Security

Security is orthogonal to scale. Every primitive — auth, storage, IPC, error reporting — assumes zero trust in the caller and isolates per tenant from commit 1. No retrofits.

Commitment

HTTPS only, 301 redirect on every public edge. Cookies Secure + HttpOnly + SameSite=Lax. Tokens flow through Koder ID (sole identity provider). Multi-tenant isolation via RLS (SQL), key-prefix (KV), or path-prefix (S3). Erasure cascade honors backup-restore.

Canonical specs

policies/security.kmd · policies/multi-tenant-by-default.kmd · specs/auth/oauth-flow.kmd · specs/multi-tenancy/contract.kmd · specs/signing/icp-brasil.kmd. Owner-curated expansion will cover threat model and audit cadence.