Reviewedv1Security & governance
Security and change governance
Apply least privilege, fail-closed behavior, and audit trails without turning an API into an owner-gate bypass.
Security baseline
- Least privilege for every identity, credential, and device.
- Fail closed when a driver, contract, or scope is absent.
- No secrets in Git, logs, or client bundles.
- Audit sensitive actions with actor, tenant, and correlation.
- Separation of duties and owner approval for high-risk activation.
High-risk actions
Destructive, irreversible, or downtime-causing changes need backup, impact analysis, rollback, and explicit approval. An API surface never removes that gate.
Data integrity
Never run migrate:fresh except on a proven disposable local database. Use migrate --pretend and migrate:status before shared databases and keep migrations additive whenever possible.