Security Notes

Webhook Endpoints (kai-tools nginx)

Two endpoints bypass basic auth and need app-level verification.

Nginx config has auth_basic off on this path
The app MUST validate the X-Hub-Signature-256 header using HMAC-SHA256 with your webhook secret
Verify: check that the deploy handler rejects requests with missing/invalid signatures
Consider also IP-whitelisting GitHub webhook IPs (see https://api.github.com/meta, hooks key)

Nginx proxies to port 3033 with no auth
The app MUST validate Twilio request signatures using the X-Twilio-Signature header and your auth token
Twilio Node SDK provides validateRequest() / webhook() middleware for this
Without validation, anyone can send fake call/SMS events to this endpoint

Once the domain is purchased and DNS A records point to 77.42.83.205:

sudo certbot --nginx -d kaivalo.com -d www.kaivalo.com -d mechai.kaivalo.com

Name		Name	Last commit message	Last commit date
Latest commit History 66 Commits
apps		apps
infrastructure/nginx		infrastructure/nginx
packages		packages
tests		tests
.gitignore		.gitignore
PLAN.md		PLAN.md
PLATFORM-IDEAS.md		PLATFORM-IDEAS.md
PRD.md		PRD.md
SECURITY.md		SECURITY.md
chimney-saas-scope.md		chimney-saas-scope.md
package-lock.json		package-lock.json
package.json		package.json
pnpm-workspace.yaml		pnpm-workspace.yaml