Security Architecture
Per-plane control enumeration. Every claim sources to a file:line in the canonical Security Architecture document. Gaps are named, not hidden.
Production-safety posture
Production behavior under TLS, HSTS, CSP, CSRF, rate limiting, MFA, and tenant isolation is unaffected. Live-database activation of the canonical audit-events schema and SpendGuard scaffolding remains paused until production database identity is verified — see the active condition on /status.
Per-plane controls
Identity Plane
Authentication, sessions, MFA, CSRF, RBAC, tenant boundaries.
Routing Plane
Provider routing, fallback, circuit breakers, cost integration.
Execution Plane
Agent runtime, orchestration, workflow execution.
Spend Plane
Billing, Stripe webhooks, subscription lifecycle.
Audit Plane
Tamper-evident audit trail, compliance evidence, forensic reconstruction.
Data Plane
Database integrity, migrations, schema discipline.
Control Plane
Admin, tenant management, platform owner operations.
Observability
Correlation, tracing, error aggregation, PII discipline.
Network surface
TLS, HSTS, CSP, frame/MIME hardening, CORS, edge protection.
Honest gaps
Tracked deficits an enterprise reviewer should expect to see closed before regulated-industry adoption. Each maps to a tracked finding in STATUS.md.
Production database identity verification — Production-Safety Stop active.
AUDIT_DUAL_WRITE_ENABLED end-to-end activation — gated on the same Stop.
Three legacy audit_logs models still present alongside the canonical one (audit finding B13).
No SOC 2 / HIPAA / FedRAMP / ISO 27001 audit in flight.
No multi-region data residency — single Neon region today.
No edge WAF / bot protection layer.
Branch protection on main — gated on org-admin activation.