
- Scheduled job runs daily to purge expired data
- Soft delete with grace period before permanent removal
- Deletion certificates generated for compliance proof
Generate reports for auditors:
# HIPAA audit report
curl http://localhost:8080/api/v1/compliance/report/hipaa \
-H "Authorization: Bearer <admin_token>"
# SOC 2 evidence package
curl http://localhost:8080/api/v1/compliance/report/soc2 \
-H "Authorization: Bearer <admin_token>"
# GDPR Article 30 register
curl http://localhost:8080/api/v1/compliance/report/gdpr \
-H "Authorization: Bearer <admin_token>"Core Security:
- Set
NEXUS_SCRIBE_ENV=production - Generate cryptographically random JWT secret (48+ chars)
- Enable TLS (nginx or native)
- Configure CORS allowlist with specific origins
- Enable HashiCorp Vault for secrets (for public scaling)
- Set up log rotation and monitoring
- Configure firewall (allow only 443, block 8080)
- Enable database authentication
- Set up automated backups
- Review and restrict file permissions
Compliance (if applicable):
- Enable HIPAA mode if handling PHI
- Configure audit log retention (6 years for HIPAA)
- Enable field-level encryption for sensitive data
- Set up data retention policies
- Configure cookie consent banner (GDPR)
- Enable CCPA Do Not Sell tracking
- Review and sign BAAs with vendors
- Document data processing activities (GDPR Article 30)
# JWT Secret (48 bytes, base64 encoded)
openssl rand -base64 48
# Database password
openssl rand -base64 32
# Encryption key
openssl rand -base64 32Never commit secrets to version control. Use:
.envfile (local development only, in.gitignore)- Environment variables (systemd, Docker)
- HashiCorp Vault (production)
If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email: security@automatanexus.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We aim to respond within 48 hours and will work with you to understand and address the issue.
| Date | Auditor | Scope | Findings |
|---|---|---|---|
| 2026-01 | Internal | Full codebase | 14 Critical, 25 High, 28 Medium, 15 Low - All fixed |
| Flag | Description |
|---|---|
--features vault |
Enable HashiCorp Vault integration |
--features tls |
Enable native TLS termination |
--features hailo |
Enable Hailo NPU (requires hardware) |
--features saml |
Enable SSO/SAML authentication |
--features compliance |
Enable full compliance suite (HIPAA, SOC 2, GDPR, CCPA, FERPA) |
Build with multiple features:
cargo build --release --features "vault,tls,saml,compliance"