# MemorDesk - Full Documentation

> MemorDesk is an AI meeting assistant that auto-records, transcribes, and summarizes
> Zoom, Google Meet, and Microsoft Teams meetings. Its built-in AI assistant, Kojo,
> answers questions about meetings, action items, and decisions.

This file contains the complete MemorDesk documentation in raw Markdown.

MemorDesk has two front-ends sharing one account:

- Desktop app at /dashboard (left sidebar navigation).
- Mobile app at /m (bottom navigation bar: Home, Meetings, Kojo, Memory, Tasks).

Navigation steps below give BOTH locations. Pick the one matching the user's device.

Individual articles are also available at /docs/.md.

## Contents

### Getting Started

- Getting Started with MemorDesk (/docs/getting-started.md): Create an account, connect a meeting, and let Kojo record and summarize it.
- The Mobile App (/docs/mobile-app.md): How the /m mobile app is laid out: bottom nav, top bar, and bottom sheets.

### Meetings

- Recording and Scheduling Meetings (/docs/recording-meetings.md): Send the AI note taker to a live call or schedule it for a future meeting.
- Viewing, Exporting, and Sharing Meetings (/docs/viewing-meetings.md): Open a meeting, read the transcript, and export or share the summary.

### Intelligence

- Using Kojo, the AI Assistant (/docs/kojo-assistant.md): Ask Kojo about your meetings, navigate the app, and tune how it responds.
- Action Items and Decisions (/docs/action-items-decisions.md): Track tasks and decisions extracted automatically from your meetings.
- Memory and Search (/docs/memory-and-search.md): Search everything across your meetings and add documents for Kojo to use.

### Account

- Plans and Credits (/docs/plans-and-credits.md): How credits work and what each plan includes.
- Settings Reference (/docs/settings.md): Where to find every setting on desktop and mobile.
- Integrations and Developer API (/docs/integrations.md): Connect Google Calendar and Slack, and set up API keys and webhooks.
- Workspaces and Teams (/docs/workspaces-and-teams.md): Personal vs team workspaces, inviting members, and stakeholder seats.

### Architecture

- GraphRAG Memory Engine (/docs/graphrag-memory-engine.md): How MemorDesk builds a temporal knowledge graph from your meetings using vector embeddings, entity extraction, and bi-temporal relationship tracking.
- Security Architecture (/docs/security-architecture.md): Dead refresh token circuit breakers, password forensics, credit holds, bot deduplication, IP allowlists, and intrusion detection.

# Getting Started with MemorDesk

MemorDesk auto-records, transcribes, and summarizes your meetings, then lets you ask **Kojo** (the built-in AI assistant) anything about them.

There are two ways to use MemorDesk:

- **Desktop app** at `/dashboard` - a full workspace with a left sidebar.
- **Mobile app** at `/m` - a streamlined app with a bottom navigation bar.

You sign in once; the app detects your device and routes you to the right experience.

## 1. Create your account

1. Go to [memordesk.com](https://memordesk.com) and choose **Sign Up**.
2. Continue with Google, or use email and password.
3. You start on the **Free** plan with a personal workspace.

## 2. Record your first meeting

You do not install anything in the meeting. MemorDesk sends an AI note taker that joins the call.

**Desktop:** Sidebar > **Meetings** > **Send Note Taker** card > paste the Zoom, Google Meet, or Microsoft Teams link > **Send Note Taker**.

**Mobile:** Bottom nav > **Home** > **Quick** button > paste the meeting link > **Send Assistant**.

The note taker joins, records, and generates a summary, action items, and decisions when the meeting ends.

## 3. Review the results

Open the meeting from **Meetings** (desktop sidebar) or the **Meetings** tab (mobile bottom nav). Each meeting page has the summary, full transcript, action items, and decisions.

## 4. Ask Kojo

Open Kojo and ask in plain language, for example "What did we decide about the budget?"
or "What are my action items this week?".

- **Desktop:** Sidebar > **Chat Kojo**.
- **Mobile:** Tap the orange **Kojo** button in the centre of the bottom navigation bar.

Navigation and how-to questions are free. Questions that analyze your meeting data use a small number of credits.

## Next steps

- Connect your calendar so the note taker can auto-join: see [Integrations](/docs/integrations).
- Learn the mobile app: see [The Mobile App](/docs/mobile-app).
- Understand credits and plans: see [Plans and Credits](/docs/plans-and-credits).

---

# The Mobile App

The MemorDesk mobile app lives at `/m` and is built for quick actions on the go. It is a different layout from the desktop app, so the navigation steps below replace the desktop "left sidebar" instructions.

## Bottom navigation bar

The bottom bar is always visible and has five items:

| Item | Opens | Path |
|------|-------|------|
| **Home** | Your day: next meeting, upcoming, recent meetings | `/m` |
| **Meetings** | All recorded meetings | `/m/meetings` |
| **Kojo** (centre orange button) | The Kojo AI chat | `/m/assistant` |
| **Memory** | Your knowledge base and documents | `/m/memory` |
| **Tasks** | Action items and decisions | `/m/tasks` |

## Top bar

- The **profile avatar** is on the **left**. Tap it to open **Profile** (credits, plan, integrations, sessions, sign out).
- The **workspace chip** next to the avatar switches between Personal and Team workspaces.
- The **top-right pill** holds, left to right: **Search**, **Theme toggle**, **Notifications**, and **Settings** (gear).

## Actions use bottom sheets

Most actions slide up from the bottom as a sheet rather than opening a new page:

- **Send the note taker:** Home > **Quick** button.
- **Schedule a meeting:** Home > **Schedule** button.
- **Change a task's status:** Tasks > tap the task > pick a status in the sheet.
- **Switch workspace:** tap the workspace chip in the top bar.
## What opens the desktop view

A few advanced screens do not have a dedicated mobile layout yet. Opening them from **Settings** (gear icon) loads the desktop page in your mobile browser:

- Meeting Settings, Knowledge Base, Live Meetings, Developer Settings, and Workspace.

Everything else is fully native to the mobile app.

---

# Recording and Scheduling Meetings

MemorDesk records meetings by sending an AI note taker (Kojo) into the call. It works with **Zoom**, **Google Meet**, and **Microsoft Teams**.

## Record a meeting happening now

**Desktop:** Sidebar > **Meetings** > **Send Note Taker** card > paste the meeting URL > optional title > **Send Note Taker**.

**Mobile:** Bottom nav > **Home** > **Quick** button > paste the meeting URL > **Send Assistant**.

The note taker joins within a few seconds, records, and produces a summary, action items, and decisions after the meeting ends.

## Schedule for a future meeting

**Desktop:** Sidebar > **Meetings** > **Schedule a Meeting** card > enter the URL, title, date, time, and timezone > optional recurrence and attendees > **Schedule Meeting**.

**Mobile:** Bottom nav > **Home** > **Schedule** button > enter the URL, title, date, and time > **Schedule**.

## Auto-join from your calendar

Connect Google Calendar (see [Integrations](/docs/integrations)) and MemorDesk lists your upcoming meetings. Toggle the assistant on or off per meeting:

- **Desktop:** the **Upcoming Meetings** section on the Meetings page.
- **Mobile:** the **Upcoming Meetings** list on the Home tab; use the switch on each card.

## Meeting length limits

| Plan | Max length per meeting |
|------|------------------------|
| Free | 60 minutes |
| Lite | 120 minutes |
| Pro, Team, Business | Unlimited |

See [Plans and Credits](/docs/plans-and-credits) for details.

---

# Viewing, Exporting, and Sharing Meetings

## Open a meeting

**Desktop:** Sidebar > **Meetings** > click a meeting card. Filter with the **Today / This Week / This Month** buttons or the search bar.

**Mobile:** Bottom nav > **Meetings** > tap a meeting (or open one from **Recent Meetings** on the Home tab). Use the search icon in the top-right to find a specific meeting.

Each meeting page shows the **summary**, full **transcript**, **action items**, and **decisions**.

## Export a meeting

**Desktop:** Open the meeting > **Export** button in the top-right action bar > choose **PDF**, **DOCX**, **TXT**, **Markdown**, or **JSON** > choose whether to include the transcript.

**Mobile:** Open the meeting > **Export** action > pick a format in the sheet. The file is saved or shared through your phone's share sheet.

## Share a meeting

**Desktop:** Open the meeting > **Share** button > copy the public link (toggle whether it includes the transcript).

**Mobile:** Open the meeting > **Share** action > copy the link or send it through the native share sheet.

Anyone with the share link can view the summary without a MemorDesk account.

## Rename or delete

**Desktop:** On the meeting page, hover the title and click the pencil to rename; use the three-dot menu to delete. Deletion is permanent.

---

# Using Kojo, the AI Assistant

**Kojo** is MemorDesk's meeting intelligence assistant. It answers questions about your meetings, finds action items, explains features, and navigates the app.

## Open Kojo

- **Desktop:** Sidebar > **Chat Kojo** (`/dashboard/assistant`).
- **Mobile:** the orange **Kojo** button in the centre of the bottom navigation bar (`/m/assistant`).

## What you can ask

- "What did we decide about the launch date?"
- "What are my open action items this week?"
- "Summarize my meetings from this week."
- "How do I export a meeting?" (navigation and how-to answers are free)

## Focus Kojo on one meeting or time range

**Desktop:** in the chat input, use **Select Source** to pick a time range (Today / This Week / This Month) or a specific meeting.

## Conversations

Your past chats are saved.

- **Desktop:** the conversation list is in the left panel.
Use the three-dot menu on a conversation to rename, pin, or delete it; **+ New Chat** starts a fresh one.
- **Mobile:** open the **history drawer** (history icon top-left, or swipe in from the left edge). Use the three-dot menu to rename or delete; the **+** icon top-right starts a new chat.

## Tune how Kojo responds

Open AI settings and adjust Response Style (Concise / Balanced / Thorough), Cite Sources, Follow-up Suggestions, Custom Vocabulary, Names and Aliases, and Custom Instructions.

- **Desktop:** Settings > **AI** (`/dashboard/settings/ai`).
- **Mobile:** Settings (gear icon) > **AI Customization** (`/m/profile/ai-settings`).

## Credits

Each data question costs 1 to 3 credits depending on complexity and your Response Style. Navigation and how-to questions are free. See [Plans and Credits](/docs/plans-and-credits).

---

# Action Items and Decisions

MemorDesk extracts **action items** (tasks) and **decisions** from every meeting automatically.

## Action items

**Desktop:** Sidebar > **Action Items** (`/dashboard/action-items`). Filter by status (All / Pending / In Progress / Completed / Overdue), by owner, or "My tasks only". To change a status, click the status badge on a row.

**Mobile:** Bottom nav > **Tasks** (`/m/tasks`). The top tabs are **Tasks**, **Mine**, **By Meeting**, and **Decisions**. Use the status pills to filter and the search icon to find items. Tap a task to open its detail sheet and pick a new status (Open / In progress / Blocked / Done). Select multiple tasks with their checkboxes to bulk-update.

You can send tasks to Slack from the task list once Slack is connected.

## Decisions

Decisions are logged from your meeting summaries with a status: **Open**, **Implemented**, **Reversed**, or **Blocked**.

**Desktop:** Sidebar > **Decisions** (`/dashboard/decisions`). Filter by status.

**Mobile:** Bottom nav > **Tasks** > the **Decisions** tab. Tap a decision's status pill to cycle it.

---

# Memory and Search

Your **Memory** is the searchable knowledge built from all your meetings, plus any documents you upload. Under the hood, every meeting is processed into a knowledge graph -- see [GraphRAG Memory Engine](/docs/graphrag-memory-engine) for the full technical architecture.

## Browse memory

- **Desktop:** Sidebar > **Memory** (`/dashboard/memory`).
- **Mobile:** Bottom nav > **Memory** (`/m/memory`).

## Upload a document for Kojo

**Desktop:** Memory page > **Upload Document** > pick a PDF, DOCX, or TXT file.

**Mobile:** Memory tab > use the upload control > pick a file from your phone.

Once uploaded, Kojo can reference the document's content when answering.

## Global search

Search across meetings, action items, decisions, and notes.

- **Desktop:** the search bar in the centre of the top bar.
- **Mobile:** the search icon in the top-right pill of the top bar.

## What is indexed

Control what is searchable in **Settings > Knowledge** (desktop) or **Settings (gear) > Knowledge Base** (mobile): meeting transcripts, action items, decisions, and cross-meeting insights.

## Memory window by plan

How far back Kojo can draw from when answering questions:

| Plan | Knowledge window |
|------|-----------------|
| Free | 14 days |
| Lite | 21 days |
| Pro | Unlimited |
| Team | Unlimited |
| Business / Enterprise | Unlimited |

Meetings outside your window remain stored but are excluded from Kojo's context and search results until you upgrade.

## How search works

MemorDesk uses vector similarity search: each paragraph of each meeting is converted to a 384-dimensional embedding by a locally-running AI model. Search returns results ranked by semantic meaning, not keyword overlap. You can search for concepts ("budget concerns from last sprint") and get matches even when the exact words do not appear in the transcript.

Each user's search index is partition-isolated -- queries can never cross into another user's data even under simultaneous load.

---

# Plans and Credits

## Credits

Credits are the currency for AI operations.

**What uses credits:**

- Asking Kojo about your meetings (1 to 3 credits, depending on complexity and Response Style)
- Generating a voice recap (3 credits, once per meeting, charged only on success)
- "Improve with AI" on custom instructions (1 credit)

**What is free:**

- Navigation and how-to questions
- Replaying a voice recap
- Viewing meetings, transcripts, summaries, action items, and decisions

Monthly plan credits reset each billing cycle and do not roll over. Purchased top-up credits never expire and are used after plan credits.

## Check your balance and buy credits

**Desktop:** click your **profile avatar** in the top-right > the balance shows in the dropdown > **Top Up** or **Upgrade Plan**.

**Mobile:** tap your **profile avatar** in the top-left > **Profile** > the **Credits** card > **Buy More Credits** (paid plans) or **Upgrade to buy credits** (Free plan).

## Plans

| Plan | Monthly credits | Highlights |
|------|-----------------|------------|
| **Free** | 180 | 3 meetings/month, core summaries, 60-min meetings, community support |
| **Lite** | 300 | Elastic top-ups, 120-min meetings, standard support |
| **Pro** | 480 | Voice recaps, 2 stakeholder seats, custom vocabulary, unlimited length |
| **Team** | 1,500 per seat | Team workspaces, departmental analytics, 5+ stakeholder seats |
| **Business** | Unmetered | SSO, audit logs, unlimited seats, dedicated support |

Toggle **Yearly** on the [Pricing page](/pricing) to save 15 percent. Business is custom-priced; use **Contact Sales**.

---

# Settings Reference

## Open settings

- **Desktop:** Sidebar > **Settings**, or the profile avatar (top-right) > **Settings**. Tabs run down the left.
- **Mobile:** the **gear icon** in the top-right pill.
## Settings map

| Area | Desktop path | Mobile location |
|------|--------------|-----------------|
| **Profile** (name, avatar) | `/dashboard/settings/profile` | Profile > Edit Profile |
| **AI** (Kojo behavior) | `/dashboard/settings/ai` | Settings > AI Customization |
| **Notifications** | `/dashboard/settings/notifications` | Settings > Notifications |
| **Meetings** (recording defaults) | `/dashboard/settings/meetings` | Settings > Meeting Settings |
| **Live** (in-meeting assistant) | `/dashboard/settings/live` | Settings > Live Meetings |
| **Knowledge** (indexing, retention) | `/dashboard/settings/knowledge` | Settings > Knowledge Base |
| **Developer** (API keys, webhooks) | `/dashboard/settings/developer` | Settings > Developer Settings |
| **Workspace** (members, roles) | `/dashboard/settings/workspace` | Settings > Workspace |
| **Security** (2FA, sign-in methods) | `/dashboard/settings/security` | Settings > Account |
| **Voice** (recap voice) | `/dashboard/settings/voice` | opens the desktop view |

On mobile, a few advanced areas (Meeting, Knowledge, Live, Developer, Workspace, Voice) open the desktop page in your browser; the rest are native mobile screens.

## AI settings highlights

- **Summary Style:** length (Brief / Medium / Detailed), tone (Casual / Professional / Formal), timestamps, speaker names.
- **Response Behavior:** Response Style (Concise / Balanced / Thorough), Cite Sources, Follow-up Suggestions.
- **Custom Vocabulary** (Pro): teach the transcriber your terms; append `:N` (1 to 10) to boost a term, for example `TensorFlow:3`.
- **Names and Aliases:** so Kojo recognises you in transcripts.
- **Custom Instructions:** permanent directions Kojo always follows.

---

# Integrations and Developer API

## Connect apps

**Desktop:** Sidebar > **Integrations** (`/dashboard/integrations`), or Settings > Integrations.

**Mobile:** profile avatar (top-left) > **Profile** > **Integrations** (`/m/profile/integrations`).

Available connections include **Google Calendar** (auto-join upcoming meetings) and **Slack** (send action items and summaries to channels or people).

## API keys

**Desktop:** Settings > **Developer** (`/dashboard/settings/developer`) > **Create API Key**. The full key is shown once; copy it immediately. Keys use a prefix like `md_sk_...`. Revoke a key anytime.

**Mobile:** Settings (gear) > **Developer Settings** (opens the desktop page).

```bash
# Example: send the note taker to a meeting using your API key
curl -X POST https://memordesk.com/api/recall/bot \
  -H "Authorization: Bearer md_sk_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "meetingUrl": "https://meet.google.com/abc-defg-hij" }'
```

## Webhooks

Register a URL in Developer settings to receive POST events:

- Meeting Started, Meeting Ended
- Transcript Ready, Summary Ready
- Action Item Created, Decision Recorded

Use the **Test** button to send a sample payload and confirm your endpoint works.

---

# Workspaces and Teams

A **workspace** holds all your meetings, action items, decisions, and Kojo conversations.

- **Personal Space:** every account has one; only you can see it.
- **Team Workspace:** shared; everyone in it sees all meetings and Kojo can draw on the whole team's knowledge.

Team workspaces with multiple members need the **Team** or **Business** plan.

## Switch workspace

- **Desktop:** the workspace name in the top-left of the header > pick a workspace.
- **Mobile:** the workspace chip next to your avatar in the top bar > pick from the sheet.

## Invite members

**Desktop:** Sidebar > **Teams**, or Settings > **Workspace** > **Invite Member** > enter an email and role (Member or Admin).

**Mobile:** Home tab > the **Add Team** card > enter an email and send. Full member management opens from Settings (gear) > Workspace.

## Roles

- **Admin:** full access including workspace settings, billing, and member management.
- **Member:** access to all meetings and features, but cannot change workspace settings or billing.
- **Viewer / Stakeholder:** read-only access to shared meetings and can query the knowledge base via Kojo. Pro includes 2 stakeholder seats; Team includes 5 or more; Business is unlimited.

---

# GraphRAG Memory Engine

MemorDesk does not store meeting transcripts as flat text. Every meeting is processed into a **knowledge graph** that connects people, projects, decisions, and blockers across time. When you ask Kojo a question, the answer is assembled from this graph -- not from a keyword search.

## How it works end-to-end

### 1. Semantic chunking

After each transcript is cleaned, a semantic chunking module splits it into coherent paragraphs. Each paragraph is then embedded by MemorDesk's locally-hosted embedding model, producing a high-dimensional cosine-normalized vector. The model runs entirely on MemorDesk's servers, and your content is never sent to a third-party embedding API.

**Desktop:** Settings > **Knowledge** (`/dashboard/settings/knowledge`) -- controls which meetings are indexed.

**Mobile:** Settings (gear) > **Knowledge Base** -- same controls on the native screen.

### 2. Vector search with partition isolation

Chunk and entity vectors are stored in a dedicated vector index. Every search is pinned to either your personal account or your organization's team space. There is no cross-user scanning: partition isolation is **structural**, enforced at query time by mandatory filter predicates. One user's embeddings are physically unreachable by another user's query, regardless of application-layer bugs.

Search scopes:

| Scope | What is searched |
|-------|-----------------|
| Personal | Only your own meetings and documents |
| Team | Only your organization's shared meetings |
| All | Both personal and team partitions (no cross-user leakage) |

### 3. Entity extraction

MemorDesk extracts six entity types from each meeting:

| Type | Examples |
|------|---------|
| PERSON | Meeting participants, mentioned stakeholders |
| PROJECT | Product names, initiatives |
| FEATURE | Specific capabilities or deliverables |
| TOOL | Software and services discussed |
| DECISION | Choices made during the meeting |
| BLOCKER | Open risks, dependencies, or blockers |

Each entity is committed to the knowledge graph with full provenance back to the source meetings.

### 4. Bi-temporal relationship tracking

Every edge in the graph carries start and end timestamps. When a relationship changes (e.g. a decision is reversed, a person changes role), the old edge is closed and a new edge is opened. The graph is a full historical record, not a snapshot.

This means Kojo can answer questions anchored to a point in time: "What did we decide about the API contract three weeks ago?" returns the state of the graph at that date, not the current state.

### 5. Graph walk and retrieval

When you ask Kojo a question, retrieval runs in four steps:

1. **Embed the query** -- the same local embedding model converts your question into a vector.
2. **Seed entity search** -- top-5 entity matches by cosine similarity, scoped to your partition.
3. **Graph walk** -- a graph traversal engine performs a breadth-first traversal up to 3 hops from each seed entity. This step is vector-free: it traverses the relationship graph directly.
4. **Chunk retrieval** -- top-12 transcript chunks filtered to the meeting IDs the graph walk surfaced, retrieved by vector similarity.

The result is a structured context block injected into the LLM prompt.

### 6. User context summary

Each user has a working memory layer maintained by the memory engine:

- **Active projects** -- current initiatives you are involved in
- **Key people** -- frequent collaborators
- **Open blockers** -- unresolved risks from recent meetings
- **Recent decisions** -- decisions made in the last knowledge window
- **Context summary** -- a free-text summary injected into every Kojo prompt

This is the layer that makes Kojo feel context-aware even at the start of a new conversation.

### 7. Memory window and plan gating

| Plan | Knowledge window |
|------|-----------------|
| Free | 14 days |
| Lite | 21 days |
| Pro, Team, Business, Enterprise | Unlimited |

**Desktop:** Settings > **Knowledge** (`/dashboard/settings/knowledge`) -- shows your current window and indexed meeting count.

**Mobile:** Settings (gear) > **Knowledge Base**.

## Provision and scaling

Dedicated partitions are provisioned automatically at signup. New partitions require no manual intervention and add no overhead to other users' queries.

---

# Security Architecture

MemorDesk implements several non-obvious security patterns that go beyond standard SaaS practices. This article documents them for security-conscious teams.

## Dead Refresh Token Circuit Breaker

Most web apps retry on a 401 Unauthorized response. When an authentication session is invalidated (rotated, revoked, or expired), retrying produces a cascade of 401s that each trigger another refresh attempt -- creating a request storm and often causing rate-limit errors.

MemorDesk's session management layer detects the specific error conditions that indicate a token is permanently invalid. On any of these, it immediately clears all session cookies and redirects to the sign-in page. There is no retry. The rate-limit storm never starts.

## Password Forensics Without Plaintext

MemorDesk's intrusion log captures failed login attempts for analysis, but **plaintext passwords are never stored** -- not even temporarily.

When a failed login is recorded, a non-reversible cryptographic fingerprint is computed from the attempted password. Only a short segment of this fingerprint and the password length are retained. The plaintext is discarded immediately.

This fingerprint lets security reviewers detect credential-stuffing patterns -- "the same password was tried against 800 different accounts" -- without reconstructing or leaking the actual password. The fingerprint is not reversible.

## Credit Holds for Concurrent Execution Safety

Credits are MemorDesk's billing unit for AI operations (meeting processing, Kojo queries, voice recaps). A naive deduction model has a race condition: two simultaneous jobs both read the user's balance as sufficient, both proceed, and the user ends up overdrawn.

MemorDesk solves this with a **credit hold** pattern borrowed from payment processing:

1. Before starting a job, a temporary reservation is placed against the expected credit cost with an automatic expiration window.
2. Credit availability checks include active holds in the balance calculation.
3. On job completion, the hold is consumed and the actual deduction is recorded in the immutable transaction ledger.
4. On job failure, the hold is released. Credits are never deducted for failed jobs.
5. Expired holds collapse automatically, providing a safety valve if a job hangs indefinitely.

**Desktop:** profile avatar (top-right) > the credit balance dropdown shows your available balance net of holds.

**Mobile:** profile avatar (top-left) > **Profile** > **Credits** card.

## Shared Bot Session Deduplication (Team+ Plans)

When two calendar events in the same organization share the same meeting URL, a naive system would send two bots -- one per event. This causes two identical bots to appear in the meeting simultaneously, wasting provider cost and confusing participants.

MemorDesk's calendar ingestion engine checks for an existing active bot session matching a meeting URL before dispatching a new one.
If a bot is already in the session, the second event is attached to the same session rather than triggering a new join.

This deduplication is active for **Team, Business, and Enterprise** plans.

## Intrusion Detection and Observe Mode

MemorDesk records every rejected auth attempt with network telemetry including IP address, geographic data, device information, and a non-reversible password fingerprint.

Automated detection rules evaluate patterns after each logged attempt:

| Rule | Condition | Action |
|------|-----------|--------|
| IP rate threshold | Repeated failed authentication from a single IP address within a short window | Automatic IP block |
| Coordinated attack | Multiple distinct IP addresses targeting the same account within a defined time window | Admin dashboard security alert |

**Observe mode:** By default, detection rules evaluate against live traffic and log projected enforcement decisions without blocking any requests. Enforcement mode is enabled separately after verifying rule accuracy against production traffic.

**Desktop:** Admin panel > **Security** (`/admin/security`). Visible to administrator roles only.

## IP Allowlist with Automatic Fail-Closed Semantics

The admin access control layer supports IP-based allowlisting for administrative routes.

- **No entries configured:** all IPs are allowed (safe default during setup).
- **Any entry present:** only listed IPs are allowed. Adding the first entry instantly switches from fail-open to fail-closed with no additional flag to set.

Blocked IPs receive a `404 Not Found` response to avoid leaking the existence of the admin surface. CIDR notation is supported for IP range entries.

## Three-Layer Admin Defense

Every request to admin routes passes through three independent gates:

1. **IP allowlist** -- evaluated first when IP allowlisting is enabled. Returns 404 on block.
2. **Authentication** -- must have a valid active session.
3. **Role check** -- confirms the requesting user holds an administrator role. Cached briefly to reduce database load.

## Session and Device Tracking

Every authenticated device is registered with its device fingerprint, platform, OS, IP address, user agent, and last-seen timestamp. Administrators can revoke any device session remotely.

**Desktop:** Settings > **Security** (`/dashboard/settings/security`) > active sessions list.

**Mobile:** profile avatar (top-left) > **Profile** > scroll to **Sessions**.
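
The five-step hold lifecycle from "Credit Holds for Concurrent Execution Safety" can be sketched as follows. This is an added example, not MemorDesk's own code: the SQLite schema, the `CreditStore` class, the 300-second expiration window, and the choice to reject consumption of an expired hold are all assumptions made for illustration.

```python
import sqlite3
import time
from contextlib import contextmanager

# Hypothetical schema for this example only.
SCHEMA = """
CREATE TABLE accounts (user_id TEXT PRIMARY KEY, balance INTEGER NOT NULL);
CREATE TABLE holds (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL,
                    amount INTEGER NOT NULL, expires_at REAL NOT NULL,
                    state TEXT NOT NULL DEFAULT 'active');
CREATE TABLE ledger (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL,
                     delta INTEGER NOT NULL, reason TEXT NOT NULL);
"""


class InsufficientCredits(Exception):
    pass


class CreditStore:
    def __init__(self, hold_ttl=300.0, clock=time.time):
        # isolation_level=None: transactions are opened and closed explicitly below.
        self.db = sqlite3.connect(":memory:", isolation_level=None)
        self.db.executescript(SCHEMA)
        self.hold_ttl = hold_ttl      # assumed expiration window, in seconds
        self.clock = clock

    @contextmanager
    def _tx(self):
        # BEGIN IMMEDIATE takes the write lock up front, so the balance check and
        # the insert that follows cannot interleave with another writer.
        self.db.execute("BEGIN IMMEDIATE")
        try:
            yield
            self.db.execute("COMMIT")
        except BaseException:
            self.db.execute("ROLLBACK")
            raise

    def add_account(self, user_id, balance):
        self.db.execute("INSERT INTO accounts VALUES (?, ?)", (user_id, balance))

    def available(self, user_id):
        # Step 2: balance net of active holds. Expired holds drop out of the sum
        # on their own (step 5); no cleanup job is needed for correctness.
        row = self.db.execute(
            "SELECT a.balance - COALESCE((SELECT SUM(h.amount) FROM holds h "
            "WHERE h.user_id = a.user_id AND h.state = 'active' AND h.expires_at > ?), 0) "
            "FROM accounts a WHERE a.user_id = ?", (self.clock(), user_id)).fetchone()
        if row is None:
            raise KeyError(user_id)
        return row[0]

    def place_hold(self, user_id, amount):
        # Step 1: reserve the expected cost before the job starts.
        with self._tx():
            if self.available(user_id) < amount:
                raise InsufficientCredits(user_id)
            cur = self.db.execute(
                "INSERT INTO holds (user_id, amount, expires_at) VALUES (?, ?, ?)",
                (user_id, amount, self.clock() + self.hold_ttl))
            return cur.lastrowid

    def _close(self, hold_id, new_state):
        # A hold can leave the 'active' state once, and only before it expires.
        cur = self.db.execute(
            "UPDATE holds SET state = ? WHERE id = ? AND state = 'active' AND expires_at > ?",
            (new_state, hold_id, self.clock()))
        return cur.rowcount == 1

    def consume(self, hold_id, actual_cost, reason):
        # Step 3: close the hold and record the real deduction in the ledger.
        with self._tx():
            row = self.db.execute(
                "SELECT user_id FROM holds WHERE id = ?", (hold_id,)).fetchone()
            if row is None or not self._close(hold_id, "consumed"):
                raise LookupError("hold is missing, expired, or already closed")
            self.db.execute("UPDATE accounts SET balance = balance - ? WHERE user_id = ?",
                            (actual_cost, row[0]))
            self.db.execute("INSERT INTO ledger (user_id, delta, reason) VALUES (?, ?, ?)",
                            (row[0], -actual_cost, reason))

    def release(self, hold_id):
        # Step 4: a failed job gives the reservation back; nothing reaches the ledger.
        return self._close(hold_id, "released")

    def ledger(self, user_id):
        return self.db.execute(
            "SELECT delta, reason FROM ledger WHERE user_id = ? ORDER BY id",
            (user_id,)).fetchall()
```

With a balance of 5 and two jobs that each expect to cost 3, the first `place_hold` succeeds and the second raises `InsufficientCredits`, which is the overdraw the naive read-then-deduct model allows.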
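
The fingerprinting from "Password Forensics Without Plaintext" and the two rules from "Intrusion Detection and Observe Mode" can be combined in one detector, shown here as an added example that is not MemorDesk's code. The keyed HMAC-SHA256 construction, the 8-character segment, every threshold, and the constructed sample events are assumptions; the page specifies none of them.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumptions for this example: the fingerprint is keyed with a server-side secret
# (the page only says "non-reversible cryptographic fingerprint"), and every
# threshold below is a placeholder value.
FINGERPRINT_KEY = b"constructed-demo-key"   # constructed; load from a secret store
SEGMENT_HEX_CHARS = 8
WINDOW_SECONDS = 60
IP_FAIL_THRESHOLD = 5
DISTINCT_IP_THRESHOLD = 3


def password_fingerprint(attempted):
    """Return (short fingerprint segment, password length); nothing else is kept."""
    # Keying matters: with an unkeyed truncated hash plus the length, anyone who
    # reads the log could confirm guesses from a common-password list.
    digest = hmac.new(FINGERPRINT_KEY, attempted.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:SEGMENT_HEX_CHARS], len(attempted)


class Detector:
    def __init__(self, enforce=False):
        self.enforce = enforce                 # False = observe mode (the default)
        self.blocked_ips = set()
        self.decisions = []                    # projected or enforced actions
        self._by_ip = defaultdict(deque)       # ip -> (ts, account) inside the window
        self._by_account = defaultdict(deque)  # account -> (ts, ip) inside the window
        self._accounts_by_fp = defaultdict(set)
        self._flagged = set()                  # one decision per (rule, subject)

    def record_failure(self, ts, ip, account, attempted_password):
        fp = password_fingerprint(attempted_password)
        del attempted_password                 # plaintext is not stored anywhere
        self._accounts_by_fp[fp].add(account)
        ip_hits = self._slide(self._by_ip[ip], ts, account)
        account_hits = self._slide(self._by_account[account], ts, ip)
        if len(ip_hits) >= IP_FAIL_THRESHOLD:
            self._decide("ip_rate_threshold", ip, "block_ip")
        if len({src for _, src in account_hits}) >= DISTINCT_IP_THRESHOLD:
            self._decide("coordinated_attack", account, "alert_admin")

    @staticmethod
    def _slide(window, ts, value):
        # Append the new event, then drop events that fell out of the time window.
        window.append((ts, value))
        while window[0][0] <= ts - WINDOW_SECONDS:
            window.popleft()
        return window

    def _decide(self, rule, subject, action):
        if (rule, subject) in self._flagged:
            return
        self._flagged.add((rule, subject))
        # Observe mode logs what would have happened and blocks nothing.
        if self.enforce and action == "block_ip":
            self.blocked_ips.add(subject)
        self.decisions.append({"rule": rule, "subject": subject,
                               "action": action, "enforced": self.enforce})

    def stuffing_candidates(self, min_accounts):
        """Fingerprints seen against at least min_accounts distinct accounts."""
        return {fp: len(accts) for fp, accts in self._accounts_by_fp.items()
                if len(accts) >= min_accounts}


# Constructed sample events: (timestamp, source IP, account, attempted password).
SAMPLE_EVENTS = (
    [(float(i), "203.0.113.7", f"user{i}@example.com", "Summer2024!") for i in range(5)]
    + [(100.0 + i, f"198.51.100.{i + 1}", "alice@example.com", f"guess-{i}")
       for i in range(3)]
)


def replay(events, enforce=False):
    detector = Detector(enforce=enforce)
    for event in events:
        detector.record_failure(*event)
    return detector
```

Because only a short segment is kept, two different passwords can share a fingerprint; a match across many accounts is a lead for review rather than proof that the same password was used.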
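
The allowlist semantics and the gate order from "IP Allowlist with Automatic Fail-Closed Semantics" and "Three-Layer Admin Defense" are sketched below as an added example, not MemorDesk's implementation. The `AdminGate` class, the `role_lookup` callable, the 30-second role cache, and the 401/403 statuses for the second and third gates are assumptions; the page states only the 404 for blocked IPs.

```python
import ipaddress
import time


class AdminGate:
    def __init__(self, allowlist_entries, role_lookup, role_ttl=30.0, clock=time.monotonic):
        # CIDR entries and single addresses both parse as networks; strict=False
        # accepts entries written with host bits set, such as "203.0.113.5/24".
        self.networks = [ipaddress.ip_network(e, strict=False) for e in allowlist_entries]
        self.role_lookup = role_lookup   # hypothetical: user id -> role name or None
        self.role_ttl = role_ttl         # assumed length of the "brief" role cache
        self.clock = clock
        self._role_cache = {}            # user id -> (role, fetched_at)

    def ip_allowed(self, remote_ip):
        if not self.networks:
            return True                  # no entries configured: all IPs allowed
        try:
            addr = ipaddress.ip_address(remote_ip)
        except ValueError:
            return False                 # unparseable source: treat as not listed
        # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return any(addr in network for network in self.networks)

    def _role(self, user):
        now = self.clock()
        cached = self._role_cache.get(user)
        if cached is not None and now - cached[1] < self.role_ttl:
            return cached[0]
        role = self.role_lookup(user)
        self._role_cache[user] = (role, now)
        return role

    def check(self, remote_ip, session_user):
        """Return (HTTP status, gate that decided). session_user=None means no session."""
        if not self.ip_allowed(remote_ip):
            return 404, "ip_allowlist"       # same answer as a route that does not exist
        if session_user is None:
            return 401, "authentication"     # status code is an assumption
        if self._role(session_user) != "admin":
            return 403, "role_check"         # status code is an assumption
        return 200, "ok"
```

Two consequences of these semantics are worth checking in any deployment that follows them: removing the last allowlist entry returns the gate to allowing all IPs, and a role removed from a user stays effective until the cached entry ages out.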