Security posture dashboard
Each control is named, claimed, and evidenced. No claim is made without code + test backing. Partial controls are honestly labelled.
Row-level security on every customer table
in place: supabase/migrations/0008_r43_pilot_sessions_and_radar_runs.sql + 0009_r44_environments_first_class.sql both enable RLS with auth.uid() = user_id policies.
Anon key only in client; service-role key never bundled
in place: @supabase/ssr client uses NEXT_PUBLIC_SUPABASE_ANON_KEY. Service-role identifier is built dynamically in honesty tests to avoid literal in source.
Audit log refuses JWT / Bearer / password / secret / privileged-key shapes
in place: lib/agentproof/audit/workspace_audit_event_v2.ts ships FORBIDDEN_PATTERNS rejection at the repository boundary.
Invitation short-id shown ONCE and never echoed afterwards
in place: POST /api/workspace/invitations returns token_short_id_show_once exactly once. GET strips token_hash from every response.
/api/health/deep checks env-var PRESENCE only, never values
in place: app/api/health/deep/route.ts maps each probe to {present: boolean, safe_summary}. No value field present.
AI Radar reads only approved sources — no broad crawling
in place: R13-A radar source registry locks the source list. Adaptation requires the human approval gate before report impact.
Connectors read-only by default with least-privilege scopes
in place: Microsoft connector reads metadata only. No business-data extraction. No source-code requirement. Documented in connector registry.
Membership / invitation / audit_v2 Supabase adapter selector
partial: Model + in-memory adapter ship; Supabase adapter wiring follows the R43 selector pattern when activated. Storage source honestly labelled local_cache_only until then.