Security

Built to support
TPN-compliant workflows.

Centrik is self-hosted by design. The controls below describe what we provide; your facility's physical security, network controls, and organisational policies remain under your control — as TPN expects.

Centrik is TPN-aligned — its technical controls follow the MPA Content Security Best Practices (CSBP). It is not yet TPN-certified; a formal Gold Shield assessment is a roadmap item, not a current claim. See roadmap.

Authentication & Access Control

MPA CSBP: DS-10, DS-12

Password hashing
bcrypt with cost factor 12; legacy hashes upgrade lazily on next successful login.
Password complexity
12-character minimum, mixed case, digit, special character — enforced server-side on every password-setting endpoint.
Mandatory rotation
90-day expiration on local accounts. Login is blocked until the user sets a new password.
Multi-factor authentication
TOTP (Google Authenticator, Authy, etc.) with 10 single-use backup codes. Mandatory for external users; optional for internal staff.
Account lockout
Five failed login attempts trigger a 15-minute lockout. Admin unlock available.
Rate limiting
Auth endpoints: 10 attempts per 15 minutes per IP+email. Password reset: 3 per hour per email. API: 100 req/min.
Role-based access control
Eight-tier hierarchy (admin → producer → supervisor → lead → senior_artist → artist → junior_artist → client) enforced on every protected route.
Account provisioning
Self-registration disabled. Access-request workflow with admin or supervisor approval required.
Session management
30-minute inactivity timeout, single-session enforcement (optional), JWT tokens with configurable expiry (default 24h).

Audit Logging

MPA CSBP: DS-11

Authentication events
Login success/failure, logouts, lockouts, password changes, 2FA setup/disable.
Content access events
Proxy access, media streaming, thumbnail access — all logged with user, IP, timestamp.
Administrative actions
Password resets, role changes, account creation/deletion. Critical actions flagged.
Retention policy
Two-stage retention: 90 days hot in PostgreSQL (queryable, fast), then 365 days archived to JSON files on disk (slow-recall), then purged. Both windows are operator-extendable via env vars (TPN minimum 90 days hot is enforced).
Automated cleanup
Daily cleanup job at 03:00 UTC archives expired DB rows to JSON and purges archive files past retention. The cleanup itself is audit-logged.
Active alerting
Email notifications to administrators on critical events — account lockouts, admin password resets, recovery-admin endpoint use — with in-memory throttling to prevent alert fatigue.

Encryption

MPA CSBP: DS-13, DS-14

Secrets at rest
AES-256-GCM with unique IV per value for sensitive system settings (SMTP credentials, integration tokens). Encryption key separable from auth signing key.
Database at rest
Delegated to the deployment infrastructure (LUKS, FileVault, AWS EBS encryption, etc.) — appropriate for self-hosted model.
In transit
HSTS (1-year max-age, includeSubDomains, preload) in production. Optional TLS for internal Postgres and Redis connections.
Content access
Signed, time-limited tokens for external reviewer media access. No direct file paths exposed.

Application Security

MPA CSBP: DS-18

HTTP security headers
Helmet.js: HSTS, frameguard (deny), noSniff, XSS filter, strict referrer policy, Content Security Policy in production.
CORS
Strict allowlist; unknown origins are rejected (fail-closed).
SQL injection prevention
Sequelize ORM with parameterized queries throughout. No raw SQL on auth or user-facing paths.
XSS prevention
React default escaping; no use of dangerouslySetInnerHTML in user-facing components.
CSRF
Stateless JWT in Authorization header (not cookies), eliminating the traditional CSRF surface.

Content Protection

MPA CSBP: DS-20

Visible watermarking
Configurable text overlay (position, opacity, font size) applied at delivery time. Supports timestamp and username burn-in.
External reviewer scoping
Magic-link review for clients and outside collaborators is email-verified, time-limited, and scoped to specific review rooms — never the broader project.
Default secrecy
Open self-registration disabled by default. New users require admin or supervisor approval before any content access.

Patch & Vulnerability Management

MPA CSBP: DS-9, DS-17

Dependency auditing
Automated npm audit checks every 60 seconds; CRITICAL and HIGH severity findings alert to log.
File integrity monitoring
SHA-256 baselining of critical files (auth middleware, server entry, package-lock). Drift detection logs.
Suspicious code pattern scanning
Continuous scan for eval, child_process.exec with user input, hardcoded credentials, and SQL injection patterns.

Deployment & Network

MPA CSBP: —

Self-hosted model
Customer controls their own infrastructure, network segmentation, and physical security — appropriate for TPN-aligned facilities.
Reverse-proxy friendly
No hardcoded localhost assumptions. Deploys cleanly behind nginx, Caddy, or any TLS-terminating reverse proxy.
VPN / air-gap compatible
Pure HTTP/HTTPS; no outbound dependencies for core review and tracking flows. Suitable for closed-network facility deployments.

Reporting a vulnerability

If you believe you've found a security issue in Centrik, please report it privately before public disclosure. We aim to acknowledge reports within two business days.

Email: drew@tradecraftvfx.com

Machine-readable contact details follow RFC 9116: /.well-known/security.txt

Roadmap

Honesty on what isn't done yet:

Forensic watermarking
Per-viewer, recoverable-from-screen-capture watermarks. Visible watermarking is implemented today; forensic is planned for studio-tier deployments.
Formal TPN Gold Shield assessment
Centrik's controls are TPN-aligned today. A formal third-party assessment is on the roadmap when a customer requires it.
Multi-channel alert routing
Email alerting is implemented today. Additional channels (generic outbound webhook, Slack, PagerDuty) are planned for ops teams that want non-email routing.
Independent penetration test
A formal third-party penetration test is planned ahead of the first studio-tier deployment.