Example
Ifgateway.auth.mode is off, the audit will flag it as a critical issue and suggest switching to token auth.
IMPORTANT: Read this before running the audit
Security posture, pairing rules, and recommended setups are covered in Security and pairing. This document focuses on the audit command output.Secure-by-default defaults
Moldable ships with secure defaults and expects you to opt in to higher-risk settings only when you understand the tradeoffs.- Public access is off by default and requires TLS if you opt in.
Run the audit
Apply safe fixes
--fix applies safe config changes and tightens local file permissions.
What it checks
- Config file and state directory presence
- Auth disabled (unsupported)
- TLS disabled on non-loopback binds
- Public access without TLS
- Missing auth token
- HTTP auth token requirements for HTTP endpoints
- Channel credentials or tokens missing/default
- Channel credentials and open DM policies without allowlist
- WhatsApp verify token
- Group policy disabled
- Node pairing not required
- Safety prompt disabled or metadata redaction off
- Permissions on config/state/data directories (chmod 600/700)