Enterprise-grade scope governance with controlled data handling.
Role-based access, tenant isolation, immutable version history, SSO support, and secure deployment options.
Role-Based Access Granular space-level permissions.
- Space-level
client/view/edit/adminroles. - Policy-aware client visibility for versions and compares.
- Permission checks are enforced server-side for all protected actions.
Version Integrity Published versions are immutable.
- Deterministic version checksum per published version.
- Public verification link support for client-side integrity checks.
- Optional signature validation for enterprise deployments.
Audit Trail Full version history and activity tracking.
- Critical actions are captured in audit events with context fields.
- Filterable admin audit view and CSV export for investigation workflows.
- Immutable/append-only mode is available for stricter governance.
Deployment Control Cloud or self-hosted environments.
- Docker-based production deployment with health checks.
- Offline-capable self-host mode for isolated environments.
- Separate controls for company and superadmin security policies.
Credential Security Hashed passwords and secret isolation.
- Password and key values are stored as hashes.
- Secret values are configured through environment or secret stores.
- Security controls include cookie hardening and origin checks for POST requests.
Data Ownership Tenant-controlled storage and exports.
- Space boundaries are enforced for artifact access.
- Version exports and client packages are generated on demand.
- Backup and restore scripts support tenant-controlled recovery flows.
Technical appendix
Deep implementation details and compliance-oriented controls for vendor review.
- Tenant isolation by company scope and subdomain routing.
- Subdomain separation with host canonicalization and anti-injection checks.
- OIDC tenant binding in login state and callback validation.
- Domain verification governance for workspace discovery and provisioning.
- No cross-tenant session sharing for authenticated workspaces.
- Security headers baseline: CSP, HSTS, X-Frame-Options, X-Content-Type-Options.
- TLS posture target: SSL Labs grade A+ on production edge configuration.