Built for production from day one.

Per-row HMAC-SHA256 signed by the server secret + prev_row_hmac chain. Tamper-evident against both row modification AND deletion, even by a DBA with raw table access.

64 MiB memory, 3 iterations, parallelism 4. Password policy: min 12 chars, 3-of-4 character classes, ~1,500 denylist entries.

Every WebSocket frame signed. Replay guard (±60s + nonce + monotonic seq). Session-bound frames. SignatureError closes the socket with code 4403.

__Host-prefixed CSRF cookie + X-CSRF-Token header required on every mutating endpoint. Constant-time comparison.

HttpOnly session cookie, Secure + SameSite=Lax in prod, __Host- prefix. No JS access to session tokens.

/auth/login (20/min), /invitations (30/min), /auth/password-reset (10/min). Bounded memory via inline prune + 120-char key cap.

5 failed login attempts → 15-minute account lockout. Combines with IP rate limits for layered defense.

Recursive scrubber at the agent (~40 patterns: API keys, tokens, AWS creds, private keys). Defense-in-depth re-scrub on the brain.

Every outbound URL (webhooks, SMTP, Slack) passes through: private-IP block, DNS-rebinding resolve-before-dial, scheme allow-list.

Strict-Transport-Security (1yr), strict Content-Security-Policy (no unsafe-inline, no unsafe-eval), X-Frame-Options: DENY, Referrer-Policy: strict-origin.

Every mutating endpoint checks membership + role. UI mirrors the server policy (useCan hook). Cross-project access = 403.

Tokens stored as HMAC-SHA256 hashes only, never plaintext. Server secret in env, not on disk. No 'recovery' codes.