Security and governance

Security decisions remain server-owned and scope-bound.

Browser visibility is not an authorisation boundary. Protected routes, application services and repository predicates re-evaluate identity, tenant, project and permission context where the operation requires it.

Browser visibility is not an authorisation boundary. Protected routes, application services and repository predicates re-evaluate identity, tenant, project and permission context where the operation requires it.
Security and governance
Tenant and Project form the active security context.

Tenant separates organisations and data. Project selects membership, schema and execution scope within the tenant. The active Project is a signed server-validated session decision, not a cosmetic filter.

Session registry is authoritative after sign-in.

Each authenticated request must match an active actor-bound registry JTI, tenant and user state, current-policy lifetime, idle timeout and active Project context. Registry failure, missing signing material, revocation or identity mismatch fails closed rather than falling back to anonymous or stale browser context.

SAML is delivered with explicit boundaries.

Tenant SAML metadata, login and ACS, external identity linking/JIT, domain policy and IdP-asserted MFA evidence are implemented. Endpoint generation uses the server-owned public origin and AuthnRequest correlation uses short-lived signed provider/request-bound state.

RLS and runtime filters are not interchangeable.

Analytics RLS is server-owned and protected. A client runtime filter cannot forge RLS origin metadata, and cache identities include permission and RLS scope rather than relying on SQL text alone.

Secrets stay outside generic evidence.

Credentials, tokens, authorisation headers, private keys and signed URL material do not belong in public metadata, chat prompts or generic audit payloads. Masked text is not an executable credential. When a workflow requires one-time credential disclosure, the reveal is bounded, encrypted in transit/storage as configured, short-lived and recorded without persisting the revealed secret in generic evidence.

Tenant and Project form the active security context.

Tenant separates organisations and data. Project selects membership, schema and execution scope within the tenant. The active Project is a signed server-validated session decision, not a cosmetic filter.

Session registry is authoritative after sign-in.

Each authenticated request must match an active actor-bound registry JTI, tenant and user state, current-policy lifetime, idle timeout and active Project context. Registry failure, missing signing material, revocation or identity mismatch fails closed rather than falling back to anonymous or stale browser context.

Project change is a CSRF-protected server action that reissues context without extending the original token or policy expiry.

Logout is a CSRF-protected POST; password change/reset and account deletion revoke active sessions.

JSON requests receive structured authentication failure and cookie deletion; browser navigation clears context before redirect.

SAML is delivered with explicit boundaries.

Tenant SAML metadata, login and ACS, external identity linking/JIT, domain policy and IdP-asserted MFA evidence are implemented. Endpoint generation uses the server-owned public origin and AuthnRequest correlation uses short-lived signed provider/request-bound state.

SAML does not create Project membership; the user still needs authorised tenant and project access.

Application-level TOTP, WebAuthn, recovery challenges and complete session inventory/revoke-all UI are not current capabilities.

Unsupported password-MFA policy is rejected rather than stored as a false control.

RLS and runtime filters are not interchangeable.

Analytics RLS is server-owned and protected. A client runtime filter cannot forge RLS origin metadata, and cache identities include permission and RLS scope rather than relying on SQL text alone.

Secrets stay outside generic evidence.

Credentials, tokens, authorisation headers, private keys and signed URL material do not belong in public metadata, chat prompts or generic audit payloads. Masked text is not an executable credential. When a workflow requires one-time credential disclosure, the reveal is bounded, encrypted in transit/storage as configured, short-lived and recorded without persisting the revealed secret in generic evidence.

Current IAM strength is stated precisely.

Module-specific permission contracts exist, but a universal persisted negative-permission and platform-wide DENY-wins merge is not complete. Application MFA and step-up behaviour must not be implied beyond the current identity-provider and session controls.

Next step

Start with the flow that cannot afford ambiguity.

Bring the systems, owners, rules, delivery obligations and evidence requirements that matter.

Discuss a critical flow