Jallarhorn
Security

Security

How Jallarhorn™ is built. What is enforced in code today, and what we do not yet claim. We list gaps with the same weight as strengths, because "not yet" is the honest answer more often than any security page admits.

Authentication

JWT HS256 sessions with a 256-bit signing secret. On sign-in the token is set in an httpOnly, Secure, SameSite cookie; the single-page app also keeps a copy in localStorage for XHR Authorization headers (moving to cookie-only is on our hardening list). Passwords are hashed with bcrypt at a current cost factor. The shared-secret ingest path uses constant-time comparison; per-sensor API keys are stored only as SHA-256 hashes and matched by hash.

Transport

TLS on every public endpoint, terminated by Caddy with automatic certificate management. HSTS with a 1-year max-age, includeSubDomains, and the preload directive set. Modern cipher suites only; no TLS 1.0/1.1. Farm-to-control links authenticate with a shared secret over TLS; mutual-TLS client certificates are on the roadmap.

Data at rest

All persistent data lives on encrypted VPS disks. Database credentials are scoped per service. Metric data is tenant-scoped in every query path; cross-tenant access returns 9999 forbidden at the stored-procedure layer, not just in the route handler.

API keys

Only the SHA-256 hash of an API key is stored server-side. The plaintext is shown exactly once, at creation. Keys are scoped to a tenant and a set of permissions, and they are revocable from the UI and the API. Lookups are by hash; the plaintext key never touches the database.

Supply chain

Every release artifact is signed with cosign using our release key (key-based, not a third-party transparency log); the public key is at jallarhorn.com/cosign.pub. SPDX SBOMs are produced by syft and published next to each artifact. Verification instructions are in the download docs. Container images on jallarhorn.com are signed with the same key.

SSO — every plan

LDAP with group-to-role mapping. SAML tested against Entra ID, Okta, and Google Workspace with six-claim attribute mapping. OIDC for any compliant provider. No SAML-is-an-upsell pricing — SSO is included on every plan, Free included.

Audit logs

Authentication events, configuration changes, and admin actions are written to an audit table. Append-only checksum-chained storage is on the roadmap. Operators can export the audit log on demand via the REST API.

Rate limiting

Per-tenant and per-IP token buckets on the auth routes and on the write paths. Login throttling with exponential back-off on failure. Notification dispatch has its own quota to prevent runaway alert loops.

Invite-only registration

Hosted Jallarhorn does not offer open signup at the tenant level. Tenants are provisioned at purchase; users are invited by an admin with a scoped role and an expiring invite token. Self-hosted installs follow the same pattern by default.

What we do not yet have

We would rather be honest about gaps than market around them.

  • No SOC 2 attestation. We have not run a SOC 2 Type II audit. We also have not started a gap analysis with Vanta or Drata. If your procurement requires SOC 2, Jallarhorn does not meet that bar today.
  • No HIPAA BAA. Trellis Digital Services LLC does not sign Business Associate Agreements. Jallarhorn is not a HIPAA-compliant offering. Self-host if you need ePHI isolation.
  • No completed third-party penetration test report. Internal review and dependency scanning happen on every release; a public pentest attestation is on the roadmap but unscheduled.
  • No append-only audit log yet. Audit rows are in a regular relational table. Checksum-chained append-only storage is tracked as a Q3 2026 item.
  • No scale benchmark. We have not published a 5,000-sensor or 100,000-device load test. Claims you see elsewhere in the space are usually unverified; ours will be published with the workload and hardware specification when they are measured.

Open-source components

Jallarhorn stands on a long list of open-source projects. The table below lists every direct runtime dependency with its license. A full SPDX SBOM is published for every tagged release and attached to the GitHub release artifacts (run syft against the Jallarhorn Docker image if you need to verify the claim yourself). Transitive dependencies are covered by the same SBOM.

Component Role License
PostgreSQL 16Primary store for accounts, alerts, devices, configPostgreSQL (permissive)
TimescaleDB CommunityTime-series hypertables for metricsApache 2.0 (Community Edition)
NATS + JetStreamSensor-to-control event queue, durable consumersApache 2.0
Standard runtimeAll three executables (control, sensor, farm) ship as single static binariesBSD-3-Clause
GinHTTP router inside jallarhorn-controlMIT
pgx/v5PostgreSQL driverMIT
bboltEmbedded key-value store for sensor WALMIT
Payment processor SDKBilling integrationMIT
SAML, OIDC, LDAP librariesSSO providers (SAML, OIDC, LDAP)BSD-2-Clause / Apache 2.0 / MIT
gosnmp, gopacket, pro-bingSNMP, packet capture, ICMPBSD-3-Clause / MIT
gofpdfSLA PDF report generationMIT
cosign + syftRelease signing and SBOM generationApache 2.0
React 18 + TypeScriptDashboard SPAMIT
ViteDashboard build toolMIT
recharts, @xyflow/react, leafletCharts, topology graphs, maps in the DashboardMIT
LucideIcon set (the only icon library Jallarhorn uses)ISC
Inter, Space GroteskTypography (via Google Fonts)SIL Open Font License 1.1

A corrected or amended list can be requested via support@jallarhorn.com.

Report a vulnerability

Email support@jallarhorn.com. We acknowledge within one business day, set a disclosure timeline with you, and credit you in the release notes if you want the credit.