Reviewedv1Security & governance

Security and change governance

Apply least privilege, fail-closed behavior, and audit trails without turning an API into an owner-gate bypass.

Security baseline

  • Least privilege for every identity, credential, and device.
  • Fail closed when a driver, contract, or scope is absent.
  • No secrets in Git, logs, or client bundles.
  • Audit sensitive actions with actor, tenant, and correlation.
  • Separation of duties and owner approval for high-risk activation.

High-risk actions

Destructive, irreversible, or downtime-causing changes need backup, impact analysis, rollback, and explicit approval. An API surface never removes that gate.

Data integrity

Never run migrate:fresh except on a proven disposable local database. Use migrate --pretend and migrate:status before shared databases and keep migrations additive whenever possible.