Skip to content

Security

This section covers the platform's security model: how a user's identity is established, how authorization is enforced, what capability tokens look like, where secrets live, and what is audit-logged.

  • Authentication — Google OIDC, sessions, Host-link bearer tokens.
  • Authorization — present-state principal-ownership model, target capability model.
  • Capability tokens — bus tokens, heartbeat tokens, NATS user JWTs.
  • Secrets — what the platform persists, what stays on the Device.
  • Audit logs — what is recorded today, what is target.

Source: projects/matrix-3/packages/system-auth/ and projects/matrix-3/packages/system-gateway-http/ are the implementation. WORKSTREAMS/product-launch/CONSTRAINTS.md C7-C8, C14, C16 set the security baseline.