PAT security posture.

This page summarizes implemented safeguards and current boundaries without claiming external certification or audit completion.

Last updated: April 28, 2026Trust center

Authentication boundaries

Production authentication is provider-backed. Local review credentials are explicitly gated by environment and loopback rules so they are not confused with public production auth.

Sensitive operations

Billing and account-sensitive operations are protected by route-level guards, rate-limit checks, and elevated confirmation where supported by the current runtime. Session payloads are kept to the fields needed for routing and authorization.

Release and runtime proof

Startup preserves a dirty-tree guard, and release validators compare canonical root, branch, commit, build ID, build timestamp, auth mode, start command, and git dirty state across runtime artifacts.

Billing data boundary

Card entry is delegated to the payment provider when billing is configured. PAT stores provider identifiers and reconciliation status; it does not store raw card numbers.