01 / IDENTITY
Durable organization ownership
People may change identity providers without transferring product ownership. Organizations support multiple owners, role separation, and immediate membership revocation.
Security Center · updated July 14, 2026
We spend first on controls that stop incidents—not badges that imply they can’t happen. Until independent attestation makes economic sense, we show our work and state exactly what has and hasn’t been independently verified.
Current posture
No certification shorthand. These are scoped product facts, their verification state, and the boundaries customers should plan around.
Control model
Admin policy sets the ceiling. User consent narrows it. Snapshot approval and guardrails narrow it again. No downstream provider can widen access.
01 / IDENTITY
People may change identity providers without transferring product ownership. Organizations support multiple owners, role separation, and immediate membership revocation.
02 / MCP
Each session binds organization, profile, connector identity, approved tools, audience, and the shortest applicable duration ceiling.
03 / CHANGE
New tools stay hidden, removed tools stop, and materially changed schemas pause until an administrator approves a new snapshot.
04 / GUARDRAILS
Built-in or customer-selected providers may deny, require four-eyes approval, or apply constrained transforms. Enforcing failures deny the call.
Proof ledger
“Implemented” means covered by repository evidence and internal verification. It does not mean independently audited.
| ID and claim | Control | Evidence and status |
|---|---|---|
| AUD-001 Tool calls fail closed when audit intent cannot be committed. | Durable intent is committed before connector dispatch. | Implemented · internally verified Gateway enforcement and PostgreSQL adapter contract tests · as of 2026-07-14 |
| AUD-002 Every dispatched call has correlated intent and terminal receipts. | UUIDv7 call correlation across append-only audit events. | Implemented · internally verified Local PostgreSQL intent/completion integration test · as of 2026-07-14 |
| TEN-001 Tenant-owned records are isolated in the database. | Organization keys, forced RLS, and transaction-local actor context. | Implemented · internally verified pgTAP RLS policy suite · as of 2026-07-14 |
| CON-001 Connector updates do not silently expand existing grants. | Versioned snapshots pause changed tools and hide new tools. | Implemented · internally verified Connector drift state-machine tests · as of 2026-07-14 |
| GRD-001 Guardrails can deny, require approval, or safely transform MCP traffic. | Default-deny pre/post dispatch pipeline with schema revalidation. | Implemented · internally verified Guardrail aggregation, SSRF, disclosure, and gateway tests · as of 2026-07-14 |
| REC-001 Pilot recovery objectives are six-hour RPO and four-hour RTO. | Daily managed backups plus six-hour encrypted logical exports. | Implemented · internally verified Recovery configuration and restore-exercise runbook · as of 2026-07-14 |
| PRV-001 Product analytics honors DNT, Global Privacy Control, and consent. | Provider-neutral telemetry gate blocks analytics unless allowed. | Implemented · internally verified Telemetry privacy contract tests · as of 2026-07-14 |
| ARC-001 Historical audit exports use retention-protected object storage. | KMS-encrypted S3 Object Lock with dual JSONL/Parquet export. | Implemented · internally verified OpenTofu plan and archive format tests · as of 2026-07-14 |
| WEB-001 Outbound product events use one signed, durable webhook contract. | CloudEvents 1.0 outbox delivery with ordering, bounded retry, dead letters, and audited replay. | Implemented · internally verified pgTAP delivery suite and Rust worker/transport contract tests · as of 2026-07-14 |
| EXT-001 Independent penetration testing is required before production use. | Production readiness gate and remediation tracking. | Planned · not yet verified Pending external engagement · as of 2026-07-14 |
Responsible disclosure
Email security@govna.io. Include impact, reproduction steps, and a safe way to contact you. Do not access another tenant’s data or disrupt service.