Security Model

The public web layer is the only external edge. Internal MCP and runtime services remain private.

Auth

Google Identity Services in the browser, same-origin BFF proxy under /api, step-up MFA for sensitive actions.

Audit

Every sensitive write must persist actor, route, scope and decision metadata.

Isolation

No direct browser access to project-mcp, runtime-agent or review services.