Security

Version: 2026-04-01

Auth Model

  • scoped API keys for machine/API consumers
  • signed cookie sessions for the web UI
  • Paddle webhook signature validation for billing callbacks
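The third item, provider-signed billing callbacks, is the one place where the caller is neither an API key nor a session, so the handler has to establish trust from the request itself. The following is an added example (not the project's code) of how such a check is done: an HMAC over the timestamp and the raw body, a freshness window against replay, and a constant-time comparison. The `Paddle-Signature` header layout (`ts=...;h1=...`, MAC over `"<ts>:<raw body>"`) follows Paddle Billing's published scheme as assumed here; confirm it against the current Paddle documentation before relying on it. The secret, body and timestamps are constructed values.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Assumed header layout, following Paddle Billing's published scheme (verify
# against the current Paddle docs):
#   Paddle-Signature: ts=<unix seconds>;h1=<hex HMAC-SHA256 over "<ts>:<raw body>">
# Several h1 values may be present while the webhook secret is being rotated.
MAX_SKEW_SECONDS = 300  # freshness window; older or future-dated payloads are rejected


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 'ts=...;h1=...' into the timestamp and the list of h1 digests."""
    ts: Optional[int] = None
    digests: List[str] = []
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == "ts":
            ts = int(value)          # ValueError on a non-numeric timestamp
        elif key == "h1":
            digests.append(value)
    if ts is None or not digests:
        raise ValueError("malformed signature header")
    return ts, digests


def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> bool:
    """Return True only if the HMAC matches AND the timestamp is fresh.

    The MAC is computed over the raw request bytes: re-serialising the JSON
    before verifying would change the signed payload and break verification.
    """
    now = int(time.time()) if now is None else now
    try:
        ts, digests = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                  # stale or future-dated: treat as a replay
    signed = f"{ts}:".encode() + raw_body
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison against every offered digest; never use ==.
    return any(hmac.compare_digest(expected, d.encode()) for d in digests)


def sign_for_test(raw_body: bytes, secret: str, ts: int) -> str:
    """Build a header the way the provider would (constructed test helper only)."""
    digest = hmac.new(secret.encode(), f"{ts}:".encode() + raw_body,
                      hashlib.sha256).hexdigest()
    return f"ts={ts};h1={digest}"


if __name__ == "__main__":
    SECRET = "constructed-webhook-secret"  # real value comes from the secrets model
    body = b'{"event_type":"transaction.completed","data":{"id":"txn_constructed"}}'
    hdr = sign_for_test(body, SECRET, ts=1_700_000_000)
    print(verify_webhook(body, hdr, SECRET, now=1_700_000_010))         # True
    print(verify_webhook(body + b" ", hdr, SECRET, now=1_700_000_010))  # False: body changed
    print(verify_webhook(body, hdr, SECRET, now=1_700_001_000))         # False: outside window
```

A failed verification should be answered with a generic 4xx and logged with the timestamp and the offered digest count, never with which part of the check failed; and the raw body must be read before any framework-level JSON parsing touches it.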

OAuth Decision Boundary

OAuth is required when:

  • external users interact directly with the product
  • a true multi-tenant end-user identity model is needed
  • access originates from outside the trusted platform network with user-context delegation

OAuth is not required when:

  • communication is internal service-to-service
  • Fabric or n8n would act in a machine-controlled integration role
  • there is no end-user context and scoped API keys are sufficient

Access Control

Protected surfaces include:

  • ingest
  • search with tenant-scoped data
  • support and billing writes
  • admin and governance routes

Protected Endpoint Groups

  • ingest and job-creation routes
  • search and article retrieval under tenant scoping
  • account, API-key, billing, invoice, and support mutation routes
  • admin/operator governance and readiness routes
  • webhook ingress for commercial synchronization

Auth by Integration Class

  • public read-only surfaces:
    • health
    • readiness
    • info
    • docs
    • external API contract
    • public release notices
  • scoped API-key surfaces:
    • ingest
    • search
    • snapshots
    • exports
    • research runs
    • account-level reads and writes
  • session-authenticated surfaces:
    • /app/... web UI flows
  • provider-authenticated callback surface:
    • /v1/webhooks/paddle
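The classes above only protect anything if every route is mapped to exactly one of them and unmapped routes are denied rather than treated as public. The following added example (not the project's code) shows one way to encode that as a deny-by-default policy table with longest-prefix matching: public surfaces accept only read methods, API-key surfaces require the specific scope and the caller's own tenant, the webhook surface accepts only a caller whose provider signature has already been verified, and admin routes require an admin session. Only `/app/` and `/v1/webhooks/paddle` come from this page; the other paths, the `admin` class and the scope names are assumed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Auth classes from "Auth by Integration Class", plus an admin class for the
# admin/governance routes (assumed here to be an admin web session).
PUBLIC, API_KEY, SESSION, PROVIDER, ADMIN = "public", "api_key", "session", "provider", "admin"

# Route prefix -> (auth class, API-key scope required). Only /app/ and
# /v1/webhooks/paddle appear on the page; the other paths are assumed.
ROUTE_POLICY = {
    "/health":             (PUBLIC,   None),
    "/ready":              (PUBLIC,   None),
    "/info":               (PUBLIC,   None),
    "/docs":               (PUBLIC,   None),
    "/v1/ingest":          (API_KEY,  "ingest"),
    "/v1/search":          (API_KEY,  "search"),
    "/v1/snapshots":       (API_KEY,  "snapshots"),
    "/v1/account":         (API_KEY,  "account"),
    "/app/":               (SESSION,  None),
    "/admin/":             (ADMIN,    None),
    "/v1/webhooks/paddle": (PROVIDER, None),
}
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass(frozen=True)
class Principal:
    kind: str                          # "anonymous" | "api_key" | "session" | "provider"
    tenant: Optional[str] = None       # tenant the key or session belongs to
    scopes: FrozenSet[str] = frozenset()
    is_admin: bool = False


ANONYMOUS = Principal("anonymous")


def match_policy(path: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match on the policy table; unknown routes get no policy."""
    best = None
    for prefix, policy in ROUTE_POLICY.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, policy)
    return best[1] if best else None


def authorize(method: str, path: str, principal: Principal,
              resource_tenant: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    policy = match_policy(path)
    if policy is None:
        return False, "no policy for route (deny by default)"
    auth_class, scope = policy
    is_write = method.upper() not in READ_METHODS

    if auth_class == PUBLIC:
        # Public surfaces stay read-only: a write here is a misconfiguration signal.
        return (not is_write), ("public read" if not is_write else "write to read-only surface")
    if auth_class == PROVIDER:
        # The handler must have validated the provider signature before building the principal.
        ok = principal.kind == "provider"
        return ok, ("provider signature verified" if ok else "unverified webhook caller")
    if auth_class == API_KEY:
        if principal.kind != "api_key":
            return False, "API key required"
        if scope not in principal.scopes:
            return False, f"key lacks scope {scope!r}"
        if resource_tenant is not None and resource_tenant != principal.tenant:
            return False, "cross-tenant access"
        return True, f"scope {scope!r} on own tenant"
    if auth_class == SESSION:
        ok = principal.kind == "session"
        return ok, ("session" if ok else "session required")
    if auth_class == ADMIN:
        ok = principal.kind == "session" and principal.is_admin
        return ok, ("admin session" if ok else "admin session required")
    return False, "unknown auth class"
```

Keeping the table in one place makes the misconfiguration risks listed later on this page reviewable: a route missing from the table fails closed instead of leaking as a public surface, and an API key minted with only the scopes a workflow tool needs cannot reach other endpoint groups.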

Sensitive Data Types

  • account and API-key metadata
  • billing and support records
  • invoice references
  • runtime credentials and signing secrets

Secrets Model

The maintained path prefers file-backed secret ingestion where supported:

  • web signing secret
  • SMTP password
  • Paddle API key
  • Paddle webhook secret
  • optional NewsAPI key
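A file-backed secret path is only an improvement if the loader actually prefers the file, refuses a file that is broadly readable, and fails startup on a missing or placeholder value rather than booting with a weak signing key. The following added example (not the project's code) implements that resolution order: `<NAME>_FILE` first, then `<NAME>` inline, with a startup audit that reports every misconfigured secret at once. The variable names mirror the list above but are assumed, not the project's own; the placeholder list and minimum lengths are likewise assumptions.

```python
import os
import stat
from typing import Callable, List, Mapping, Optional

# Values that must never pass as a real secret (constructed list; extend as needed).
PLACEHOLDER_VALUES = {"", "changeme", "secret", "password", "dev", "test", "todo"}
MIN_SIGNING_SECRET_LENGTH = 32   # assumed floor for signing/HMAC secrets

# Secret names are assumed for illustration and mirror the list above; they are
# not the project's own variable names.  (name, required, minimum length)
SECRET_SPECS = [
    ("WEB_SIGNING_SECRET",    True,  MIN_SIGNING_SECRET_LENGTH),
    ("SMTP_PASSWORD",         True,  8),
    ("PADDLE_API_KEY",        True,  16),
    ("PADDLE_WEBHOOK_SECRET", True,  MIN_SIGNING_SECRET_LENGTH),
    ("NEWSAPI_KEY",           False, 16),
]


class SecretError(RuntimeError):
    """Raised when a secret is missing, unreadable, or too weak to use."""


def read_secret_file(path: str) -> str:
    """Read a file-backed secret, refusing files readable by group or others."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        raise SecretError(f"{path}: readable by group/other; tighten permissions")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")   # tolerate a trailing newline from editors


def load_secret(name: str, *, required: bool = True,
                min_length: int = MIN_SIGNING_SECRET_LENGTH,
                env: Mapping[str, str] = os.environ,
                read_file: Callable[[str], str] = read_secret_file) -> Optional[str]:
    """Resolve <NAME>_FILE first (mounted secret), then <NAME> (inline env var).

    Weak or placeholder values raise instead of yielding a silently weak deployment.
    """
    file_var = f"{name}_FILE"
    if env.get(file_var):
        value, source = read_file(env[file_var]), file_var
    elif env.get(name) is not None:
        value, source = env[name], name
    elif required:
        raise SecretError(f"{name}: not set (expected {file_var} or {name})")
    else:
        return None
    if value.strip().lower() in PLACEHOLDER_VALUES:
        raise SecretError(f"{source}: placeholder value rejected")
    if len(value) < min_length:
        raise SecretError(f"{source}: too short ({len(value)} < {min_length} chars)")
    return value


def audit_secrets(env: Mapping[str, str] = os.environ,
                  read_file: Callable[[str], str] = read_secret_file) -> List[str]:
    """Startup check: one problem string per misconfigured secret (empty list = OK)."""
    problems: List[str] = []
    for name, required, min_length in SECRET_SPECS:
        try:
            load_secret(name, required=required, min_length=min_length,
                        env=env, read_file=read_file)
        except SecretError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for problem in audit_secrets():
        print("secret misconfiguration:", problem)
```

Run `audit_secrets()` once at process start and refuse to serve traffic if it returns anything; the permission check in `read_secret_file` is the reason to prefer the file path over an inline variable, which is visible to anything that can read the process environment.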

Inputs That Must Never Be Open

  • admin-only routes without auth
  • billing settlement without explicit authorization
  • account mutation without tenant/admin authorization
  • future Fabric-triggered write paths without explicit auth design

Threats From Misconfiguration

  • exposing internal/operator routes as if they were public contract
  • accepting unauthenticated billing or support mutations
  • using weak or missing session-signing secrets
  • allowing workflow tools to use over-broad API keys
  • trusting legacy webhook routes as if they were maintained secure surfaces

Read-Only Surfaces That Should Stay Read-Only

  • health/readiness/info
  • docs/OpenAPI
  • external API contract
  • release notice reads
  • future Fabric discovery metadata

Actions That Must Never Be Triggered Externally Without Explicit Control

  • invoice settlement
  • account deactivation
  • API-key privilege escalation
  • support-case state mutation by unauthenticated callers
  • deployment or rollout changes
  • Fabric-driven write or control actions

Manual-Only Actions

  • release and deployment decisions
  • billing-provider activation
  • destructive account/support/invoice actions
  • future Fabric-controlled write/control behavior

License: AGPLv3
Learn more: https://helpifyr.com