Owner: Darrell Buttigieg
All Rights Reserved
Agent Amigos is designed to run entirely locally with no external access:
- Backend: `http://127.0.0.1:8080` (localhost only)
- Frontend: `http://localhost:5174` (localhost only)
- No remote connections are allowed or supported
- CORS is restricted to localhost origins only
- No external domains can access the API
When going live, access must be limited to paid subscribers only. The plan below provides layered controls (identity, API enforcement, and operational guardrails).
- Frontend gate: Require sign-in (subscriber account) before exposing the app UI.
- API gate: Enforce a server-side token for all non-public endpoints.
Backend switch:

```
AMIGOS_SUBSCRIBER_GATING=true
AMIGOS_SUBSCRIBER_TOKEN=<strong-random-token>
```

All protected endpoints require `X-Subscriber-Token` (or `Authorization: Bearer <token>`).
Public endpoints remain limited to marketing and public metrics only.
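
One way the API gate above could be enforced, shown as an added example rather than Agent Amigos' own code: a framework-agnostic check that accepts either header, compares tokens in constant time, and fails closed when gating is on but no token is configured. The public path prefixes, the function names and the sample token are assumptions made for illustration.

```python
import hmac
import os
import posixpath

# Assumption: hypothetical public prefixes; the page only says public
# endpoints are limited to marketing and public metrics.
PUBLIC_PREFIXES = ("/public/marketing", "/public/metrics")


def _presented_token(headers):
    """Return the token from X-Subscriber-Token or Authorization: Bearer."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-subscriber-token", "").strip()
    if token:
        return token
    scheme, _, value = lowered.get("authorization", "").partition(" ")
    return value.strip() if scheme.lower() == "bearer" else ""


def check_request(path, headers, env=None):
    """Return 200 (allow), 401 (missing/bad token) or 503 (misconfigured)."""
    env = os.environ if env is None else env
    if env.get("AMIGOS_SUBSCRIBER_GATING", "").strip().lower() != "true":
        return 200  # gating switched off (local-only mode)
    # Collapse "../" segments so a crafted path cannot pose as a public one.
    path = posixpath.normpath(path)
    if any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES):
        return 200
    expected = env.get("AMIGOS_SUBSCRIBER_TOKEN", "")
    if not expected:
        return 503  # fail closed: gating on but no token configured
    presented = _presented_token(headers)
    # compare_digest avoids leaking the match position through timing.
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return 200 if ok else 401


if __name__ == "__main__":
    # Constructed sample configuration, not a real token.
    env = {"AMIGOS_SUBSCRIBER_GATING": "true",
           "AMIGOS_SUBSCRIBER_TOKEN": "constructed-sample-token"}
    # Non-subscriber test from the go-live gate: no token must be rejected.
    print("no token:", check_request("/api/chat", {}, env))
    good = {"Authorization": "Bearer constructed-sample-token"}
    print("subscriber:", check_request("/api/chat", good, env))
```
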
- Enforce HTTPS only (TLS) for the API and frontend.
- Redirect all HTTP to HTTPS at the hosting layer.
- Restrict API access to the production frontend origin(s).
- If possible, add IP allowlists for admin access.
- Rate-limit authentication and sensitive endpoints.
- Add basic WAF rules for common abuse patterns.
- Log authentication failures and unusual request spikes.
- Track subscriber access with request IDs for incident response.
- Store subscriber data encrypted at rest.
- Rotate tokens and keys on a scheduled basis.
Go-live gate: Do not enable production traffic until the subscriber-only gate is enabled and validated with a non-subscriber test.
| Protection | Status |
|---|---|
| Localhost binding | Enforced |
| CORS restriction | Enabled |
| No remote access | Verified |
| Local data storage | All files local |
| Sensitive files gitignored | Configured |
- `.env` files (API keys)
- `*.pem`, `*.key` (certificates)
- `credentials.json`, `secrets.json`
- `*.db`, `*.sqlite` (databases)
- Log files with sensitive data
Add these to your VS Code settings.json for enhanced security:
```json
{
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.untrustedFiles": "prompt",
  "security.allowedUNCHosts": [],
  "remote.downloadExtensionsLocally": true,
  "terminal.integrated.allowWorkspaceConfiguration": false,
  "git.autoRepositoryDetection": "subFolders",
  "files.exclude": {
    "**/.env": true,
    "**/*.pem": true,
    "**/credentials.json": true
  }
}
```
- Start Backend:

  ```
  cd backend
  python agent_init.py
  ```

  Verify: `Running on http://127.0.0.1:8080`
- Start Frontend:

  ```
  cd frontend
  npm run dev
  ```

  Verify: `localhost:5174`
- Check Security Status:
  - Click the security button in the app header
  - All checks should be green
  - Review any recommendations
- Store API keys in `.env` files
- Never commit API keys to git
- Use environment variables
- Firewall: Block inbound connections to ports 8080, 5174
- Use only on trusted networks
- Disable when not in use
- Restrict AgentAmigos folder access to your user only
- Don't run as Administrator unless necessary
- Click security button regularly
- Review console outputs for anomalies
- Check for unauthorized file access
If the security indicator turns red:
- Stop all services immediately
- Check console for error messages
- Review the security panel recommendations
- Verify no external processes are accessing files
- Restart services after fixing issues
If you suspect a security breach:
- Disconnect from network
- Stop all Agent Amigos processes
- Check logs for unauthorized access
- Rotate any exposed API keys
- Review file modification timestamps
This installation is owned and secured by:
Darrell Buttigieg
All files, configurations, and data in this project are the property of the owner. Unauthorized access, copying, or distribution is prohibited.
Last Updated: Auto-generated by Agent Amigos Security System