Appearance
Security
The short version: passwordless auth, org-scoped everything, attributed writes, revocable links.
Authentication
- Passwordless only: Google, GitHub (verified-email policy), magic links, passkeys (WebAuthn). There is no password to phish, reuse, or leak.
- Two-factor: TOTP, enforced for Admin/Owner roles; recovery codes provided.
- Sessions: httpOnly cookies (JWT, 30-day rolling expiry); revoking a session invalidates it immediately. API keys are scoped and revocable.
Isolation
- Every read and write is scoped to one organization at the service layer — not in the client, not by convention. Objects outside your org return
404, never leaking existence. - Snippets are
privateorteam. A public link exposes exactly one snippet read-only; rotating or deleting makes the old link404immediately.
Attribution & audit
- Every mutation writes an audit event in the same transaction: actor, door (
ui · cli · mcp · http), agent attribution (via Claude), verb, object, timestamp. - Gated moves are human-only; agent attempts are rejected and recorded.
Data handling
- Logs never contain email addresses, snippet bodies, or tokens.
- Webhooks/integrations (GitHub, Slack) use per-integration credentials with the minimum scopes; sign-in OAuth and integration OAuth are separate clients.
Reporting
Found something? Open a security advisory on the repository or use the contact on the console's settings page — we acknowledge within 48 hours during the beta.