Tenant isolation
Every tenant-owned query filters by the authenticatedteam_id. Data access goes through repositories, and service methods own transactions. A 404 response must not reveal whether another tenant owns the requested identifier.
Credentials
- API keys are scoped, hash-only at rest, revocable, and shown once.
- Console users authenticate through Clerk and receive a server-resolved workspace identity.
- Provider OAuth grants are managed by Nango; the browser receives only a Connect Session token.
- MCP source locators store a symbolic or encrypted reference, not a secret.
- Sandbox credentials remain in the control plane and are exposed only through one-use, policy-bound broker grants.
Acquisition
HTTP acquisition enforces SSRF controls, URL and redirect policy, response limits, and registered adapters. Search and map results are discovery leads, not evidence. Remote MCP sources require HTTPS and intersect requested capabilities with those advertised by the server.Evidence and AI
Every AI-facing output citesevidence_ids. Models do not perform the authoritative structural diff. Remediation input is limited to explicit evidence and target files, and output must pass path, hash, secret, and size validation.
Execution
Arbitrary repository code is never executed by onboarding. Executable candidates become disabled definitions. Only approved immutable versions may enter the separately configured sandbox worker, and provider outage never permits a weaker isolation profile.Secret handling checklist
- Store production secrets in Vault or platform secret management.
- Give each process only the keys it needs.
- Never put secrets in URLs, logs, command arguments, frontend bundles, run plans, or committed examples.
- Rotate any credential found in git history; deleting the current file is insufficient.
- Verify webhook signatures over the exact bounded request body before parsing.