Security & Governance
Enterprise controls by default
Built to support regulated workloads with policy enforcement, audit logs, and end-to-end observability.
Identity, RBAC, and tenancy
Secure access and strong tenant boundaries for enterprise operation.
- Supabase authentication for secure login and session management
- Tenant boundaries enforced at the API gateway and policy layer
- Role-based access control aligned to enterprise IAM patterns
OPA policy-as-code
Centralized runtime enforcement without application rewrites.
- OPA/Rego policies for backend allowlists and provider restrictions
- Spend ceilings, quotas, and routing constraints enforced at runtime
- Policy decision logs captured per request for auditability
Audit trails and evidence
Audit-ready operations with immutable logs and replay.
- Postgres-backed immutable audit logs for workflows, runs, and admin actions
- Workflow versioning, diffs, and rollback to reduce change risk
- Evidence suitable for internal controls and compliance programs
Observability and incident response
Full-stack traceability for debugging and forensics.
- OpenTelemetry traces across agents, tools, and backends
- Metrics dashboards for latency, error rates, routing choices, and cost allocation
- Run-level event streaming for rapid diagnosis and replay
Controls & evidence matrix
A procurement-friendly mapping from control objectives to mechanisms and the artifacts you can export from the run evidence viewer.
| Control objective | Mechanism | Evidence artifact |
|---|---|---|
| Tenant isolation | Tenant-scoped JWT + server-side tenant enforcement | Run metadata (tenant_id) + immutable audit events |
| Policy enforcement | OPA decision point for allow/deny, budgets, allowlists | Stored policy decision bundle (inputs + reason codes) |
| Change control | Workflow versioning with deterministic replay | Evidence PDF includes workflow + policy hashes |
| Auditability | Postgres-backed audit_event append-only timeline | Run evidence viewer + branded PDF export |
| Observability | OpenTelemetry trace IDs + stage-by-stage events | Audit timeline includes trace_id references |
Compliance posture
Designed to support common security and compliance programs through auditability, access control, and governance-by-default. Publish formal attestations (e.g., SOC 2 / ISO 27001) only after completing the relevant audits.