Home›Developers›Security primitives
cryptography and identity isolation and sandboxing PII and audit policy engine

Security primitives

Security primitives
for enterprise AI.

Your auditor verifies every control independently. Signed policy packs, tamper-proof audit records, and per-tenant row-level isolation enforced by Postgres. Nothing that slows your inference path.

Request security package See compliance posture
AES-256-GCM
At rest, host-layer KMS
Supabase platform default
TLS 1.2+
In flight, edge-agent mTLS
Pinned cert per agent
SHA-256
API key storage
Key shown once on creation
HMAC
Signed webhooks with replay window
Five minute bound
AES-256-GCMTLS 1.2+ and mTLSSHA-256 keysHMAC-SHA256 webhooksPostgres RLS
CryptographyTenant isolationIdentityPIIAudit
Layered primitives
Every write passes five gates

Identity through SAML 2.0 or OIDC, then a tenant claim in a signed, expiring JWT, then database row-level security enforced by Postgres (not the app), then per-class PII policy handled by PII Sentinel in strict, reversible, or flag-only mode, then an append-only audit write that is tamper-evident, SHA-256 Merkle chained, and fsynced across three zones. A request missing any gate returns zero rows with a typed RFC 7807 error and the same request id that threads gateway, orchestrator, agent, and DB.

Identity
SAML 2.0 or OIDC
JWT
tenant_id claim
RLS
Postgres policy
PII
class and mode
Audit
Tamper-evident append
Verify
Merkle rollup
Gates enforced per request
KMS
AES
At-rest encryption

Tenant data, prompts, outputs, and evidence packs encrypt at rest under Supabase's host-layer AES-256-GCM with KMS-managed keys. Application-layer per-tenant key wrapping ships once Supabase Vault is configured per tenant.

Host-layer guarantee
Replay
5m
HMAC bound

Five-minute window on every signed webhook. Timestamp plus HMAC-SHA256. Subscribers verify; replays outside the window return 401.

Webhook replay ceiling
Certs
Edge-agent mTLS

Edge agents present TLS client certs validated against the edge_agent_certs table on every call. Service-to-service mTLS between Vercel functions and Supabase rides the platform layer.

Per-agent client cert
Secrets
Hashed at rest

API keys stored as SHA-256 hashes, scoped to tenant and capability set. Shown once on creation.

Self-service rotation
Isolation
nsjail and seccomp

Agents sandboxed. Typed IPC only. No ambient filesystem or network access. Resource budgets per agent per tenant.

Kernel-enforced

Cryptography

At rest and in flight

A
At rest
AES-256-GCM, host-layer KMS
Supabase platform default

Tenant data, prompts, outputs, and evidence packs encrypt at rest with AES-256-GCM under Supabase's host-layer KMS. Tenant isolation rides Postgres row-level security at the database layer.

Cipher
AES-256-GCM
Keys
Host-layer KMS
Per-tenant wrap
Planned
Isolation
Postgres RLS
B
In flight
TLS 1.2+ with edge-agent mTLS
Pinned ciphers, per-agent certs

Every external call rides TLS 1.2 or 1.3 with pinned cipher suites. Edge agents present TLS client certs validated against the edge_agent_certs table on each call. Service-to-service mTLS between Vercel functions and Supabase rides the platform layer.

External
TLS 1.2 or 1.3
Edge agents
Client cert mTLS
Service mTLS
Platform layer
Ciphers
Pinned allowlist
C
Keys
API keys stored as SHA-256 hashes
Shown once, scope-bound

API keys show once at creation and store as SHA-256 hashes. Each key binds to a tenant and a capability set, so a leaked key cannot widen its own scope. Rotation is self-service from the admin console and every use and rotation is logged.

Hash
SHA-256
Visibility
Once at create
Binding
Tenant plus capabilities
Rotation
Self-service, logged
D
Webhooks
HMAC-SHA256 signed with replay bound
Five-minute window, RFC 7807 on reject

Every webhook carries a timestamp header and an HMAC-SHA256 signature over the body. The replay window bounds at five minutes, and subscribers verify both the HMAC and the timestamp. Rejections return RFC 7807 problem documents so integrators know why a payload was dropped.

Algorithm
HMAC-SHA256
Window
Five minutes
Reject shape
RFC 7807
Verifier
Subscriber-side

Tenant isolation

Row-level security, end to end

RequestIdentity
JWT issued by the platform identity service.

Tokens sign with a rotating platform key, carry tenant_id and capability claims, and expire in fifteen minutes. The gateway rejects unsigned or stale tokens with RFC 7807 before a handler ever executes. Refresh rotation prevents replay across sessions.

Algorithm
RS256
TTL
Fifteen-minute access
Claims
tenant_id and caps
Reject
RFC 7807
GatePostgres
Row-level security enforced by the database, not the app.

A Postgres RLS policy reads tenant_id from the JWT claim inside current_setting and restricts every row to the caller tenant. A wrong claim returns zero rows with no error leak. Applied to every table holding tenant data, including evidence packs and audit events.

Engine
Postgres RLS
Source
JWT claim
Wrong tenant
Zero rows
Coverage
Every tenant table
ReturnTelemetry
Every read and write writes tenant_id, req_id, and actor.

Reads and writes emit structured events keyed on tenant_id and request id, with the actor identity, the policy version, and the source service. Break-glass paths write with a reason string and land in a dedicated audit slice reviewed weekly.

Fields
tenant, req, actor, policy
Break-glass
Reason-required
Review
Weekly cadence
Sink
Tamper-evident audit log
policy sketch 
create policy tenant_isolation
  on public.assessments
  using (
    tenant_id = (
      current_setting('request.jwt.claims')::jsonb
        #>> 'tenant_id'
    )::uuid
  );

-- wrong claim returns zero rows

Identity

How humans and services authenticate

JWT sessions

Short-lived access tokens, long-lived refresh with rotation. Revocable from the admin console.

SAML and OIDC SSO

Any SAML 2.0 or OIDC identity provider. Tenant-scoped metadata.

MFA for admins

TOTP available today. WebAuthn planned. MFA-required roles set per tenant policy.

API keys

SHA-256 hashed, scoped to tenant and capability set. Self-service rotation.

Service identity

Edge agents authenticate via TLS client certs validated per call. Internal service-to-service mTLS rides the platform layer.

Break-glass

Admin override requires a documented reason and writes to the permanent audit log.

PII handling

Personal data, handled to your rules

What we detect
Detected classes
  • Names, emails, phone numbers
  • Street addresses, government IDs
  • Payment cards, health indicators
  • Biometric hints, login credentials
  • Minors indicators
What we do with it
Redaction modes
  • Strict: replace with a token, non-reversible
  • Reversible: vault with scoped keys and audit
  • Flag only: pass through with a tag, no change
  • Per tenant, per class, per channel
  • Confidence scored on every match

Audit and evidence

Every decision is attributable

A
Append-only log
Actions, approvals, overrides
SHA-256 Merkle, seven-year retention

Every action, approval, and override writes into an append-only log. Entries are SHA-256 Merkle-chained with checkpoints every five minutes, fsynced to disk before acknowledge, and replicated across three zones. Tampering with any entry breaks the downstream chain and surfaces on the next verification pass.

Chain
SHA-256 Merkle
Checkpoint
Five minutes
Durability
fsync, three-zone
Retention
Seven-year tamper-evident
B
Stable request ids
One id, every layer
OTel spans, gateway to DB

A single request id threads the gateway, orchestrator, agents, and database. Support and audit see the same events from the same trace, and OTel spans let you replay a request across services without correlating by timestamp.

Scope
Gateway to DB
Transport
OTel spans
Use
Support and audit parity
Correlation
Id, not timestamp
C
Evidence packs
Signed, timestamped bundles, filterable by framework
EU AI Act, SOC 2, NIST, ISO 42001

Evidence packs roll up the audit log, policy versions, and agent outputs into signed, timestamped bundles with a detached JWS and SHA-256 payload hash, filterable by framework (EU AI Act Art. 10, SOC 2, NIST AI RMF 2.0, ISO 42001 section 8.4). Packs are generated on demand via API.

Filters
EU AI Act, SOC 2, NIST, ISO
Integrity
Detached JWS
Generation
On demand via API
Delivery
Signed URL and API