OmegaEngine — Decisions, enforced.

Production Security Hardening Checklist

This checklist summarizes the concrete steps required to run OmegaEngine safely in production. It combines infra, app, and operational controls.

1. Environment & Secrets

Store all secrets in a secrets manager (e.g., Vercel env, AWS SSM, GCP Secret Manager). Never commit .env to git.
Rotate DATABASE_URL, JWT secrets, and API signing secrets before launch.
Set separate envs for dev / staging / prod with separate DBs and keys.
Enable strict .env validation so missing vars fail fast on boot.

2. Authentication & Session Security

Use HTTPS-only cookies with Secure, HttpOnly, and SameSite=Lax or Strict.
Enforce strong session expiry (e.g., 7–30 days) and idle timeouts.
Require email verification for org owners (optional but recommended).
Log out users from all sessions when email or roles change.

3. Admin & RBAC Controls

Confirm that only explicit isAdmin=true users exist in production.
Set ADMIN_IP_ALLOWLIST in production (VPN or office IPs).
Review /api/admin/* routes and confirm they all call requireSiteAdmin + isIpAllowed.
Log all admin credit adjustments and high-privilege actions via creditEvent and separate admin audit logs.

4. API & Rate Limiting

Verify enforceUserRateLimit is applied on all public, user-impacting endpoints.
Set conservative defaults (e.g., 600 req/min per user for decision API) and document them in /docs.
Add WAF / API gateway (Cloudflare, AWS WAF, etc.) for additional IP-rate throttling.
Block obvious bad patterns (e.g., huge bodies, invalid JSON) at the edge if possible.

5. Data Protection & Logging

Truncate logged inputs/outputs (already implemented) and avoid storing raw secrets or full PII.
Ensure requestLog and audit tables are scoped by userId/orgId.
Set default retention windows and document them in /docs/compliance/data-retention.
Make sure prod logs do not contain API keys or passwords (redact headers and secrets).

6. Network & Infra

Enforce HTTPS everywhere (no HTTP downgrade) using your host or CDN.
Use TLS 1.2+ (ideally 1.3) and disable insecure ciphers.
Lock down database access to your app and migration hosts only.
Enable daily automatic backups for the production database with tested restore procedures.

7. Monitoring, Health & Incident Response

Attach uptime monitors to /api/health and /api/ready.
Set up error tracking (Sentry, etc.) and alerting for 5xx spikes.
Define an incident runbook: who gets paged, where you log incidents, and how you communicate with customers.
Log security-relevant events (admin actions, policy changes, overage config changes).

8. Compliance & Data Governance

Map your use-cases against EU AI Act, CPRA, GDPR using /docs/compliance/* as references.
Document what types of data customers may send (and what is forbidden).
Provide a basic DSR (data subject request) flow for access/deletion requests.
Document retention settings and data flows in internal diagrams and external docs.

9. Customer-Facing Controls

Allow customers to configure log retention windows per org (roadmap).
Expose a UI for IP allowlists, API key rotation, and key revocation.
Provide an easy export of audit logs for compliance teams.
Publish a security contact (security@omegaengine.ai) for responsible disclosure.

This checklist is not legal advice and does not replace a full security and compliance review. It is designed to give engineering and security teams a concrete starting point to run OmegaEngine safely in production.