Security posture

Research Surface Security

Evidence pack for the open research surface: implemented controls, operator-side checks and explicit non-claims. It is designed for security review without exposing secrets, tokens, hashes, IPs, user agents or request bodies.

falsesynthetic data
44trusted funds
50watchlists/key
262144max request bytes

Public Surface

read_only_open_buildauth:not registered in open mode

public endpoints are GET-oriented; Pro writes live only behind the separate Pro service

  • nosniff baseline
  • DENY frame policy
  • no-referrer baseline
  • per-response CSP with no third-party scripts

Private Surface

token_in_url:falsestorage:sessionStorage

separate /api/pro/v1 service with scoped API keys

accepted, denied and rate-limited Pro requests create audit rows without storing plaintext tokens

MCP Boundary

MCP server enforces Host/Origin validation and a bounded request body

Private tools fail closed without a valid operator-issued key

Data Quality Gate

mode:automated_fail_closedhuman_review:false

only trusted funds are eligible for scores, consensus and watchlist signals

Operator Checks

This endpoint does not read systemd, Apache configs, journal logs, backup files or secrets. Those remain operator-side checks.

CheckStatusCommand
public_smokeexternal_requiredsudo EXPECTED_SHA=$SHA /opt/13flow/deploy/smoke-public.sh
pro_workspace_smokeexternal_requiredsudo EXPECTED_SHA=$SHA PRO_TOKEN="$PRO_TOKEN" /opt/13flow/deploy/smoke-pro-workspace.sh
encrypted_backup_restoreexternal_required/opt/13flow/deploy/prepare-pro-backup-restore-check.sh and deploy/verify-pro-db-backup.sh on restore host
snapshot_timerexternal_requiredsystemctl list-timers | grep 13flow-pro-workspace-snapshot

Privacy

tokens_echoed:falsesecrets_in_payloads:false

security posture exposes controls and evidence links, never keys, hashes, IPs, user agents or request bodies

Non-Claims

  • third-party penetration test
  • SOC 2, ISO 27001 or regulated outsourcing certification
  • public self-serve account flow
  • managed-service SLA
  • validated alpha or investment advice
  • complete coverage of non-13F assets, shorts or intra-quarter trades

Buyer Security Questions

  • Who owns token custody and rotation on the buyer side?
  • Which scopes are needed for the pilot and which are deliberately excluded?
  • What request volume and burst profile should be configured before go-live?
  • Does the buyer require IP allow-listing, contractual DPA clauses or a custom retention policy?
  • Which evidence links must be archived before recurring access begins?

Evidence Links

Machine-readable security posture Research readiness