feat(security): add manifest signing, TLS TOFU, refresh token migration

- Invalidate plaintext refresh tokens (migration 019) - Add `--sign` flag to `orama build` for rootwallet manifest signing - Add `--ca-fingerprint` TOFU verification for production joins/invites - Save cluster secrets from join (RQLite auth, Olric key, IPFS peers) - Add RQLite auth config fields
2026-03-18 03:56:58 +00:00 · 2026-02-28 15:40:43 +02:00 · 2026-02-28 15:40:43 +02:00 · fd87eec476
commit fd87eec476
parent a0468461ab
49 changed files with 1242 additions and 107 deletions
--- a/migrations/019_invalidate_plaintext_refresh_tokens.sql
+++ b/migrations/019_invalidate_plaintext_refresh_tokens.sql
@ -0,0 +1,4 @@
 -- Invalidate all existing refresh tokens.
 -- Tokens were stored in plaintext; the application now stores SHA-256 hashes.
 -- Users will need to re-authenticate (tokens have 30-day expiry anyway).
 UPDATE refresh_tokens SET revoked_at = datetime('now') WHERE revoked_at IS NULL;
--- a/pkg/cli/build/archive.go
+++ b/pkg/cli/build/archive.go
@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"
@ -106,6 +107,14 @@ func (b *Builder) createArchive(outputPath string, manifest *Manifest) error {
 		return err
 	}
 	// Add manifest.sig if it exists (created by --sign)
 	sigPath := filepath.Join(b.tmpDir, "manifest.sig")
 	if _, err := os.Stat(sigPath); err == nil {
 		if err := addFileToTar(tw, sigPath, "manifest.sig"); err != nil {
 			return err
 		}
 	}
 	// Print summary
 	fmt.Printf("  bin/:      %d binaries\n", len(manifest.Checksums))
 	fmt.Printf("  systemd/:  namespace templates\n")
@ -119,6 +128,46 @@ func (b *Builder) createArchive(outputPath string, manifest *Manifest) error {
 	return nil
 }
 // signManifest signs the manifest hash using rootwallet CLI.
 // Produces manifest.sig containing the hex-encoded EVM signature.
 func (b *Builder) signManifest(manifest *Manifest) error {
 	fmt.Printf("\nSigning manifest with rootwallet...\n")
 	// Serialize manifest deterministically (compact JSON, sorted keys via json.Marshal)
 	manifestData, err := json.Marshal(manifest)
 	if err != nil {
 		return fmt.Errorf("failed to marshal manifest: %w", err)
 	}
 	// Hash the manifest JSON
 	hash := sha256.Sum256(manifestData)
 	hashHex := hex.EncodeToString(hash[:])
 	// Call rw sign <hash> --chain evm
 	cmd := exec.Command("rw", "sign", hashHex, "--chain", "evm")
 	var stdout, stderr strings.Builder
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("rw sign failed: %w\n%s", err, stderr.String())
 	}
 	signature := strings.TrimSpace(stdout.String())
 	if signature == "" {
 		return fmt.Errorf("rw sign produced empty signature")
 	}
 	// Write signature file
 	sigPath := filepath.Join(b.tmpDir, "manifest.sig")
 	if err := os.WriteFile(sigPath, []byte(signature), 0644); err != nil {
 		return fmt.Errorf("failed to write manifest.sig: %w", err)
 	}
 	fmt.Printf("  Manifest signed (SHA256: %s...)\n", hashHex[:16])
 	return nil
 }
 // addDirToTar adds all files in a directory to the tar archive under the given prefix.
 func addDirToTar(tw *tar.Writer, srcDir, prefix string) error {
 	return filepath.Walk(srcDir, func(path string, info os.FileInfo, err error) error {
--- a/pkg/cli/build/builder.go
+++ b/pkg/cli/build/builder.go
@ -117,7 +117,14 @@ func (b *Builder) Build() error {
 		return fmt.Errorf("failed to generate manifest: %w", err)
 	}
-	// Step 11: Create archive
+	// Step 11: Sign manifest (optional)
 	if b.flags.Sign {
 		if err := b.signManifest(manifest); err != nil {
 			return fmt.Errorf("failed to sign manifest: %w", err)
 		}
 	}
 	// Step 12: Create archive
 	outputPath := b.flags.Output
 	if outputPath == "" {
 		outputPath = fmt.Sprintf("/tmp/orama-%s-linux-%s.tar.gz", b.version, b.flags.Arch)
--- a/pkg/cli/build/command.go
+++ b/pkg/cli/build/command.go
@ -13,6 +13,7 @@ type Flags struct {
 	Arch    string
 	Output  string
 	Verbose bool
 	Sign    bool // Sign the archive manifest with rootwallet
 }
 // Handle is the entry point for the build command.
@ -42,6 +43,7 @@ func parseFlags(args []string) (*Flags, error) {
 	fs.StringVar(&flags.Arch, "arch", "amd64", "Target architecture (amd64, arm64)")
 	fs.StringVar(&flags.Output, "output", "", "Output archive path (default: /tmp/orama-<version>-linux-<arch>.tar.gz)")
 	fs.BoolVar(&flags.Verbose, "verbose", false, "Verbose output")
 	fs.BoolVar(&flags.Sign, "sign", false, "Sign the manifest with rootwallet (requires rw in PATH)")
 	if err := fs.Parse(args); err != nil {
 		return nil, err
--- a/pkg/cli/production/install/flags.go
+++ b/pkg/cli/production/install/flags.go
@ -29,6 +29,7 @@ type Flags struct {
 	// Security flags
 	SkipFirewall    bool   // Skip UFW firewall setup (for users who manage their own firewall)
 	CAFingerprint   string // SHA-256 fingerprint of server TLS cert for TOFU verification
 	// Anyone flags
 	AnyoneClient     bool   // Run Anyone as client-only (SOCKS5 proxy on port 9050, no relay)
@ -74,6 +75,7 @@ func ParseFlags(args []string) (*Flags, error) {
 	// Security flags
 	fs.BoolVar(&flags.SkipFirewall, "skip-firewall", false, "Skip UFW firewall setup (for users who manage their own firewall)")
 	fs.StringVar(&flags.CAFingerprint, "ca-fingerprint", "", "SHA-256 fingerprint of server TLS cert (from orama invite output)")
 	// Anyone flags
 	fs.BoolVar(&flags.AnyoneClient, "anyone-client", false, "Install Anyone as client-only (SOCKS5 proxy on port 9050, no relay)")
--- a/pkg/cli/production/install/orchestrator.go
+++ b/pkg/cli/production/install/orchestrator.go
@ -2,8 +2,12 @@ package install
 import (
 	"bufio"
 	"bytes"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
@ -366,12 +370,35 @@ func (o *Orchestrator) callJoinEndpoint(wgPubKey string) (*joinhandlers.JoinResp
 	}
 	url := strings.TrimRight(o.flags.JoinAddress, "/") + "/v1/internal/join"
 	tlsConfig := &tls.Config{}
 	if o.flags.CAFingerprint != "" {
 		// TOFU: verify the server's TLS cert fingerprint matches the one from the invite
 		expectedFP, err := hex.DecodeString(o.flags.CAFingerprint)
 		if err != nil {
 			return nil, fmt.Errorf("invalid --ca-fingerprint: must be hex-encoded SHA-256: %w", err)
 		}
 		tlsConfig.InsecureSkipVerify = true
 		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
 			if len(rawCerts) == 0 {
 				return fmt.Errorf("server presented no TLS certificates")
 			}
 			hash := sha256.Sum256(rawCerts[0])
 			if !bytes.Equal(hash[:], expectedFP) {
 				return fmt.Errorf("TLS certificate fingerprint mismatch: expected %s, got %x (possible MITM attack)",
 					o.flags.CAFingerprint, hash[:])
 			}
 			return nil
 		}
 	} else {
 		// No fingerprint provided — fall back to insecure for backward compatibility
 		tlsConfig.InsecureSkipVerify = true
 	}
 	client := &http.Client{
 		Timeout: 30 * time.Second,
 		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
+			TLSClientConfig: tlsConfig,
 				InsecureSkipVerify: true, // Self-signed certs during initial setup
 			},
 		},
 	}
@ -419,6 +446,40 @@ func (o *Orchestrator) saveSecretsFromJoinResponse(resp *joinhandlers.JoinRespon
 		}
 	}
 	// Write API key HMAC secret
 	if resp.APIKeyHMACSecret != "" {
 		if err := os.WriteFile(filepath.Join(secretsDir, "api-key-hmac-secret"), []byte(resp.APIKeyHMACSecret), 0600); err != nil {
 			return fmt.Errorf("failed to write api-key-hmac-secret: %w", err)
 		}
 	}
 	// Write RQLite password and generate auth JSON file
 	if resp.RQLitePassword != "" {
 		if err := os.WriteFile(filepath.Join(secretsDir, "rqlite-password"), []byte(resp.RQLitePassword), 0600); err != nil {
 			return fmt.Errorf("failed to write rqlite-password: %w", err)
 		}
 		// Also generate the auth JSON file that rqlited uses with -auth flag
 		authJSON := fmt.Sprintf(`[{"username": "orama", "password": "%s", "perms": ["all"]}]`, resp.RQLitePassword)
 		if err := os.WriteFile(filepath.Join(secretsDir, "rqlite-auth.json"), []byte(authJSON), 0600); err != nil {
 			return fmt.Errorf("failed to write rqlite-auth.json: %w", err)
 		}
 	}
 	// Write Olric encryption key
 	if resp.OlricEncryptionKey != "" {
 		if err := os.WriteFile(filepath.Join(secretsDir, "olric-encryption-key"), []byte(resp.OlricEncryptionKey), 0600); err != nil {
 			return fmt.Errorf("failed to write olric-encryption-key: %w", err)
 		}
 	}
 	// Write IPFS Cluster trusted peer IDs
 	if len(resp.IPFSClusterPeerIDs) > 0 {
 		content := strings.Join(resp.IPFSClusterPeerIDs, "\n") + "\n"
 		if err := os.WriteFile(filepath.Join(secretsDir, "ipfs-cluster-trusted-peers"), []byte(content), 0600); err != nil {
 			return fmt.Errorf("failed to write ipfs-cluster-trusted-peers: %w", err)
 		}
 	}
 	return nil
 }
--- a/pkg/cli/production/invite/command.go
+++ b/pkg/cli/production/invite/command.go
@ -3,9 +3,12 @@ package invite
 import (
 	"bytes"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
 	"os"
 	"time"
@ -59,13 +62,43 @@ func Handle(args []string) {
 		os.Exit(1)
 	}
 	// Get TLS certificate fingerprint for TOFU verification
 	certFingerprint := getTLSCertFingerprint(domain)
 	// Print the invite command
 	fmt.Printf("\nInvite token created (expires in %s)\n\n", expiry)
 	fmt.Printf("Run this on the new node:\n\n")
 	if certFingerprint != "" {
 		fmt.Printf("  sudo orama install --join https://%s --token %s --ca-fingerprint %s --vps-ip <NEW_NODE_IP> --nameserver\n\n", domain, token, certFingerprint)
 	} else {
 		fmt.Printf("  sudo orama install --join https://%s --token %s --vps-ip <NEW_NODE_IP> --nameserver\n\n", domain, token)
 	}
 	fmt.Printf("Replace <NEW_NODE_IP> with the new node's public IP address.\n")
 }
 // getTLSCertFingerprint connects to the domain over TLS and returns the
 // SHA-256 fingerprint of the leaf certificate. Returns empty string on failure.
 func getTLSCertFingerprint(domain string) string {
 	conn, err := tls.DialWithDialer(
 		&net.Dialer{Timeout: 5 * time.Second},
 		"tcp",
 		domain+":443",
 		&tls.Config{InsecureSkipVerify: true},
 	)
 	if err != nil {
 		return ""
 	}
 	defer conn.Close()
 	certs := conn.ConnectionState().PeerCertificates
 	if len(certs) == 0 {
 		return ""
 	}
 	hash := sha256.Sum256(certs[0].Raw)
 	return hex.EncodeToString(hash[:])
 }
 // readNodeDomain reads the domain from the node config file
 func readNodeDomain() (string, error) {
 	configPath := "/opt/orama/.orama/configs/node.yaml"
--- a/pkg/config/database_config.go
+++ b/pkg/config/database_config.go
@ -22,6 +22,13 @@ type DatabaseConfig struct {
 	NodeCACert   string `yaml:"node_ca_cert"`   // Path to CA certificate (optional, uses system CA if not set)
 	NodeNoVerify bool   `yaml:"node_no_verify"` // Skip certificate verification (for testing/self-signed certs)
 	// RQLite HTTP Basic Auth credentials.
 	// When RQLiteAuthFile is set, rqlited is launched with `-auth <file>`.
 	// Username/password are embedded in all client DSNs (harmless when auth not enforced).
 	RQLiteUsername string `yaml:"rqlite_username"`
 	RQLitePassword string `yaml:"rqlite_password"`
 	RQLiteAuthFile string `yaml:"rqlite_auth_file"` // Path to RQLite auth JSON file. Empty = auth not enforced.
 	// Raft tuning (passed through to rqlited CLI flags).
 	// Higher defaults than rqlited's 1s suit WireGuard latency.
 	RaftElectionTimeout    time.Duration `yaml:"raft_election_timeout"`     // default: 5s
--- a/pkg/coredns/rqlite/backend.go
+++ b/pkg/coredns/rqlite/backend.go
@ -31,9 +31,10 @@ type Backend struct {
 	healthy     bool
 }
-// NewBackend creates a new RQLite backend
+// NewBackend creates a new RQLite backend.
-func NewBackend(dsn string, refreshRate time.Duration, logger *zap.Logger) (*Backend, error) {
+// Optional username/password enable HTTP basic auth for RQLite connections.
-	client, err := NewRQLiteClient(dsn, logger)
+func NewBackend(dsn string, refreshRate time.Duration, logger *zap.Logger, username, password string) (*Backend, error) {
 	client, err := NewRQLiteClient(dsn, logger, username, password)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create RQLite client: %w", err)
 	}
--- a/pkg/coredns/rqlite/client.go
+++ b/pkg/coredns/rqlite/client.go
@ -15,6 +15,8 @@ import (
 // RQLiteClient is a simple HTTP client for RQLite
 type RQLiteClient struct {
 	baseURL    string
 	username   string // HTTP basic auth username (empty = no auth)
 	password   string // HTTP basic auth password
 	httpClient *http.Client
 	logger     *zap.Logger
 }
@ -32,10 +34,13 @@ type QueryResult struct {
 	Error   string          `json:"error"`
 }
-// NewRQLiteClient creates a new RQLite HTTP client
+// NewRQLiteClient creates a new RQLite HTTP client.
-func NewRQLiteClient(dsn string, logger *zap.Logger) (*RQLiteClient, error) {
+// Optional username/password enable HTTP basic auth on all requests.
 func NewRQLiteClient(dsn string, logger *zap.Logger, username, password string) (*RQLiteClient, error) {
 	return &RQLiteClient{
 		baseURL:  dsn,
 		username: username,
 		password: password,
 		httpClient: &http.Client{
 			Timeout: 10 * time.Second,
 			Transport: &http.Transport{
@ -65,6 +70,9 @@ func (c *RQLiteClient) Query(ctx context.Context, query string, args ...interfac
 	}
 	req.Header.Set("Content-Type", "application/json")
 	if c.username != "" && c.password != "" {
 		req.SetBasicAuth(c.username, c.password)
 	}
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
--- a/pkg/coredns/rqlite/setup.go
+++ b/pkg/coredns/rqlite/setup.go
@ -42,6 +42,8 @@ func parseConfig(c *caddy.Controller) (*RQLitePlugin, error) {
 		refreshRate    = 10 * time.Second
 		cacheTTL       = 30 * time.Second
 		cacheSize      = 10000
 		rqliteUsername string
 		rqlitePassword string
 		zones          []string
 	)
@ -90,6 +92,18 @@ func parseConfig(c *caddy.Controller) (*RQLitePlugin, error) {
 				}
 				cacheSize = size
 			case "username":
 				if !c.NextArg() {
 					return nil, c.ArgErr()
 				}
 				rqliteUsername = c.Val()
 			case "password":
 				if !c.NextArg() {
 					return nil, c.ArgErr()
 				}
 				rqlitePassword = c.Val()
 			default:
 				return nil, c.Errf("unknown property '%s'", c.Val())
 			}
@ -101,7 +115,7 @@ func parseConfig(c *caddy.Controller) (*RQLitePlugin, error) {
 	}
 	// Create backend
-	backend, err := NewBackend(dsn, refreshRate, logger)
+	backend, err := NewBackend(dsn, refreshRate, logger, rqliteUsername, rqlitePassword)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create backend: %w", err)
 	}
--- a/pkg/environments/production/config.go
+++ b/pkg/environments/production/config.go
@ -2,6 +2,7 @@ package production
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"net"
@ -239,8 +240,15 @@ func (cg *ConfigGenerator) GenerateGatewayConfig(peerAddresses []string, enableH
 	return templates.RenderGatewayConfig(data)
 }
-// GenerateOlricConfig generates Olric configuration
+// GenerateOlricConfig generates Olric configuration.
 // Reads the Olric encryption key from secrets if available.
 func (cg *ConfigGenerator) GenerateOlricConfig(serverBindAddr string, httpPort int, memberlistBindAddr string, memberlistPort int, memberlistEnv string, advertiseAddr string, peers []string) (string, error) {
 	// Read encryption key from secrets if available
 	encryptionKey := ""
 	if data, err := os.ReadFile(filepath.Join(cg.oramaDir, "secrets", "olric-encryption-key")); err == nil {
 		encryptionKey = strings.TrimSpace(string(data))
 	}
 	data := templates.OlricConfigData{
 		ServerBindAddr:          serverBindAddr,
 		HTTPPort:                httpPort,
@ -249,6 +257,7 @@ func (cg *ConfigGenerator) GenerateOlricConfig(serverBindAddr string, httpPort i
 		MemberlistEnvironment:   memberlistEnv,
 		MemberlistAdvertiseAddr: advertiseAddr,
 		Peers:                   peers,
 		EncryptionKey:           encryptionKey,
 	}
 	return templates.RenderOlricConfig(data)
 }
@ -323,6 +332,137 @@ func (sg *SecretGenerator) EnsureClusterSecret() (string, error) {
 	return secret, nil
 }
 // EnsureRQLiteAuth generates the RQLite auth credentials and JSON auth file.
 // Returns (username, password). The auth JSON file is written to secrets/rqlite-auth.json.
 func (sg *SecretGenerator) EnsureRQLiteAuth() (string, string, error) {
 	passwordPath := filepath.Join(sg.oramaDir, "secrets", "rqlite-password")
 	authFilePath := filepath.Join(sg.oramaDir, "secrets", "rqlite-auth.json")
 	secretDir := filepath.Dir(passwordPath)
 	username := "orama"
 	if err := os.MkdirAll(secretDir, 0700); err != nil {
 		return "", "", fmt.Errorf("failed to create secrets directory: %w", err)
 	}
 	if err := os.Chmod(secretDir, 0700); err != nil {
 		return "", "", fmt.Errorf("failed to set secrets directory permissions: %w", err)
 	}
 	// Try to read existing password
 	var password string
 	if data, err := os.ReadFile(passwordPath); err == nil {
 		password = strings.TrimSpace(string(data))
 	}
 	// Generate new password if needed
 	if password == "" {
 		bytes := make([]byte, 32)
 		if _, err := rand.Read(bytes); err != nil {
 			return "", "", fmt.Errorf("failed to generate RQLite password: %w", err)
 		}
 		password = hex.EncodeToString(bytes)
 		if err := os.WriteFile(passwordPath, []byte(password), 0600); err != nil {
 			return "", "", fmt.Errorf("failed to save RQLite password: %w", err)
 		}
 		if err := ensureSecretFilePermissions(passwordPath); err != nil {
 			return "", "", err
 		}
 	}
 	// Always regenerate the auth JSON file to ensure consistency
 	authJSON := fmt.Sprintf(`[{"username": "%s", "password": "%s", "perms": ["all"]}]`, username, password)
 	if err := os.WriteFile(authFilePath, []byte(authJSON), 0600); err != nil {
 		return "", "", fmt.Errorf("failed to save RQLite auth file: %w", err)
 	}
 	if err := ensureSecretFilePermissions(authFilePath); err != nil {
 		return "", "", err
 	}
 	return username, password, nil
 }
 // EnsureOlricEncryptionKey gets or generates a 32-byte encryption key for Olric memberlist gossip.
 // The key is stored as base64 on disk and returned as base64 (what Olric expects).
 func (sg *SecretGenerator) EnsureOlricEncryptionKey() (string, error) {
 	secretPath := filepath.Join(sg.oramaDir, "secrets", "olric-encryption-key")
 	secretDir := filepath.Dir(secretPath)
 	if err := os.MkdirAll(secretDir, 0700); err != nil {
 		return "", fmt.Errorf("failed to create secrets directory: %w", err)
 	}
 	if err := os.Chmod(secretDir, 0700); err != nil {
 		return "", fmt.Errorf("failed to set secrets directory permissions: %w", err)
 	}
 	// Try to read existing key
 	if data, err := os.ReadFile(secretPath); err == nil {
 		key := strings.TrimSpace(string(data))
 		if key != "" {
 			if err := ensureSecretFilePermissions(secretPath); err != nil {
 				return "", err
 			}
 			return key, nil
 		}
 	}
 	// Generate new 32-byte key, base64 encoded
 	keyBytes := make([]byte, 32)
 	if _, err := rand.Read(keyBytes); err != nil {
 		return "", fmt.Errorf("failed to generate Olric encryption key: %w", err)
 	}
 	key := base64.StdEncoding.EncodeToString(keyBytes)
 	if err := os.WriteFile(secretPath, []byte(key), 0600); err != nil {
 		return "", fmt.Errorf("failed to save Olric encryption key: %w", err)
 	}
 	if err := ensureSecretFilePermissions(secretPath); err != nil {
 		return "", err
 	}
 	return key, nil
 }
 // EnsureAPIKeyHMACSecret gets or generates the HMAC secret used to hash API keys.
 // The secret is a 32-byte random value stored as 64 hex characters.
 func (sg *SecretGenerator) EnsureAPIKeyHMACSecret() (string, error) {
 	secretPath := filepath.Join(sg.oramaDir, "secrets", "api-key-hmac-secret")
 	secretDir := filepath.Dir(secretPath)
 	if err := os.MkdirAll(secretDir, 0700); err != nil {
 		return "", fmt.Errorf("failed to create secrets directory: %w", err)
 	}
 	if err := os.Chmod(secretDir, 0700); err != nil {
 		return "", fmt.Errorf("failed to set secrets directory permissions: %w", err)
 	}
 	// Try to read existing secret
 	if data, err := os.ReadFile(secretPath); err == nil {
 		secret := strings.TrimSpace(string(data))
 		if len(secret) == 64 {
 			if err := ensureSecretFilePermissions(secretPath); err != nil {
 				return "", err
 			}
 			return secret, nil
 		}
 	}
 	// Generate new secret (32 bytes = 64 hex chars)
 	bytes := make([]byte, 32)
 	if _, err := rand.Read(bytes); err != nil {
 		return "", fmt.Errorf("failed to generate API key HMAC secret: %w", err)
 	}
 	secret := hex.EncodeToString(bytes)
 	if err := os.WriteFile(secretPath, []byte(secret), 0600); err != nil {
 		return "", fmt.Errorf("failed to save API key HMAC secret: %w", err)
 	}
 	if err := ensureSecretFilePermissions(secretPath); err != nil {
 		return "", err
 	}
 	return secret, nil
 }
 func ensureSecretFilePermissions(secretPath string) error {
 	if err := os.Chmod(secretPath, 0600); err != nil {
 		return fmt.Errorf("failed to set permissions on %s: %w", secretPath, err)
--- a/pkg/environments/production/firewall.go
+++ b/pkg/environments/production/firewall.go
@ -98,7 +98,12 @@ func (fp *FirewallProvisioner) GenerateRules() []string {
 	}
 	// Allow all traffic from WireGuard subnet (inter-node encrypted traffic)
-	rules = append(rules, "ufw allow from 10.0.0.0/8")
+	rules = append(rules, "ufw allow from 10.0.0.0/24")
 	// Disable IPv6 — no ip6tables rules exist, so services bound to 0.0.0.0
 	// may be reachable via IPv6. Disable it entirely at the kernel level.
 	rules = append(rules, "sysctl -w net.ipv6.conf.all.disable_ipv6=1")
 	rules = append(rules, "sysctl -w net.ipv6.conf.default.disable_ipv6=1")
 	// Enable firewall
 	rules = append(rules, "ufw --force enable")
@ -109,7 +114,7 @@ func (fp *FirewallProvisioner) GenerateRules() []string {
 	// can be misclassified as "invalid" by conntrack due to reordering/jitter
 	// (especially between high-latency peers), causing silent packet drops.
 	// Inserting at position 1 in INPUT ensures this runs before UFW chains.
-	rules = append(rules, "iptables -I INPUT 1 -i wg0 -s 10.0.0.0/8 -j ACCEPT")
+	rules = append(rules, "iptables -I INPUT 1 -i wg0 -s 10.0.0.0/24 -j ACCEPT")
 	return rules
 }
@ -130,6 +135,22 @@ func (fp *FirewallProvisioner) Setup() error {
 		}
 	}
 	// Persist IPv6 disable across reboots
 	if err := fp.persistIPv6Disable(); err != nil {
 		return fmt.Errorf("failed to persist IPv6 disable: %w", err)
 	}
 	return nil
 }
 // persistIPv6Disable writes a sysctl config to disable IPv6 on boot.
 func (fp *FirewallProvisioner) persistIPv6Disable() error {
 	content := "# Orama Network: disable IPv6 (no ip6tables rules configured)\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n"
 	cmd := exec.Command("tee", "/etc/sysctl.d/99-orama-disable-ipv6.conf")
 	cmd.Stdin = strings.NewReader(content)
 	if output, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("failed to write sysctl config: %w\n%s", err, string(output))
 	}
 	return nil
 }
--- a/pkg/environments/production/firewall_test.go
+++ b/pkg/environments/production/firewall_test.go
@ -18,9 +18,11 @@ func TestFirewallProvisioner_GenerateRules_StandardNode(t *testing.T) {
 	assertContainsRule(t, rules, "ufw allow 51820/udp")
 	assertContainsRule(t, rules, "ufw allow 80/tcp")
 	assertContainsRule(t, rules, "ufw allow 443/tcp")
-	assertContainsRule(t, rules, "ufw allow from 10.0.0.0/8")
+	assertContainsRule(t, rules, "ufw allow from 10.0.0.0/24")
 	assertContainsRule(t, rules, "sysctl -w net.ipv6.conf.all.disable_ipv6=1")
 	assertContainsRule(t, rules, "sysctl -w net.ipv6.conf.default.disable_ipv6=1")
 	assertContainsRule(t, rules, "ufw --force enable")
-	assertContainsRule(t, rules, "iptables -I INPUT 1 -i wg0 -s 10.0.0.0/8 -j ACCEPT")
+	assertContainsRule(t, rules, "iptables -I INPUT 1 -i wg0 -s 10.0.0.0/24 -j ACCEPT")
 	// Should NOT contain DNS or Anyone relay
 	for _, rule := range rules {
@ -76,7 +78,7 @@ func TestFirewallProvisioner_GenerateRules_WireGuardSubnetAllowed(t *testing.T)
 	rules := fp.GenerateRules()
-	assertContainsRule(t, rules, "ufw allow from 10.0.0.0/8")
+	assertContainsRule(t, rules, "ufw allow from 10.0.0.0/24")
 }
 func TestFirewallProvisioner_GenerateRules_FullConfig(t *testing.T) {
--- a/pkg/environments/production/installers/coredns.go
+++ b/pkg/environments/production/installers/coredns.go
@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/DeBrosOfficial/network/pkg/constants"
@ -323,8 +324,18 @@ rqlite:rqlite
 `
 }
-// generateCorefile creates the CoreDNS configuration (RQLite only)
+// generateCorefile creates the CoreDNS configuration (RQLite only).
 // If RQLite credentials exist on disk, they are included in the config.
 func (ci *CoreDNSInstaller) generateCorefile(domain, rqliteDSN string) string {
 	// Read RQLite credentials from secrets if available
 	authBlock := ""
 	if data, err := os.ReadFile("/opt/orama/.orama/secrets/rqlite-password"); err == nil {
 		password := strings.TrimSpace(string(data))
 		if password != "" {
 			authBlock = fmt.Sprintf("        username orama\n        password %s\n", password)
 		}
 	}
 	return fmt.Sprintf(`# CoreDNS configuration for %s
 # Uses RQLite for ALL DNS records (static + dynamic)
 # Static records (SOA, NS, A) are seeded into RQLite during installation
@ -336,7 +347,7 @@ func (ci *CoreDNSInstaller) generateCorefile(domain, rqliteDSN string) string {
        refresh 5s
        ttl 30
        cache_size 10000
-    }
+%s    }
    # Enable logging and error reporting
    log
@ -351,7 +362,7 @@ func (ci *CoreDNSInstaller) generateCorefile(domain, rqliteDSN string) string {
    cache 300
    errors
 }
-`, domain, domain, rqliteDSN)
+`, domain, domain, rqliteDSN, authBlock)
 }
 // seedStaticRecords inserts static zone records into RQLite (non-destructive)
--- a/pkg/environments/production/orchestrator.go
+++ b/pkg/environments/production/orchestrator.go
@ -1,6 +1,7 @@
 package production
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
@ -256,6 +257,13 @@ func (ps *ProductionSetup) Phase2ProvisionEnvironment() error {
 	}
 	ps.logf("  ✓ Directory structure created")
 	// Create dedicated orama user for running services (non-root)
 	if err := ps.fsProvisioner.EnsureOramaUser(); err != nil {
 		ps.logf("  ⚠️  Could not create orama user: %v (services will run as root)", err)
 	} else {
 		ps.logf("  ✓ orama user ensured")
 	}
 	return nil
 }
@ -477,6 +485,11 @@ func (ps *ProductionSetup) Phase2cInitializeServices(peerAddresses []string, vps
 		return fmt.Errorf("failed to initialize IPFS Cluster: %w", err)
 	}
 	// After init, save own IPFS Cluster peer ID to trusted peers file
 	if err := ps.saveOwnClusterPeerID(clusterPath); err != nil {
 		ps.logf("  ⚠️  Could not save IPFS Cluster peer ID to trusted peers: %v", err)
 	}
 	// Initialize RQLite data directory
 	rqliteDataDir := filepath.Join(dataDir, "rqlite")
 	if err := ps.binaryInstaller.InitializeRQLiteDataDir(rqliteDataDir); err != nil {
@ -487,6 +500,50 @@ func (ps *ProductionSetup) Phase2cInitializeServices(peerAddresses []string, vps
 	return nil
 }
 // saveOwnClusterPeerID reads this node's IPFS Cluster peer ID from identity.json
 // and appends it to the trusted-peers file so EnsureConfig() can use it.
 func (ps *ProductionSetup) saveOwnClusterPeerID(clusterPath string) error {
 	identityPath := filepath.Join(clusterPath, "identity.json")
 	data, err := os.ReadFile(identityPath)
 	if err != nil {
 		return fmt.Errorf("failed to read identity.json: %w", err)
 	}
 	var identity struct {
 		ID string `json:"id"`
 	}
 	if err := json.Unmarshal(data, &identity); err != nil {
 		return fmt.Errorf("failed to parse identity.json: %w", err)
 	}
 	if identity.ID == "" {
 		return fmt.Errorf("peer ID not found in identity.json")
 	}
 	// Read existing trusted peers
 	trustedPeersPath := filepath.Join(ps.oramaDir, "secrets", "ipfs-cluster-trusted-peers")
 	var existing []string
 	if fileData, err := os.ReadFile(trustedPeersPath); err == nil {
 		for _, line := range strings.Split(strings.TrimSpace(string(fileData)), "\n") {
 			line = strings.TrimSpace(line)
 			if line != "" {
 				if line == identity.ID {
 					return nil // already present
 				}
 				existing = append(existing, line)
 			}
 		}
 	}
 	existing = append(existing, identity.ID)
 	content := strings.Join(existing, "\n") + "\n"
 	if err := os.WriteFile(trustedPeersPath, []byte(content), 0600); err != nil {
 		return fmt.Errorf("failed to write trusted peers file: %w", err)
 	}
 	ps.logf("  ✓ IPFS Cluster peer ID saved to trusted peers: %s", identity.ID)
 	return nil
 }
 // Phase3GenerateSecrets generates shared secrets and keys
 func (ps *ProductionSetup) Phase3GenerateSecrets() error {
 	ps.logf("Phase 3: Generating secrets...")
@ -503,6 +560,24 @@ func (ps *ProductionSetup) Phase3GenerateSecrets() error {
 	}
 	ps.logf("  ✓ IPFS swarm key ensured")
 	// RQLite auth credentials
 	if _, _, err := ps.secretGenerator.EnsureRQLiteAuth(); err != nil {
 		return fmt.Errorf("failed to ensure RQLite auth: %w", err)
 	}
 	ps.logf("  ✓ RQLite auth credentials ensured")
 	// Olric gossip encryption key
 	if _, err := ps.secretGenerator.EnsureOlricEncryptionKey(); err != nil {
 		return fmt.Errorf("failed to ensure Olric encryption key: %w", err)
 	}
 	ps.logf("  ✓ Olric encryption key ensured")
 	// API key HMAC secret
 	if _, err := ps.secretGenerator.EnsureAPIKeyHMACSecret(); err != nil {
 		return fmt.Errorf("failed to ensure API key HMAC secret: %w", err)
 	}
 	ps.logf("  ✓ API key HMAC secret ensured")
 	// Node identity (unified architecture)
 	peerID, err := ps.secretGenerator.EnsureNodeIdentity()
 	if err != nil {
--- a/pkg/environments/production/paths.go
+++ b/pkg/environments/production/paths.go
@ -14,6 +14,7 @@ const (
 	// Pre-built binary archive paths (created by `orama build`)
 	OramaManifest      = "/opt/orama/manifest.json"
 	OramaManifestSig   = "/opt/orama/manifest.sig"
 	OramaArchiveBin  = "/opt/orama/bin"       // Pre-built binaries
 	OramaSystemdDir  = "/opt/orama/systemd"   // Namespace service templates
 	OramaPackagesDir = "/opt/orama/packages"  // .deb packages (e.g., anon.deb)
--- a/pkg/environments/production/prebuilt.go
+++ b/pkg/environments/production/prebuilt.go
@ -1,12 +1,17 @@
 package production
 import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	ethcrypto "github.com/ethereum/go-ethereum/crypto"
 )
 // PreBuiltManifest describes the contents of a pre-built binary archive.
@ -40,6 +45,74 @@ func LoadPreBuiltManifest() (*PreBuiltManifest, error) {
 	return &manifest, nil
 }
 // OramaSignerAddress is the Ethereum address authorized to sign build archives.
 // Archives signed by any other address are rejected during install.
 // This is the DeBros deploy wallet — update if the signing key rotates.
 const OramaSignerAddress = "0x0000000000000000000000000000000000000000" // TODO: set real address
 // VerifyArchiveSignature verifies that the pre-built archive was signed by the
 // authorized Orama signer. Returns nil if the signature is valid, or if no
 // signature file exists (unsigned archives are allowed but logged as a warning).
 func VerifyArchiveSignature(manifest *PreBuiltManifest) error {
 	sigData, err := os.ReadFile(OramaManifestSig)
 	if os.IsNotExist(err) {
 		return nil // unsigned archive — caller decides whether to proceed
 	}
 	if err != nil {
 		return fmt.Errorf("failed to read manifest.sig: %w", err)
 	}
 	// Reproduce the same hash used during signing: SHA256 of compact JSON
 	manifestJSON, err := json.Marshal(manifest)
 	if err != nil {
 		return fmt.Errorf("failed to marshal manifest: %w", err)
 	}
 	manifestHash := sha256.Sum256(manifestJSON)
 	hashHex := hex.EncodeToString(manifestHash[:])
 	// EVM personal_sign: keccak256("\x19Ethereum Signed Message:\n" + len + message)
 	msg := []byte(hashHex)
 	prefix := []byte("\x19Ethereum Signed Message:\n" + fmt.Sprintf("%d", len(msg)))
 	ethHash := ethcrypto.Keccak256(prefix, msg)
 	// Decode signature
 	sigHex := strings.TrimSpace(string(sigData))
 	if strings.HasPrefix(sigHex, "0x") || strings.HasPrefix(sigHex, "0X") {
 		sigHex = sigHex[2:]
 	}
 	sig, err := hex.DecodeString(sigHex)
 	if err != nil || len(sig) != 65 {
 		return fmt.Errorf("invalid signature format in manifest.sig")
 	}
 	// Normalize recovery ID
 	if sig[64] >= 27 {
 		sig[64] -= 27
 	}
 	// Recover public key from signature
 	pub, err := ethcrypto.SigToPub(ethHash, sig)
 	if err != nil {
 		return fmt.Errorf("signature recovery failed: %w", err)
 	}
 	recovered := ethcrypto.PubkeyToAddress(*pub).Hex()
 	expected := strings.ToLower(OramaSignerAddress)
 	got := strings.ToLower(recovered)
 	if got != expected {
 		return fmt.Errorf("archive signed by %s, expected %s — refusing to install", recovered, OramaSignerAddress)
 	}
 	return nil
 }
 // IsArchiveSigned returns true if a manifest.sig file exists alongside the manifest.
 func IsArchiveSigned() bool {
 	_, err := os.Stat(OramaManifestSig)
 	return err == nil
 }
 // installFromPreBuilt installs all binaries from a pre-built archive.
 // The archive must already be extracted at /opt/orama/ with:
 //   - /opt/orama/bin/ — all pre-compiled binaries
@ -49,6 +122,16 @@ func LoadPreBuiltManifest() (*PreBuiltManifest, error) {
 func (ps *ProductionSetup) installFromPreBuilt(manifest *PreBuiltManifest) error {
 	ps.logf("  Using pre-built binary archive v%s (%s) linux/%s", manifest.Version, manifest.Commit, manifest.Arch)
 	// Verify archive signature if present
 	if IsArchiveSigned() {
 		if err := VerifyArchiveSignature(manifest); err != nil {
 			return fmt.Errorf("archive signature verification failed: %w", err)
 		}
 		ps.logf("  ✓ Archive signature verified")
 	} else {
 		ps.logf("  ⚠️  Archive is unsigned — consider using 'orama build --sign'")
 	}
 	// Install minimal system dependencies (no build tools needed)
 	if err := ps.installMinimalSystemDeps(); err != nil {
 		ps.logf("  ⚠️  System dependencies warning: %v", err)
--- a/pkg/environments/production/provisioner.go
+++ b/pkg/environments/production/provisioner.go
@ -83,6 +83,38 @@ func (fp *FilesystemProvisioner) EnsureDirectoryStructure() error {
 	return nil
 }
 // EnsureOramaUser creates the 'orama' system user and group for running services.
 // Sets ownership of the orama data directory to the new user.
 func (fp *FilesystemProvisioner) EnsureOramaUser() error {
 	// Check if user already exists
 	if err := exec.Command("id", "orama").Run(); err == nil {
 		return nil // user already exists
 	}
 	// Create system user with no login shell and home at /opt/orama
 	cmd := exec.Command("useradd", "--system", "--no-create-home",
 		"--home-dir", fp.oramaHome, "--shell", "/usr/sbin/nologin", "orama")
 	if output, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("failed to create orama user: %w\n%s", err, string(output))
 	}
 	// Set ownership of orama directories
 	chown := exec.Command("chown", "-R", "orama:orama", fp.oramaDir)
 	if output, err := chown.CombinedOutput(); err != nil {
 		return fmt.Errorf("failed to chown %s: %w\n%s", fp.oramaDir, err, string(output))
 	}
 	// Also chown the bin directory
 	binDir := filepath.Join(fp.oramaHome, "bin")
 	if _, err := os.Stat(binDir); err == nil {
 		chown = exec.Command("chown", "-R", "orama:orama", binDir)
 		if output, err := chown.CombinedOutput(); err != nil {
 			return fmt.Errorf("failed to chown %s: %w\n%s", binDir, err, string(output))
 		}
 	}
 	return nil
 }
 // StateDetector checks for existing production state
 type StateDetector struct {
--- a/pkg/environments/production/services.go
+++ b/pkg/environments/production/services.go
@ -8,6 +8,17 @@ import (
 	"strings"
 )
 // oramaServiceHardening contains common systemd security directives for orama services.
 const oramaServiceHardening = `User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes`
 // SystemdServiceGenerator generates systemd unit files
 type SystemdServiceGenerator struct {
 	oramaHome string
@ -34,6 +45,8 @@ Wants=network-online.target
 [Service]
 Type=simple
 %[6]s
 ReadWritePaths=%[3]s
 Environment=HOME=%[1]s
 Environment=IPFS_PATH=%[2]s
 ExecStartPre=/bin/bash -c 'if [ -f %[3]s/secrets/swarm.key ] && [ ! -f %[2]s/swarm.key ]; then cp %[3]s/secrets/swarm.key %[2]s/swarm.key && chmod 600 %[2]s/swarm.key; fi'
@ -52,7 +65,7 @@ MemoryMax=4G
 [Install]
 WantedBy=multi-user.target
-`, ssg.oramaHome, ipfsRepoPath, ssg.oramaDir, logFile, ipfsBinary)
+`, ssg.oramaHome, ipfsRepoPath, ssg.oramaDir, logFile, ipfsBinary, oramaServiceHardening)
 }
 // GenerateIPFSClusterService generates the IPFS Cluster systemd unit
@ -75,6 +88,8 @@ Requires=orama-ipfs.service
 [Service]
 Type=simple
 %[6]s
 ReadWritePaths=%[7]s
 WorkingDirectory=%[1]s
 Environment=HOME=%[1]s
 Environment=IPFS_CLUSTER_PATH=%[2]s
@ -96,7 +111,7 @@ MemoryMax=2G
 [Install]
 WantedBy=multi-user.target
-`, ssg.oramaHome, clusterPath, logFile, clusterBinary, clusterSecret)
+`, ssg.oramaHome, clusterPath, logFile, clusterBinary, clusterSecret, oramaServiceHardening, ssg.oramaDir)
 }
 // GenerateRQLiteService generates the RQLite systemd unit
@ -128,6 +143,8 @@ Wants=network-online.target
 [Service]
 Type=simple
 %[6]s
 ReadWritePaths=%[7]s
 Environment=HOME=%[1]s
 ExecStart=%[5]s %[2]s
 Restart=always
@ -143,7 +160,7 @@ KillMode=mixed
 [Install]
 WantedBy=multi-user.target
-`, ssg.oramaHome, args, logFile, dataDir, rqliteBinary)
+`, ssg.oramaHome, args, logFile, dataDir, rqliteBinary, oramaServiceHardening, ssg.oramaDir)
 }
 // GenerateOlricService generates the Olric systemd unit
@ -158,6 +175,8 @@ Wants=network-online.target
 [Service]
 Type=simple
 %[6]s
 ReadWritePaths=%[4]s
 Environment=HOME=%[1]s
 Environment=OLRIC_SERVER_CONFIG=%[2]s
 ExecStart=%[5]s
@ -175,7 +194,7 @@ MemoryMax=4G
 [Install]
 WantedBy=multi-user.target
-`, ssg.oramaHome, olricConfigPath, logFile, ssg.oramaDir, olricBinary)
+`, ssg.oramaHome, olricConfigPath, logFile, ssg.oramaDir, olricBinary, oramaServiceHardening)
 }
 // GenerateNodeService generates the Orama Node systemd unit
@ -193,6 +212,8 @@ Requires=wg-quick@wg0.service
 [Service]
 Type=simple
 %[5]s
 ReadWritePaths=%[2]s
 WorkingDirectory=%[1]s
 Environment=HOME=%[1]s
 ExecStart=%[1]s/bin/orama-node --config %[2]s/configs/%[3]s
@ -211,7 +232,7 @@ OOMScoreAdjust=-500
 [Install]
 WantedBy=multi-user.target
-`, ssg.oramaHome, ssg.oramaDir, configFile, logFile)
+`, ssg.oramaHome, ssg.oramaDir, configFile, logFile, oramaServiceHardening)
 }
 // GenerateVaultService generates the Orama Vault Guardian systemd unit.
@ -230,6 +251,16 @@ PartOf=orama-node.service
 [Service]
 Type=simple
 User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
 ReadWritePaths=%[2]s
 ExecStart=%[1]s/bin/vault-guardian --config %[2]s/vault.yaml
 Restart=on-failure
 RestartSec=5
@ -238,9 +269,6 @@ StandardError=append:%[3]s
 SyslogIdentifier=orama-vault
 PrivateTmp=yes
 ProtectSystem=strict
 ReadWritePaths=%[2]s
 NoNewPrivileges=yes
 LimitMEMLOCK=67108864
 MemoryMax=512M
 TimeoutStopSec=30
@ -261,6 +289,8 @@ Wants=orama-node.service orama-olric.service
 [Service]
 Type=simple
 %[4]s
 ReadWritePaths=%[2]s
 WorkingDirectory=%[1]s
 Environment=HOME=%[1]s
 ExecStart=%[1]s/bin/gateway --config %[2]s/data/gateway.yaml
@ -278,7 +308,7 @@ MemoryMax=4G
 [Install]
 WantedBy=multi-user.target
-`, ssg.oramaHome, ssg.oramaDir, logFile)
+`, ssg.oramaHome, ssg.oramaDir, logFile, oramaServiceHardening)
 }
 // GenerateAnyoneClientService generates the Anyone Client SOCKS5 proxy systemd unit.
@ -353,7 +383,7 @@ WantedBy=multi-user.target
 // GenerateCoreDNSService generates the CoreDNS systemd unit
 func (ssg *SystemdServiceGenerator) GenerateCoreDNSService() string {
-	return `[Unit]
+	return fmt.Sprintf(`[Unit]
 Description=CoreDNS DNS Server with RQLite backend
 Documentation=https://coredns.io
 After=network-online.target orama-node.service
@ -361,11 +391,16 @@ Wants=network-online.target orama-node.service
 [Service]
 Type=simple
 %[1]s
 ReadWritePaths=%[2]s
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/coredns -conf /etc/coredns/Corefile
 Restart=on-failure
 RestartSec=5
 SyslogIdentifier=coredns
 PrivateTmp=yes
 LimitNOFILE=65536
 TimeoutStopSec=30
 KillMode=mixed
@ -373,12 +408,12 @@ MemoryMax=1G
 [Install]
 WantedBy=multi-user.target
-`
+`, oramaServiceHardening, ssg.oramaDir)
 }
 // GenerateCaddyService generates the Caddy systemd unit for SSL/TLS
 func (ssg *SystemdServiceGenerator) GenerateCaddyService() string {
-	return `[Unit]
+	return fmt.Sprintf(`[Unit]
 Description=Caddy HTTP/2 Server
 Documentation=https://caddyserver.com/docs/
 After=network-online.target orama-node.service coredns.service
@ -387,6 +422,10 @@ Wants=orama-node.service
 [Service]
 Type=simple
 %[1]s
 ReadWritePaths=%[2]s /var/lib/caddy /etc/caddy
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
 ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
 TimeoutStopSec=5s
@ -401,7 +440,7 @@ MemoryMax=2G
 [Install]
 WantedBy=multi-user.target
-`
+`, oramaServiceHardening, ssg.oramaDir)
 }
 // SystemdController manages systemd service operations
--- a/pkg/environments/production/wireguard.go
+++ b/pkg/environments/production/wireguard.go
@ -117,8 +117,8 @@ func (wp *WireGuardProvisioner) GenerateConfig() string {
 	// Accept all WireGuard subnet traffic before UFW's conntrack "invalid" drop.
 	// Without this, packets reordered by the tunnel get silently dropped.
-	sb.WriteString("PostUp = iptables -I INPUT 1 -i wg0 -s 10.0.0.0/8 -j ACCEPT\n")
+	sb.WriteString("PostUp = iptables -I INPUT 1 -i wg0 -s 10.0.0.0/24 -j ACCEPT\n")
-	sb.WriteString("PostDown = iptables -D INPUT -i wg0 -s 10.0.0.0/8 -j ACCEPT\n")
+	sb.WriteString("PostDown = iptables -D INPUT -i wg0 -s 10.0.0.0/24 -j ACCEPT\n")
 	for _, peer := range wp.config.Peers {
 		sb.WriteString("\n[Peer]\n")
--- a/pkg/environments/production/wireguard_test.go
+++ b/pkg/environments/production/wireguard_test.go
@ -95,10 +95,10 @@ func TestWireGuardProvisioner_GenerateConfig_NoPeers(t *testing.T) {
 	if !strings.Contains(config, "PrivateKey = dGVzdHByaXZhdGVrZXl0ZXN0cHJpdmF0ZWtleXM=") {
 		t.Error("config should contain PrivateKey")
 	}
-	if !strings.Contains(config, "PostUp = iptables -I INPUT 1 -i wg0 -s 10.0.0.0/8 -j ACCEPT") {
+	if !strings.Contains(config, "PostUp = iptables -I INPUT 1 -i wg0 -s 10.0.0.0/24 -j ACCEPT") {
 		t.Error("config should contain PostUp iptables rule for WireGuard subnet")
 	}
-	if !strings.Contains(config, "PostDown = iptables -D INPUT -i wg0 -s 10.0.0.0/8 -j ACCEPT") {
+	if !strings.Contains(config, "PostDown = iptables -D INPUT -i wg0 -s 10.0.0.0/24 -j ACCEPT") {
 		t.Error("config should contain PostDown iptables cleanup rule")
 	}
 	if strings.Contains(config, "[Peer]") {
--- a/pkg/environments/templates/olric.yaml
+++ b/pkg/environments/templates/olric.yaml
@ -15,3 +15,6 @@ memberlist:
    - "{{.}}"
 {{- end}}
 {{- end}}
 {{- if .EncryptionKey}}
  encryptionKey: "{{.EncryptionKey}}"
 {{- end}}
--- a/pkg/environments/templates/render.go
+++ b/pkg/environments/templates/render.go
@ -65,6 +65,7 @@ type OlricConfigData struct {
 	MemberlistEnvironment   string   // "local", "lan", or "wan"
 	MemberlistAdvertiseAddr string   // Advertise address (WG IP) so other nodes can reach us
 	Peers                   []string // Seed peers for memberlist (host:port)
 	EncryptionKey           string   // Base64-encoded 32-byte key for memberlist gossip encryption (empty = no encryption)
 }
 // SystemdIPFSData holds parameters for systemd IPFS service rendering
--- a/pkg/environments/templates/systemd_gateway.service
+++ b/pkg/environments/templates/systemd_gateway.service
@ -5,6 +5,16 @@ Wants=orama-node.service
 [Service]
 Type=simple
 User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
 ReadWritePaths={{.OramaDir}}
 WorkingDirectory={{.HomeDir}}
 Environment=HOME={{.HomeDir}}
 ExecStart={{.HomeDir}}/bin/gateway --config {{.OramaDir}}/data/gateway.yaml
--- a/pkg/environments/templates/systemd_ipfs.service
+++ b/pkg/environments/templates/systemd_ipfs.service
@ -5,6 +5,16 @@ Wants=network-online.target
 [Service]
 Type=simple
 User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
 ReadWritePaths={{.IPFSRepoPath}} {{.OramaDir}}
 Environment=HOME={{.HomeDir}}
 Environment=IPFS_PATH={{.IPFSRepoPath}}
 ExecStartPre=/bin/bash -c 'if [ -f {{.SecretsDir}}/swarm.key ] && [ ! -f {{.IPFSRepoPath}}/swarm.key ]; then cp {{.SecretsDir}}/swarm.key {{.IPFSRepoPath}}/swarm.key && chmod 600 {{.IPFSRepoPath}}/swarm.key; fi'
--- a/pkg/environments/templates/systemd_ipfs_cluster.service
+++ b/pkg/environments/templates/systemd_ipfs_cluster.service
@ -6,6 +6,16 @@ Requires=orama-ipfs-{{.NodeType}}.service
 [Service]
 Type=simple
 User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
 ReadWritePaths={{.ClusterPath}} {{.OramaDir}}
 WorkingDirectory={{.HomeDir}}
 Environment=HOME={{.HomeDir}}
 Environment=CLUSTER_PATH={{.ClusterPath}}
--- a/pkg/environments/templates/systemd_node.service
+++ b/pkg/environments/templates/systemd_node.service
@ -6,6 +6,16 @@ Requires=orama-ipfs-cluster-{{.NodeType}}.service
 [Service]
 Type=simple
 User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
 ReadWritePaths={{.OramaDir}}
 WorkingDirectory={{.HomeDir}}
 Environment=HOME={{.HomeDir}}
 ExecStart={{.HomeDir}}/bin/orama-node --config {{.OramaDir}}/configs/{{.ConfigFile}}
--- a/pkg/environments/templates/systemd_olric.service
+++ b/pkg/environments/templates/systemd_olric.service
@ -5,6 +5,16 @@ Wants=network-online.target
 [Service]
 Type=simple
 User=orama
 Group=orama
 ProtectSystem=strict
 ProtectHome=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
 ReadWritePaths={{.OramaDir}}
 Environment=HOME={{.HomeDir}}
 Environment=OLRIC_SERVER_CONFIG={{.ConfigPath}}
 ExecStart=/usr/local/bin/olric-server
--- a/pkg/gateway/auth/crypto.go
+++ b/pkg/gateway/auth/crypto.go
@ -0,0 +1,24 @@
 package auth
 import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/hex"
 )
 // sha256Hex returns the lowercase hex-encoded SHA-256 hash of the input string.
 // Used to hash refresh tokens before storage — deterministic so we can hash on
 // insert and hash on lookup without storing the raw token.
 func sha256Hex(s string) string {
 	h := sha256.Sum256([]byte(s))
 	return hex.EncodeToString(h[:])
 }
 // HmacSHA256Hex computes HMAC-SHA256 of data with the given secret key and
 // returns the result as a lowercase hex string. Used for API key hashing —
 // fast and deterministic, allowing direct DB lookup by hash.
 func HmacSHA256Hex(data, secret string) string {
 	mac := hmac.New(sha256.New, []byte(secret))
 	mac.Write([]byte(data))
 	return hex.EncodeToString(mac.Sum(nil))
 }
--- a/pkg/gateway/auth/service.go
+++ b/pkg/gateway/auth/service.go
@ -32,6 +32,7 @@ type Service struct {
 	edKeyID          string
 	preferEdDSA      bool
 	defaultNS        string
 	apiKeyHMACSecret string // HMAC secret for hashing API keys before storage
 }
 func NewService(logger *logging.ColoredLogger, orm client.NetworkClient, signingKeyPEM string, defaultNS string) (*Service, error) {
@ -61,6 +62,21 @@ func NewService(logger *logging.ColoredLogger, orm client.NetworkClient, signing
 	return s, nil
 }
 // SetAPIKeyHMACSecret configures the HMAC secret used to hash API keys before storage.
 // When set, API keys are stored as HMAC-SHA256(key, secret) in the database.
 func (s *Service) SetAPIKeyHMACSecret(secret string) {
 	s.apiKeyHMACSecret = secret
 }
 // HashAPIKey returns the HMAC-SHA256 hash of an API key if the HMAC secret is set,
 // or returns the raw key for backward compatibility during rolling upgrade.
 func (s *Service) HashAPIKey(key string) string {
 	if s.apiKeyHMACSecret == "" {
 		return key
 	}
 	return HmacSHA256Hex(key, s.apiKeyHMACSecret)
 }
 // SetEdDSAKey configures an Ed25519 signing key for EdDSA JWT support.
 // When set, new tokens are signed with EdDSA; RS256 is still accepted for verification.
 func (s *Service) SetEdDSAKey(privKey ed25519.PrivateKey) {
@ -207,9 +223,10 @@ func (s *Service) IssueTokens(ctx context.Context, wallet, namespace string) (st
 	internalCtx := client.WithInternalAuth(ctx)
 	db := s.orm.Database()
 	hashedRefresh := sha256Hex(refresh)
 	if _, err := db.Query(internalCtx,
 		"INSERT INTO refresh_tokens(namespace_id, subject, token, audience, expires_at) VALUES (?, ?, ?, ?, datetime('now', '+30 days'))",
-		nsID, wallet, refresh, "gateway",
+		nsID, wallet, hashedRefresh, "gateway",
 	); err != nil {
 		return "", "", 0, fmt.Errorf("failed to store refresh token: %w", err)
 	}
@ -227,8 +244,9 @@ func (s *Service) RefreshToken(ctx context.Context, refreshToken, namespace stri
 		return "", "", 0, err
 	}
 	hashedRefresh := sha256Hex(refreshToken)
 	q := "SELECT subject FROM refresh_tokens WHERE namespace_id = ? AND token = ? AND revoked_at IS NULL AND (expires_at IS NULL OR expires_at > datetime('now')) LIMIT 1"
-	res, err := db.Query(internalCtx, q, nsID, refreshToken)
+	res, err := db.Query(internalCtx, q, nsID, hashedRefresh)
 	if err != nil || res == nil || res.Count == 0 {
 		return "", "", 0, fmt.Errorf("invalid or expired refresh token")
 	}
@ -262,7 +280,8 @@ func (s *Service) RevokeToken(ctx context.Context, namespace, token string, all
 	}
 	if token != "" {
-		_, err := db.Query(internalCtx, "UPDATE refresh_tokens SET revoked_at = datetime('now') WHERE namespace_id = ? AND token = ? AND revoked_at IS NULL", nsID, token)
+		hashedToken := sha256Hex(token)
 		_, err := db.Query(internalCtx, "UPDATE refresh_tokens SET revoked_at = datetime('now') WHERE namespace_id = ? AND token = ? AND revoked_at IS NULL", nsID, hashedToken)
 		return err
 	}
@ -335,19 +354,21 @@ func (s *Service) GetOrCreateAPIKey(ctx context.Context, wallet, namespace strin
 	}
 	apiKey = "ak_" + base64.RawURLEncoding.EncodeToString(buf) + ":" + namespace
-	if _, err := db.Query(internalCtx, "INSERT INTO api_keys(key, name, namespace_id) VALUES (?, ?, ?)", apiKey, "", nsID); err != nil {
+	// Store the HMAC hash of the key (not the raw key) if HMAC secret is configured
 	hashedKey := s.HashAPIKey(apiKey)
 	if _, err := db.Query(internalCtx, "INSERT INTO api_keys(key, name, namespace_id) VALUES (?, ?, ?)", hashedKey, "", nsID); err != nil {
 		return "", fmt.Errorf("failed to store api key: %w", err)
 	}
 	// Link wallet -> api_key
-	rid, err := db.Query(internalCtx, "SELECT id FROM api_keys WHERE key = ? LIMIT 1", apiKey)
+	rid, err := db.Query(internalCtx, "SELECT id FROM api_keys WHERE key = ? LIMIT 1", hashedKey)
 	if err == nil && rid != nil && rid.Count > 0 && len(rid.Rows) > 0 && len(rid.Rows[0]) > 0 {
 		apiKeyID := rid.Rows[0][0]
 		_, _ = db.Query(internalCtx, "INSERT OR IGNORE INTO wallet_api_keys(namespace_id, wallet, api_key_id) VALUES (?, ?, ?)", nsID, strings.ToLower(wallet), apiKeyID)
 	}
-	// Record ownerships
+	// Record ownerships — store the hash in ownership too
-	_, _ = db.Query(internalCtx, "INSERT OR IGNORE INTO namespace_ownership(namespace_id, owner_type, owner_id) VALUES (?, 'api_key', ?)", nsID, apiKey)
+	_, _ = db.Query(internalCtx, "INSERT OR IGNORE INTO namespace_ownership(namespace_id, owner_type, owner_id) VALUES (?, 'api_key', ?)", nsID, hashedKey)
 	_, _ = db.Query(internalCtx, "INSERT OR IGNORE INTO namespace_ownership(namespace_id, owner_type, owner_id) VALUES (?, 'wallet', ?)", nsID, wallet)
 	return apiKey, nil
--- a/pkg/gateway/config.go
+++ b/pkg/gateway/config.go
@ -39,9 +39,18 @@ type Config struct {
 	IPFSReplicationFactor int           // Replication factor for pins (default: 3)
 	IPFSEnableEncryption  bool          // Enable client-side encryption before upload (default: true, discovered from node configs)
 	// RQLite authentication (basic auth credentials embedded in DSN)
 	RQLiteUsername string // RQLite HTTP basic auth username (default: "orama")
 	RQLitePassword string // RQLite HTTP basic auth password
 	// WireGuard mesh configuration
 	ClusterSecret string // Cluster secret for authenticating internal WireGuard peer exchange
 	// API key HMAC secret for hashing API keys before storage.
 	// When set, API keys are stored as HMAC-SHA256(key, secret) in the database.
 	// Loaded from ~/.orama/secrets/api-key-hmac-secret.
 	APIKeyHMACSecret string
 	// WebRTC configuration (set when namespace has WebRTC enabled)
 	WebRTCEnabled bool   // Whether WebRTC endpoints are active on this gateway
 	SFUPort       int    // Local SFU signaling port to proxy WebSocket connections to
--- a/pkg/gateway/dependencies.go
+++ b/pkg/gateway/dependencies.go
@ -86,6 +86,7 @@ func NewDependencies(logger *logging.ColoredLogger, cfg *Config) (*Dependencies,
 		if dsn == "" {
 			dsn = "http://localhost:5001"
 		}
 		dsn = injectRQLiteAuth(dsn, cfg.RQLiteUsername, cfg.RQLitePassword)
 		cliCfg.DatabaseEndpoints = []string{dsn}
 	}
@ -136,6 +137,9 @@ func initializeRQLite(logger *logging.ColoredLogger, cfg *Config, deps *Dependen
 		dsn = "http://localhost:5001"
 	}
 	// Inject basic auth credentials into DSN if available
 	dsn = injectRQLiteAuth(dsn, cfg.RQLiteUsername, cfg.RQLitePassword)
 	if strings.Contains(dsn, "?") {
 		dsn += "&disableClusterDiscovery=true&level=none"
 	} else {
@ -483,6 +487,12 @@ func initializeServerless(logger *logging.ColoredLogger, cfg *Config, deps *Depe
 		logger.ComponentInfo(logging.ComponentGeneral, "EdDSA signing key loaded; new JWTs will use EdDSA")
 	}
 	// Configure API key HMAC secret if available
 	if cfg.APIKeyHMACSecret != "" {
 		authService.SetAPIKeyHMACSecret(cfg.APIKeyHMACSecret)
 		logger.ComponentInfo(logging.ComponentGeneral, "API key HMAC secret loaded; new API keys will be hashed")
 	}
 	deps.AuthService = authService
 	logger.ComponentInfo(logging.ComponentGeneral, "Serverless function engine ready",
@ -660,3 +670,19 @@ func discoverIPFSFromNodeConfigs(logger *zap.Logger) ipfsDiscoveryResult {
 	return ipfsDiscoveryResult{}
 }
 // injectRQLiteAuth injects HTTP basic auth credentials into a RQLite DSN URL.
 // If username or password is empty, the DSN is returned unchanged.
 // Input: "http://localhost:5001" → Output: "http://orama:secret@localhost:5001"
 func injectRQLiteAuth(dsn, username, password string) string {
 	if username == "" || password == "" {
 		return dsn
 	}
 	// Insert user:pass@ after the scheme (http:// or https://)
 	for _, scheme := range []string{"https://", "http://"} {
 		if strings.HasPrefix(dsn, scheme) {
 			return scheme + username + ":" + password + "@" + dsn[len(scheme):]
 		}
 	}
 	return dsn
 }
--- a/pkg/gateway/gateway.go
+++ b/pkg/gateway/gateway.go
@ -313,7 +313,7 @@ func New(logger *logging.ColoredLogger, cfg *Config) (*Gateway, error) {
 		// Create client config for global namespace
 		authCfg := client.DefaultClientConfig("default") // Use "default" namespace for global
-		authCfg.DatabaseEndpoints = []string{cfg.GlobalRQLiteDSN}
+		authCfg.DatabaseEndpoints = []string{injectRQLiteAuth(cfg.GlobalRQLiteDSN, cfg.RQLiteUsername, cfg.RQLitePassword)}
 		if len(cfg.BootstrapPeers) > 0 {
 			authCfg.BootstrapPeers = cfg.BootstrapPeers
 		}
--- a/pkg/gateway/handlers/join/handler.go
+++ b/pkg/gateway/handlers/join/handler.go
@ -34,11 +34,15 @@ type JoinResponse struct {
 	// Secrets
 	ClusterSecret    string `json:"cluster_secret"`
 	SwarmKey         string `json:"swarm_key"`
 	APIKeyHMACSecret string `json:"api_key_hmac_secret,omitempty"`
 	RQLitePassword      string `json:"rqlite_password,omitempty"`
 	OlricEncryptionKey  string `json:"olric_encryption_key,omitempty"`
 	// Cluster join info (all using WG IPs)
 	RQLiteJoinAddress  string   `json:"rqlite_join_address"`
 	IPFSPeer           PeerInfo `json:"ipfs_peer"`
 	IPFSClusterPeer    PeerInfo `json:"ipfs_cluster_peer"`
 	IPFSClusterPeerIDs []string `json:"ipfs_cluster_peer_ids,omitempty"`
 	BootstrapPeers     []string `json:"bootstrap_peers"`
 	// Olric seed peers (WG IP:port for memberlist)
@ -155,6 +159,24 @@ func (h *Handler) HandleJoin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// Read API key HMAC secret (optional — may not exist on older clusters)
 	apiKeyHMACSecret := ""
 	if data, err := os.ReadFile(h.oramaDir + "/secrets/api-key-hmac-secret"); err == nil {
 		apiKeyHMACSecret = strings.TrimSpace(string(data))
 	}
 	// Read RQLite password (optional — may not exist on older clusters)
 	rqlitePassword := ""
 	if data, err := os.ReadFile(h.oramaDir + "/secrets/rqlite-password"); err == nil {
 		rqlitePassword = strings.TrimSpace(string(data))
 	}
 	// Read Olric encryption key (optional — may not exist on older clusters)
 	olricEncryptionKey := ""
 	if data, err := os.ReadFile(h.oramaDir + "/secrets/olric-encryption-key"); err == nil {
 		olricEncryptionKey = strings.TrimSpace(string(data))
 	}
 	// 7. Get all WG peers
 	wgPeers, err := h.getWGPeers(ctx, req.WGPublicKey)
 	if err != nil {
@ -181,6 +203,9 @@ func (h *Handler) HandleJoin(w http.ResponseWriter, r *http.Request) {
 	// 11. Read base domain from config
 	baseDomain := h.readBaseDomain()
 	// 12. Read IPFS Cluster trusted peer IDs
 	ipfsClusterPeerIDs := h.readIPFSClusterTrustedPeers()
 	// Build Olric seed peers from all existing WG peer IPs (memberlist port 3322)
 	var olricPeers []string
 	for _, p := range wgPeers {
@ -195,9 +220,13 @@ func (h *Handler) HandleJoin(w http.ResponseWriter, r *http.Request) {
 		WGPeers:            wgPeers,
 		ClusterSecret:      strings.TrimSpace(string(clusterSecret)),
 		SwarmKey:            strings.TrimSpace(string(swarmKey)),
 		APIKeyHMACSecret:   apiKeyHMACSecret,
 		RQLitePassword:     rqlitePassword,
 		OlricEncryptionKey: olricEncryptionKey,
 		RQLiteJoinAddress:  fmt.Sprintf("%s:7001", myWGIP),
 		IPFSPeer:           ipfsPeer,
 		IPFSClusterPeer:    ipfsClusterPeer,
 		IPFSClusterPeerIDs: ipfsClusterPeerIDs,
 		BootstrapPeers:     bootstrapPeers,
 		OlricPeers:         olricPeers,
 		BaseDomain:         baseDomain,
@ -454,6 +483,22 @@ func (h *Handler) buildBootstrapPeers(myWGIP, ipfsPeerID string) []string {
 	}
 }
 // readIPFSClusterTrustedPeers reads IPFS Cluster trusted peer IDs from the secrets file
 func (h *Handler) readIPFSClusterTrustedPeers() []string {
 	data, err := os.ReadFile(h.oramaDir + "/secrets/ipfs-cluster-trusted-peers")
 	if err != nil {
 		return nil
 	}
 	var peers []string
 	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
 		line = strings.TrimSpace(line)
 		if line != "" {
 			peers = append(peers, line)
 		}
 	}
 	return peers
 }
 // readBaseDomain reads the base domain from node config
 func (h *Handler) readBaseDomain() string {
 	data, err := os.ReadFile(h.oramaDir + "/configs/node.yaml")
--- a/pkg/gateway/handlers/pubsub/ws_client.go
+++ b/pkg/gateway/handlers/pubsub/ws_client.go
@ -4,6 +4,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/DeBrosOfficial/network/pkg/logging"
@ -14,8 +16,29 @@ import (
 var wsUpgrader = websocket.Upgrader{
 	ReadBufferSize:  1024,
 	WriteBufferSize: 1024,
-	// For early development we accept any origin; tighten later.
+	CheckOrigin:     checkWSOrigin,
-	CheckOrigin: func(r *http.Request) bool { return true },
+}
 // checkWSOrigin validates WebSocket origins against the request's Host header.
 // Non-browser clients (no Origin) are allowed. Browser clients must match the host.
 func checkWSOrigin(r *http.Request) bool {
 	origin := r.Header.Get("Origin")
 	if origin == "" {
 		return true
 	}
 	host := r.Host
 	if host == "" {
 		return false
 	}
 	if idx := strings.LastIndex(host, ":"); idx != -1 {
 		host = host[:idx]
 	}
 	parsed, err := url.Parse(origin)
 	if err != nil {
 		return false
 	}
 	originHost := parsed.Hostname()
 	return originHost == host || strings.HasSuffix(originHost, "."+host)
 }
 // wsClient wraps a WebSocket connection with message handling
--- a/pkg/gateway/handlers/serverless/ws_handler.go
+++ b/pkg/gateway/handlers/serverless/ws_handler.go
@ -4,6 +4,8 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/DeBrosOfficial/network/pkg/serverless"
@ -12,6 +14,29 @@ import (
 	"go.uber.org/zap"
 )
 // checkWSOrigin validates WebSocket origins against the request's Host header.
 // Non-browser clients (no Origin) are allowed. Browser clients must match the host.
 func checkWSOrigin(r *http.Request) bool {
 	origin := r.Header.Get("Origin")
 	if origin == "" {
 		return true
 	}
 	host := r.Host
 	if host == "" {
 		return false
 	}
 	// Strip port from host if present
 	if idx := strings.LastIndex(host, ":"); idx != -1 {
 		host = host[:idx]
 	}
 	parsed, err := url.Parse(origin)
 	if err != nil {
 		return false
 	}
 	originHost := parsed.Hostname()
 	return originHost == host || strings.HasSuffix(originHost, "."+host)
 }
 // HandleWebSocket handles WebSocket connections for function streaming.
 // It upgrades HTTP connections to WebSocket and manages bi-directional communication
 // for real-time function invocation and streaming responses.
@ -28,7 +53,7 @@ func (h *ServerlessHandlers) HandleWebSocket(w http.ResponseWriter, r *http.Requ
 	// Upgrade to WebSocket
 	upgrader := websocket.Upgrader{
-		CheckOrigin: func(r *http.Request) bool { return true },
+		CheckOrigin: checkWSOrigin,
 	}
 	conn, err := upgrader.Upgrade(w, r, nil)
--- a/pkg/gateway/handlers/wireguard/handler.go
+++ b/pkg/gateway/handlers/wireguard/handler.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"github.com/DeBrosOfficial/network/pkg/auth"
 	"github.com/DeBrosOfficial/network/pkg/rqlite"
 	"go.uber.org/zap"
 )
@ -129,6 +130,11 @@ func (h *Handler) HandleListPeers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if !h.validateInternalRequest(r) {
 		http.Error(w, "unauthorized", http.StatusForbidden)
 		return
 	}
 	peers, err := h.ListPeers(r.Context())
 	if err != nil {
 		h.logger.Error("failed to list WG peers", zap.Error(err))
@ -147,6 +153,11 @@ func (h *Handler) HandleRemovePeer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if !h.validateInternalRequest(r) {
 		http.Error(w, "unauthorized", http.StatusForbidden)
 		return
 	}
 	nodeID := r.URL.Query().Get("node_id")
 	if nodeID == "" {
 		http.Error(w, "node_id parameter required", http.StatusBadRequest)
@ -165,6 +176,18 @@ func (h *Handler) HandleRemovePeer(w http.ResponseWriter, r *http.Request) {
 	h.logger.Info("removed WireGuard peer", zap.String("node_id", nodeID))
 }
 // validateInternalRequest checks that the request comes from a WireGuard peer
 // and includes a valid cluster secret. Both conditions must be met.
 func (h *Handler) validateInternalRequest(r *http.Request) bool {
 	if !auth.IsWireGuardPeer(r.RemoteAddr) {
 		return false
 	}
 	if h.clusterSecret == "" {
 		return true
 	}
 	return r.Header.Get("X-Cluster-Secret") == h.clusterSecret
 }
 // ListPeers returns all registered WireGuard peers
 func (h *Handler) ListPeers(ctx context.Context) ([]PeerRecord, error) {
 	var peers []PeerRecord
--- a/pkg/gateway/middleware.go
+++ b/pkg/gateway/middleware.go
@ -74,7 +74,11 @@ func (g *Gateway) validateAuthForNamespaceProxy(r *http.Request) (namespace stri
 // lookupAPIKeyNamespace resolves an API key to its namespace using cache and DB.
 // dbClient controls which database is queried (global vs namespace-specific).
 // Returns the namespace name or an error if the key is invalid.
 //
 // Dual lookup strategy for rolling upgrade: tries HMAC-hashed key first (new keys),
 // then falls back to raw key lookup (existing unhashed keys during transition).
 func (g *Gateway) lookupAPIKeyNamespace(ctx context.Context, key string, dbClient client.NetworkClient) (string, error) {
 	// Cache uses raw key as cache key (in-memory only, never persisted)
 	if g.mwCache != nil {
 		if cachedNS, ok := g.mwCache.GetAPIKeyNamespace(key); ok {
 			return cachedNS, nil
@ -84,21 +88,34 @@ func (g *Gateway) lookupAPIKeyNamespace(ctx context.Context, key string, dbClien
 	db := dbClient.Database()
 	internalCtx := client.WithInternalAuth(ctx)
 	q := "SELECT namespaces.name FROM api_keys JOIN namespaces ON api_keys.namespace_id = namespaces.id WHERE api_keys.key = ? LIMIT 1"
 	res, err := db.Query(internalCtx, q, key)
 	if err != nil || res == nil || res.Count == 0 || len(res.Rows) == 0 || len(res.Rows[0]) == 0 {
 		return "", fmt.Errorf("invalid API key")
 	}
 	ns := getString(res.Rows[0][0])
 	if ns == "" {
 		return "", fmt.Errorf("invalid API key")
 	}
 	// Try HMAC-hashed lookup first (new keys stored as hashes)
 	hashedKey := g.authService.HashAPIKey(key)
 	res, err := db.Query(internalCtx, q, hashedKey)
 	if err == nil && res != nil && res.Count > 0 && len(res.Rows) > 0 && len(res.Rows[0]) > 0 {
 		if ns := getString(res.Rows[0][0]); ns != "" {
 			if g.mwCache != nil {
 				g.mwCache.SetAPIKeyNamespace(key, ns)
 			}
 			return ns, nil
 		}
 	}
 	// Fallback: try raw key lookup (existing unhashed keys during rolling upgrade)
 	if hashedKey != key {
 		res, err = db.Query(internalCtx, q, key)
 		if err == nil && res != nil && res.Count > 0 && len(res.Rows) > 0 && len(res.Rows[0]) > 0 {
 			if ns := getString(res.Rows[0][0]); ns != "" {
 				if g.mwCache != nil {
 					g.mwCache.SetAPIKeyNamespace(key, ns)
 				}
 				return ns, nil
 			}
 		}
 	}
 	return "", fmt.Errorf("invalid API key")
 }
 // isWebSocketUpgrade checks if the request is a WebSocket upgrade request
 func isWebSocketUpgrade(r *http.Request) bool {
--- a/pkg/gateway/rate_limiter.go
+++ b/pkg/gateway/rate_limiter.go
@ -6,13 +6,15 @@ import (
 	"strings"
 	"sync"
 	"time"
 	"github.com/DeBrosOfficial/network/pkg/auth"
 )
 // wireGuardNet is the WireGuard mesh subnet, parsed once at init.
 var wireGuardNet *net.IPNet
 func init() {
-	_, wireGuardNet, _ = net.ParseCIDR("10.0.0.0/8")
+	_, wireGuardNet, _ = net.ParseCIDR(auth.WireGuardSubnet)
 }
 // RateLimiter implements a token-bucket rate limiter per client IP.
@ -126,7 +128,7 @@ func (nrl *NamespaceRateLimiter) Allow(namespace string) bool {
 }
 // rateLimitMiddleware returns 429 when a client exceeds the rate limit.
-// Internal traffic from the WireGuard subnet (10.0.0.0/8) is exempt.
+// Internal traffic from the WireGuard subnet is exempt.
 func (g *Gateway) rateLimitMiddleware(next http.Handler) http.Handler {
 	if g.rateLimiter == nil {
 		return next
@ -170,7 +172,7 @@ func (g *Gateway) namespaceRateLimitMiddleware(next http.Handler) http.Handler {
 	})
 }
-// isInternalIP returns true if the IP is in the WireGuard 10.0.0.0/8 subnet
+// isInternalIP returns true if the IP is in the WireGuard subnet
 // or is a loopback address.
 func isInternalIP(ipStr string) bool {
 	// Strip port if present
@ -187,6 +189,5 @@ func isInternalIP(ipStr string) bool {
 	if ip.IsLoopback() {
 		return true
 	}
 	// 10.0.0.0/8 — WireGuard mesh
 	return wireGuardNet.Contains(ip)
 }
--- a/pkg/gateway/rate_limiter_test.go
+++ b/pkg/gateway/rate_limiter_test.go
@ -98,7 +98,9 @@ func TestIsInternalIP(t *testing.T) {
 	}{
 		{"10.0.0.1", true},
 		{"10.0.0.254", true},
-		{"10.255.255.255", true},
+		{"10.0.0.255", true},
 		{"10.0.1.1", false},      // outside /24 — VPS provider's internal range, not our WG mesh
 		{"10.255.255.255", false}, // outside /24
 		{"127.0.0.1", true},
 		{"192.168.1.1", false},
 		{"8.8.8.8", false},
--- a/pkg/ipfs/cluster.go
+++ b/pkg/ipfs/cluster.go
@ -1,6 +1,7 @@
 package ipfs
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"os"
@ -19,6 +20,7 @@ type ClusterConfigManager struct {
 	logger           *zap.Logger
 	clusterPath      string
 	secret           string
 	trustedPeersPath string // path to ipfs-cluster-trusted-peers file
 }
 // NewClusterConfigManager creates a new IPFS Cluster config manager
@ -46,12 +48,14 @@ func NewClusterConfigManager(cfg *config.Config, logger *zap.Logger) (*ClusterCo
 	}
 	secretPath := filepath.Join(dataDir, "..", "cluster-secret")
 	trustedPeersPath := ""
 	if strings.Contains(dataDir, ".orama") {
 		home, err := os.UserHomeDir()
 		if err == nil {
 			secretsDir := filepath.Join(home, ".orama", "secrets")
 			if err := os.MkdirAll(secretsDir, 0700); err == nil {
 				secretPath = filepath.Join(secretsDir, "cluster-secret")
 				trustedPeersPath = filepath.Join(secretsDir, "ipfs-cluster-trusted-peers")
 			}
 		}
 	}
@ -66,6 +70,7 @@ func NewClusterConfigManager(cfg *config.Config, logger *zap.Logger) (*ClusterCo
 		logger:           logger,
 		clusterPath:      clusterPath,
 		secret:           secret,
 		trustedPeersPath: trustedPeersPath,
 	}, nil
 }
@ -114,7 +119,15 @@ func (cm *ClusterConfigManager) EnsureConfig() error {
 	cfg.Cluster.Secret = cm.secret
 	cfg.Cluster.ListenMultiaddress = []string{fmt.Sprintf("/ip4/0.0.0.0/tcp/%d", clusterListenPort)}
 	cfg.Consensus.CRDT.ClusterName = "orama-cluster"
 	// Use trusted peers from file if available, otherwise fall back to "*" (open trust)
 	trustedPeers := cm.loadTrustedPeersWithSelf()
 	if len(trustedPeers) > 0 {
 		cfg.Consensus.CRDT.TrustedPeers = trustedPeers
 	} else {
 		cfg.Consensus.CRDT.TrustedPeers = []string{"*"}
 	}
 	cfg.API.RestAPI.HTTPListenMultiaddress = fmt.Sprintf("/ip4/0.0.0.0/tcp/%d", restAPIPort)
 	cfg.API.IPFSProxy.ListenMultiaddress = fmt.Sprintf("/ip4/127.0.0.1/tcp/%d", proxyPort)
 	cfg.API.IPFSProxy.NodeMultiaddress = fmt.Sprintf("/ip4/127.0.0.1/tcp/%d", ipfsPort)
@ -198,3 +211,89 @@ func (cm *ClusterConfigManager) createTemplateConfig() *ClusterServiceConfig {
 	cfg.Raw = make(map[string]interface{})
 	return cfg
 }
 // readClusterPeerID reads this node's IPFS Cluster peer ID from identity.json
 func (cm *ClusterConfigManager) readClusterPeerID() (string, error) {
 	identityPath := filepath.Join(cm.clusterPath, "identity.json")
 	data, err := os.ReadFile(identityPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to read identity.json: %w", err)
 	}
 	var identity struct {
 		ID string `json:"id"`
 	}
 	if err := json.Unmarshal(data, &identity); err != nil {
 		return "", fmt.Errorf("failed to parse identity.json: %w", err)
 	}
 	if identity.ID == "" {
 		return "", fmt.Errorf("peer ID not found in identity.json")
 	}
 	return identity.ID, nil
 }
 // loadTrustedPeers reads trusted peer IDs from the trusted-peers file (one per line)
 func (cm *ClusterConfigManager) loadTrustedPeers() []string {
 	if cm.trustedPeersPath == "" {
 		return nil
 	}
 	data, err := os.ReadFile(cm.trustedPeersPath)
 	if err != nil {
 		return nil
 	}
 	var peers []string
 	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
 		line = strings.TrimSpace(line)
 		if line != "" {
 			peers = append(peers, line)
 		}
 	}
 	return peers
 }
 // addTrustedPeer appends a peer ID to the trusted-peers file if not already present
 func (cm *ClusterConfigManager) addTrustedPeer(peerID string) error {
 	if cm.trustedPeersPath == "" || peerID == "" {
 		return nil
 	}
 	existing := cm.loadTrustedPeers()
 	for _, p := range existing {
 		if p == peerID {
 			return nil // already present
 		}
 	}
 	existing = append(existing, peerID)
 	return os.WriteFile(cm.trustedPeersPath, []byte(strings.Join(existing, "\n")+"\n"), 0600)
 }
 // loadTrustedPeersWithSelf loads trusted peers from file and ensures this node's
 // own peer ID is included. Returns nil if no trusted peers file exists.
 func (cm *ClusterConfigManager) loadTrustedPeersWithSelf() []string {
 	peers := cm.loadTrustedPeers()
 	// Try to read own peer ID and add it
 	ownID, err := cm.readClusterPeerID()
 	if err != nil {
 		cm.logger.Debug("Could not read own IPFS Cluster peer ID", zap.Error(err))
 		return peers
 	}
 	if ownID != "" {
 		if err := cm.addTrustedPeer(ownID); err != nil {
 			cm.logger.Warn("Failed to persist own peer ID to trusted peers file", zap.Error(err))
 		}
 		// Check if already in the list
 		found := false
 		for _, p := range peers {
 			if p == ownID {
 				found = true
 				break
 			}
 		}
 		if !found {
 			peers = append(peers, ownID)
 		}
 	}
 	return peers
 }
--- a/pkg/namespace/cluster_manager.go
+++ b/pkg/namespace/cluster_manager.go
@ -34,6 +34,11 @@ type ClusterManagerConfig struct {
 	IPFSAPIURL            string        // IPFS API URL (default: "http://localhost:4501")
 	IPFSTimeout           time.Duration // Timeout for IPFS operations (default: 60s)
 	IPFSReplicationFactor int           // IPFS replication factor (default: 3)
 	// TurnEncryptionKey is a 32-byte AES-256 key for encrypting TURN shared secrets
 	// in RQLite. Derived from cluster secret via HKDF(clusterSecret, "turn-encryption").
 	// If nil, TURN secrets are stored in plaintext (backward compatibility).
 	TurnEncryptionKey []byte
 }
 // ClusterManager orchestrates namespace cluster provisioning and lifecycle
@ -58,6 +63,9 @@ type ClusterManager struct {
 	// Local node identity for distributed spawning
 	localNodeID string
 	// AES-256 key for encrypting TURN secrets in RQLite (nil = plaintext)
 	turnEncryptionKey []byte
 	// Track provisioning operations
 	provisioningMu sync.RWMutex
 	provisioning   map[string]bool // namespace -> in progress
@ -108,6 +116,7 @@ func NewClusterManager(
 		ipfsAPIURL:            ipfsAPIURL,
 		ipfsTimeout:           ipfsTimeout,
 		ipfsReplicationFactor: ipfsReplicationFactor,
 		turnEncryptionKey:     cfg.TurnEncryptionKey,
 		logger:                logger.With(zap.String("component", "cluster-manager")),
 		provisioning:          make(map[string]bool),
 	}
@ -154,6 +163,7 @@ func NewClusterManagerWithComponents(
 		ipfsAPIURL:            ipfsAPIURL,
 		ipfsTimeout:           ipfsTimeout,
 		ipfsReplicationFactor: ipfsReplicationFactor,
 		turnEncryptionKey:     cfg.TurnEncryptionKey,
 		logger:                logger.With(zap.String("component", "cluster-manager")),
 		provisioning:          make(map[string]bool),
 	}
--- a/pkg/namespace/cluster_manager_webrtc.go
+++ b/pkg/namespace/cluster_manager_webrtc.go
@ -9,6 +9,7 @@ import (
 	"github.com/DeBrosOfficial/network/pkg/client"
 	"github.com/DeBrosOfficial/network/pkg/gateway"
 	"github.com/DeBrosOfficial/network/pkg/secrets"
 	"github.com/DeBrosOfficial/network/pkg/sfu"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
@ -51,13 +52,23 @@ func (cm *ClusterManager) EnableWebRTC(ctx context.Context, namespaceName, enabl
 	}
 	turnSecret := base64.StdEncoding.EncodeToString(secretBytes)
 	// Encrypt TURN secret before storing in RQLite
 	storedSecret := turnSecret
 	if cm.turnEncryptionKey != nil {
 		encrypted, encErr := secrets.Encrypt(turnSecret, cm.turnEncryptionKey)
 		if encErr != nil {
 			return fmt.Errorf("failed to encrypt TURN secret: %w", encErr)
 		}
 		storedSecret = encrypted
 	}
 	// 4. Insert namespace_webrtc_config
 	webrtcConfigID := uuid.New().String()
 	_, err = cm.db.Exec(internalCtx,
 		`INSERT INTO namespace_webrtc_config (id, namespace_cluster_id, namespace_name, enabled, turn_shared_secret, turn_credential_ttl, sfu_node_count, turn_node_count, enabled_by, enabled_at)
 		 VALUES (?, ?, ?, 1, ?, ?, ?, ?, ?, ?)`,
 		webrtcConfigID, cluster.ID, namespaceName,
-		turnSecret, DefaultTURNCredentialTTL,
+		storedSecret, DefaultTURNCredentialTTL,
 		DefaultSFUNodeCount, DefaultTURNNodeCount,
 		enabledBy, time.Now(),
 	)
@ -297,6 +308,7 @@ func (cm *ClusterManager) DisableWebRTC(ctx context.Context, namespaceName strin
 }
 // GetWebRTCConfig returns the WebRTC configuration for a namespace.
 // Transparently decrypts the TURN shared secret if it was encrypted at rest.
 func (cm *ClusterManager) GetWebRTCConfig(ctx context.Context, namespaceName string) (*WebRTCConfig, error) {
 	internalCtx := client.WithInternalAuth(ctx)
@ -309,6 +321,16 @@ func (cm *ClusterManager) GetWebRTCConfig(ctx context.Context, namespaceName str
 	if len(configs) == 0 {
 		return nil, nil
 	}
 	// Decrypt TURN secret if encrypted (handles plaintext passthrough for backward compat)
 	if cm.turnEncryptionKey != nil && secrets.IsEncrypted(configs[0].TURNSharedSecret) {
 		decrypted, decErr := secrets.Decrypt(configs[0].TURNSharedSecret, cm.turnEncryptionKey)
 		if decErr != nil {
 			return nil, fmt.Errorf("failed to decrypt TURN secret: %w", decErr)
 		}
 		configs[0].TURNSharedSecret = decrypted
 	}
 	return &configs[0], nil
 }
--- a/pkg/node/gateway.go
+++ b/pkg/node/gateway.go
@ -6,6 +6,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/DeBrosOfficial/network/pkg/gateway"
@ -13,6 +14,7 @@ import (
 	"github.com/DeBrosOfficial/network/pkg/ipfs"
 	"github.com/DeBrosOfficial/network/pkg/logging"
 	"github.com/DeBrosOfficial/network/pkg/namespace"
 	"github.com/DeBrosOfficial/network/pkg/secrets"
 	"go.uber.org/zap"
 )
@ -44,6 +46,18 @@ func (n *Node) startHTTPGateway(ctx context.Context) error {
 		clusterSecret = string(secretBytes)
 	}
 	// Read API key HMAC secret for hashing API keys before storage
 	apiKeyHMACSecret := ""
 	if secretBytes, err := os.ReadFile(filepath.Join(oramaDir, "secrets", "api-key-hmac-secret")); err == nil {
 		apiKeyHMACSecret = strings.TrimSpace(string(secretBytes))
 	}
 	// Read RQLite credentials for authenticated DB connections
 	rqlitePassword := ""
 	if secretBytes, err := os.ReadFile(filepath.Join(oramaDir, "secrets", "rqlite-password")); err == nil {
 		rqlitePassword = strings.TrimSpace(string(secretBytes))
 	}
 	gwCfg := &gateway.Config{
 		ListenAddr:           n.config.HTTPGateway.ListenAddr,
 		ClientNamespace:      n.config.HTTPGateway.ClientNamespace,
@ -57,7 +71,10 @@ func (n *Node) startHTTPGateway(ctx context.Context) error {
 		IPFSTimeout:          n.config.HTTPGateway.IPFSTimeout,
 		BaseDomain:           n.config.HTTPGateway.BaseDomain,
 		DataDir:              oramaDir,
 		RQLiteUsername:       "orama",
 		RQLitePassword:       rqlitePassword,
 		ClusterSecret:        clusterSecret,
 		APIKeyHMACSecret:     apiKeyHMACSecret,
 		WebRTCEnabled:        n.config.HTTPGateway.WebRTC.Enabled,
 		SFUPort:              n.config.HTTPGateway.WebRTC.SFUPort,
 		TURNDomain:           n.config.HTTPGateway.WebRTC.TURNDomain,
@ -73,6 +90,14 @@ func (n *Node) startHTTPGateway(ctx context.Context) error {
 	// Wire up ClusterManager for per-namespace cluster provisioning
 	if ormClient := apiGateway.GetORMClient(); ormClient != nil {
 		baseDataDir := filepath.Join(os.ExpandEnv(n.config.Node.DataDir), "..", "data", "namespaces")
 		// Derive TURN encryption key from cluster secret (nil if no secret available)
 		var turnEncKey []byte
 		if clusterSecret != "" {
 			if key, keyErr := secrets.DeriveKey(clusterSecret, "turn-encryption"); keyErr == nil {
 				turnEncKey = key
 			}
 		}
 		clusterCfg := namespace.ClusterManagerConfig{
 			BaseDomain:            n.config.HTTPGateway.BaseDomain,
 			BaseDataDir:           baseDataDir,
@ -81,6 +106,7 @@ func (n *Node) startHTTPGateway(ctx context.Context) error {
 			IPFSAPIURL:            gwCfg.IPFSAPIURL,
 			IPFSTimeout:           gwCfg.IPFSTimeout,
 			IPFSReplicationFactor: n.config.Database.IPFS.ReplicationFactor,
 			TurnEncryptionKey:     turnEncKey,
 		}
 		clusterManager := namespace.NewClusterManager(ormClient, clusterCfg, n.logger.Logger)
 		clusterManager.SetLocalNodeID(gwCfg.NodePeerID)
--- a/pkg/rqlite/adapter.go
+++ b/pkg/rqlite/adapter.go
@ -16,8 +16,13 @@ type RQLiteAdapter struct {
 // NewRQLiteAdapter creates a new adapter that provides sql.DB interface for RQLite
 func NewRQLiteAdapter(manager *RQLiteManager) (*RQLiteAdapter, error) {
-	// Use the gorqlite database/sql driver
+	// Build DSN with optional basic auth credentials
-	db, err := sql.Open("rqlite", fmt.Sprintf("http://localhost:%d?disableClusterDiscovery=true&level=none", manager.config.RQLitePort))
+	dsn := fmt.Sprintf("http://localhost:%d?disableClusterDiscovery=true&level=none", manager.config.RQLitePort)
 	if manager.config.RQLiteUsername != "" && manager.config.RQLitePassword != "" {
 		dsn = fmt.Sprintf("http://%s:%s@localhost:%d?disableClusterDiscovery=true&level=none",
 			manager.config.RQLiteUsername, manager.config.RQLitePassword, manager.config.RQLitePort)
 	}
 	db, err := sql.Open("rqlite", dsn)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open RQLite SQL connection: %w", err)
 	}
--- a/pkg/rqlite/instance_spawner.go
+++ b/pkg/rqlite/instance_spawner.go
@ -31,6 +31,7 @@ type InstanceConfig struct {
 	JoinAddresses  []string // Addresses to join (e.g., ["192.168.1.2:10001"])
 	DataDir        string   // Data directory for this instance
 	IsLeader       bool     // Whether this is the first node (creates cluster)
 	AuthFile       string   // Path to RQLite auth JSON file. Empty = no auth enforcement.
 }
 // Instance represents a running RQLite instance
@ -91,6 +92,11 @@ func (is *InstanceSpawner) SpawnInstance(ctx context.Context, cfg InstanceConfig
 		"-raft-leader-lease-timeout", "2s",
 	)
 	// RQLite HTTP Basic Auth
 	if cfg.AuthFile != "" {
 		args = append(args, "-auth", cfg.AuthFile)
 	}
 	// Add join addresses if not the leader (must be before data directory)
 	if !cfg.IsLeader && len(cfg.JoinAddresses) > 0 {
 		for _, addr := range cfg.JoinAddresses {
--- a/pkg/rqlite/process.go
+++ b/pkg/rqlite/process.go
@ -137,6 +137,13 @@ func (r *RQLiteManager) launchProcess(ctx context.Context, rqliteDataDir string)
 		"-raft-leader-lease-timeout", raftLeaderLease.String(),
 	)
 	// RQLite HTTP Basic Auth — when auth file exists, enforce authentication
 	if r.config.RQLiteAuthFile != "" {
 		r.logger.Info("Enabling RQLite HTTP Basic Auth",
 			zap.String("auth_file", r.config.RQLiteAuthFile))
 		args = append(args, "-auth", r.config.RQLiteAuthFile)
 	}
 	if r.config.RQLiteJoinAddress != "" && !r.hasExistingState(rqliteDataDir) {
 		r.logger.Info("First-time join to RQLite cluster", zap.String("join_address", r.config.RQLiteJoinAddress))
--- a/pkg/secrets/encrypt.go
+++ b/pkg/secrets/encrypt.go
@ -0,0 +1,98 @@
 // Package secrets provides application-level encryption for sensitive data stored in RQLite.
 // Uses AES-256-GCM with HKDF key derivation from the cluster secret.
 package secrets
 import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"strings"
 	"golang.org/x/crypto/hkdf"
 )
 // Prefix for encrypted values to distinguish from plaintext during migration.
 const encryptedPrefix = "enc:"
 // DeriveKey derives a 32-byte AES-256 key from the cluster secret using HKDF-SHA256.
 // The purpose string provides domain separation (e.g., "turn-encryption").
 func DeriveKey(clusterSecret, purpose string) ([]byte, error) {
 	if clusterSecret == "" {
 		return nil, fmt.Errorf("cluster secret is empty")
 	}
 	reader := hkdf.New(sha256.New, []byte(clusterSecret), nil, []byte(purpose))
 	key := make([]byte, 32)
 	if _, err := io.ReadFull(reader, key); err != nil {
 		return nil, fmt.Errorf("HKDF key derivation failed: %w", err)
 	}
 	return key, nil
 }
 // Encrypt encrypts plaintext with AES-256-GCM using the given key.
 // Returns a base64-encoded string prefixed with "enc:" for identification.
 func Encrypt(plaintext string, key []byte) (string, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return "", fmt.Errorf("failed to create cipher: %w", err)
 	}
 	gcm, err := cipher.NewGCM(block)
 	if err != nil {
 		return "", fmt.Errorf("failed to create GCM: %w", err)
 	}
 	nonce := make([]byte, gcm.NonceSize())
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		return "", fmt.Errorf("failed to generate nonce: %w", err)
 	}
 	// nonce is prepended to ciphertext
 	ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
 	return encryptedPrefix + base64.StdEncoding.EncodeToString(ciphertext), nil
 }
 // Decrypt decrypts an "enc:"-prefixed ciphertext string with AES-256-GCM.
 // If the input is not prefixed with "enc:", it is returned as-is (plaintext passthrough
 // for backward compatibility during migration).
 func Decrypt(ciphertext string, key []byte) (string, error) {
 	if !strings.HasPrefix(ciphertext, encryptedPrefix) {
 		return ciphertext, nil // plaintext passthrough
 	}
 	data, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(ciphertext, encryptedPrefix))
 	if err != nil {
 		return "", fmt.Errorf("failed to decode ciphertext: %w", err)
 	}
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return "", fmt.Errorf("failed to create cipher: %w", err)
 	}
 	gcm, err := cipher.NewGCM(block)
 	if err != nil {
 		return "", fmt.Errorf("failed to create GCM: %w", err)
 	}
 	nonceSize := gcm.NonceSize()
 	if len(data) < nonceSize {
 		return "", fmt.Errorf("ciphertext too short")
 	}
 	nonce, sealed := data[:nonceSize], data[nonceSize:]
 	plaintext, err := gcm.Open(nil, nonce, sealed, nil)
 	if err != nil {
 		return "", fmt.Errorf("decryption failed (wrong key or corrupted data): %w", err)
 	}
 	return string(plaintext), nil
 }
 // IsEncrypted returns true if the value has the "enc:" prefix.
 func IsEncrypted(value string) bool {
 	return strings.HasPrefix(value, encryptedPrefix)
 }