Security
Honest posture, no marketing varnish. What’s shipped to production, what’s in progress, and what’s on the roadmap. Every claim points to the code or runbook where you can verify it.
Shipped 17 | In progress 15 | Planned 6
Network
TLS 1.2+ everywhere
Shipped: Cloudflare Full (Strict) → Traefik → app container
Origin CA certificates
Shipped: Traefik validates Cloudflare-issued origin certs; no self-signed
DDoS protection
Shipped: Cloudflare network-level
Authentication
Supabase Auth (managed)
Shipped: JWT validation server-side; getUser() called per request, never getSession()
API key tier with rate limits
Shipped: Per-tenant key issuance + per-key rate buckets
SSO (SAML + OIDC)
Planned: Okta / Azure AD / Google / generic OIDC
MFA enforcement (TOTP + WebAuthn)
In progress: Strict + relaxed configs
IP allowlists + geo restrictions
In progress: CIDR allowlist + country block/allow lists
Session management
In progress: Idle timeout, revoke-all-sessions admin tool
Data protection
Encryption at rest
Shipped: Supabase Postgres + S3 SSE-S3
Encryption in transit
Shipped: TLS 1.2+ to every external service
Row-level security (RLS)
Shipped: Every customer table has tenant_slug RLS policy
Data residency
In progress: US-east-1 only today (Supabase + AWS Lightsail). EU / APAC / US-Gov region presets are on the roadmap.
Secret rotation policy
In progress: Bridge SSH keys + AI API keys + service-role keys
Audit
Tenant-scoped audit log
In progress: API job submission + admin retry are recorded; orchestrator lifecycle not wired
Agent identity tracking
In progress: actor_is_agent + agent_run_id columns exist on sf_factory_audit_events
Job cancellation + audit
Shipped: Cooperative cancel writes audit row
Compliance
SOC 2 Type II evidence collection
Planned: 7 evidence kinds we plan to automate; no module yet
ISO 27001 control mapping
Planned: Control mapping to A.9 / A.12 / A.18 — on the roadmap, no module yet
GDPR DSAR workflow
Planned: Art. 15 / 17 / 20 workflow — on the roadmap, no module yet
HIPAA-friendly mode
In progress: PHI tagging + BAA-only provider gating
EU AI Act transparency
In progress: Per-file AI confidence + DAG trace exports
FedRAMP Moderate gap analysis
Planned: AC-2, IR-4 mapped; SSO + SCIM gates open
CJIS readiness
Planned: Personnel training program
Generated code
Pre-commit secret scanning
Shipped: Gitleaks blocks commits with hardcoded secrets
SAST (static analysis)
In progress: 11 Semgrep-style rules on generated code: crypto, injection, secrets, eval, etc.
Dependency vulnerability scanning
In progress: npm audit + pip-audit gate; critical = block
License compliance
In progress: Allow MIT/ISC/Apache; deny AGPL; flag copyleft
Reproducible builds
In progress: Lockfile verification + integrity hashes
SLSA L2 provenance
In progress: in-toto attestation per artifact with cosign-compatible signing
Operations
Daily backup verification
In progress: Restore-to-temp-db smoke test
Disaster recovery runbook
Shipped: 4 scenarios: DB failure, all-bridges-down, data corruption, security incident. RTO 15 min target
Evidence: lib/factory/observability/dr-checklist.ts
Chaos engineering harness
Shipped: 6 scenarios (AI timeout, bridge crash, DB blip, slow network, etc.) — staging only
Bridge node isolation
Shipped: Per-job workspace, snapshot before destructive ops, network isolation
Job cancellation + audit
Shipped: Cooperative cancel writes audit row
Responsible disclosure
Responsible disclosure program
Shipped: [email protected] + 24h acknowledgment SLA
Bug bounty payouts
Shipped: Critical $5k–$25k, High $1.5k–$5k, Medium $400–$1.5k, Low $100–$400
Responsible disclosure
Found a security issue? Email [email protected]. PGP key at /.well-known/security-pgp.asc.
- 24-hour acknowledgment SLA
- Safe harbor for good-faith research
- Bounty eligible for in-scope findings
- Hall of fame for first reporters
In-scope assets
- ooretz.space (and *.ooretz.space)
- api.ooretz.space
- The ooretz npm package
Out of scope
- Social engineering / phishing
- Physical attacks
- Volumetric DoS
- Issues in third-party vendors (Stripe, Supabase) — report directly to them
- Generated end-user apps (they’re separate products)