
Security Overview

O.D.I.N. is built for print farms that operate under real compliance constraints — ITAR-regulated defense shops, CMMC L2 contractors, aerospace subs, and any environment where data cannot leave the network.

This page is a hub. Each control below has its own dedicated page; this is the map.


Air-Gap / Network Egress

  • ITAR / CMMC Mode — set ODIN_ITAR_MODE=1 and the container fail-closes on any public-resolving outbound destination. Boot audit + per-connect runtime guards on HTTP, SMTP, and MQTT. Hard-disables APNs and Web Push. DNS-pinned sockets to defeat split-horizon and resolver drift.
  • No telemetry by default. O.D.I.N. does not call home. There is no analytics endpoint, no crash reporter, no usage beacon. Feature-flagged backend telemetry (e.g. ODIN_TELEMETRY_V2) is opt-in and additionally fail-closed under ITAR mode.

Identity & Access

  • Users & RBAC — Admin / Operator / Viewer roles enforced on every API endpoint, not just the UI. Optional org-scoping for multi-tenant deployments.
  • MFA — TOTP-based two-factor for any user account. Admin force-enable, backup codes, lockout recovery. MFA tokens are single-use and blacklisted on consumption.
  • Sessions — JWT with server-side jti tracking, httpOnly + Secure + SameSite=Strict cookies. View and revoke active sessions individually or in bulk. WebSocket tokens are scoped separately so a stolen WS token cannot replay against the REST API.
  • OIDC / SSO — wire an internal IdP (ADFS, Authentik, Keycloak). Public OIDC providers refuse to boot under ITAR.

API Authentication

  • API Tokens — scoped, prefixed (odin_…), per-route granular scopes, configurable expiry, rotatable. Recommended for automation, agents, and CI. Separate from user sessions and from the system API key.

Licensing & Compliance Boundary

  • License — Ed25519-signed license payload, verified locally against an embedded public key. No license server, no phone-home, no periodic revalidation. Air-gap compatible by design.
  • Audit log. Every API call (including agent tool calls) is written to the audit_log table with actor, IP, action, and timestamp. Export to a SIEM via /admin/audit or the Postgres replica. See CMMC L2 considerations for the full SIEM/scope/rotation playbook.

Transport Security

  • HTTPS via reverse proxy. O.D.I.N. is intended to sit behind a TLS-terminating reverse proxy (nginx, Caddy, NPM, Traefik, Cloudflare Tunnel). Cookies are flagged Secure and SameSite=Strict; the app does not ship its own TLS termination.
  • HTTP security headers are set on the marketing/docs surface (X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin); operators terminating their own TLS should mirror these on the application reverse proxy.

A clean compliance-grade deployment looks like:

  1. ODIN_ITAR_MODE=1 set in the compose file.
  2. Internal SMTP relay, internal OIDC IdP, internal-only webhooks.
  3. TOTP MFA force-enabled for every human account.
  4. Scoped API tokens for every automation; no shared system API key in agents.
  5. Reverse proxy terminating TLS in front of O.D.I.N., with HSTS.
  6. Audit log shipped to a SIEM or Postgres replica on a private VLAN.
  7. Air-gapped license file delivered out-of-band.
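As an added illustration of items 5 and 6 of this checklist together with the header-mirroring advice in the Transport Security section, here is an nginx server block for the reverse proxy in front of O.D.I.N.; it is not the project's own configuration. The hostname, certificate paths and upstream address are placeholders, and it assumes O.D.I.N. honours X-Forwarded-Proto / X-Forwarded-For so that Secure cookies are issued and the audit log records the real client IP; confirm that against the deployment docs.

```nginx
# Added example, not O.D.I.N.'s own config. Placeholders: hostname, cert paths,
# upstream 127.0.0.1:8080 (the app's listen port is assumed, not documented here).

# Redirect all plaintext traffic to HTTPS
server {
    listen 80;
    server_name odin.example.internal;   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name odin.example.internal;   # placeholder hostname

    ssl_certificate     /etc/nginx/certs/odin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/odin.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS (checklist item 5). Add includeSubDomains/preload only once every
    # host under the zone serves HTTPS, otherwise browsers will refuse them.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Mirror of the headers the marketing/docs surface already sets
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        proxy_http_version 1.1;

        # WebSocket upgrade passthrough (O.D.I.N. issues separately scoped WS tokens)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Tell the app the client leg is HTTPS and pass the original client IP;
        # assumption: O.D.I.N. reads these X-Forwarded-* headers.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

With ODIN_ITAR_MODE=1 set in the compose file, the proxy is the only component that needs a certificate; the app itself never terminates TLS, as the Transport Security section states.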

Each line above is a link in the table on this page.


See Also