Default deny. Zero-trust. Everything verified, everything logged. Security is not a feature layer — it is the foundation.
Every request authenticated. Every action authorised. No implicit trust between system components. Default deny on all access decisions.
Data encrypted at rest and in transit. HTTPS enforced. TLS required. No plaintext data in storage or transmission.
Strict namespace separation per organisation. No cross-tenant data access. Enforced at storage, execution, and audit layers independently.
No direct storage access permitted. All file reads and writes use short-lived signed URLs. No credentials ever exposed to UI or logs.
SQL injection, prompt injection, code injection, and command injection protections applied at every system boundary. Schema validation enforced on all inputs.
No secrets in UI, logs, or version control. Secure encrypted environment storage with rotation enforced. Short-lived JWT tokens throughout.
The About → Security page covers the complete security model, including the threat model, layers, and authentication tokens.