Security architecture

Trust is a boundary, not a badge.

Fabric’s architecture treats every identifier, sync message, share link, upload, and AI tool call as untrusted until policy says otherwise.

Review Threat Model

Current status

Implemented controls, no external assurance claim.

The application includes scoped authorization, isolated runtime roles, hashed share tokens, and restricted realtime admission. This page does not claim independent penetration testing, compliance certification, or contractual service levels.

Threat model

The boundaries Fabric enforces.

The current application pairs concrete trust boundaries with server-side authorization, schemas, limits, and safe public responses.

Capability-based access
Protected routes resolve the principal and resource, then check the exact workspace or board capability instead of trusting UI state.
Scoped realtime tickets
Short-lived, board-scoped tickets, origin checks, revocation, quotas, and protocol permission checks protect room joins and updates.
Validated inputs
API contracts reject malformed board data, comments, identifiers, AI requests, and oversized bodies before repository writes.
Token-safe sharing
Share links use high-entropy tokens that are hashed at rest, scoped to one board, permission limited, expirable, and revocable.
Private asset storage
Asset routes require board access and enforce byte-signature, media-type, per-file, and per-board limits before Neon storage.
Constrained AI proposals
The current skill can only create theme frames and move selected objects; Fabric validates the patch and requires an authorized approval.

Request path

One policy model across every runtime.

Next.js handlers, the realtime service, and the AI worker bind every operation to authenticated resource identifiers and narrow capabilities.

  1. 01

    Authenticate

    Establish the user, device, or narrow share-link identity.

  2. 02

    Resolve scope

    Load tenant and resource inside the trusted data-access layer.

  3. 03

    Check capability

    Authorize the exact read, write, share, export, or tool action.

  4. 04

    Validate output

    Enforce schemas, quotas, redaction, and safe public responses.

Implemented safeguards

Checks on the active request paths.

  • Same-origin checks on state-changing HTTP routes
  • Workspace and board capability checks inside the data-access path
  • Realtime ticket expiry, origin validation, revocation, and update limits
  • Schema, body-size, file-signature, and storage-quota enforcement
  • AI response validation plus exact saved-state verification before completion

Assurance boundary

Know what is not asserted.

  • No security certification or regulatory compliance status
  • No published third-party penetration-test report
  • No contractual retention, deletion, backup, or uptime service level
  • No public incident-response or vulnerability-disclosure commitment
  • Deployment operators remain responsible for secrets, network controls, backups, monitoring, and provider configuration

Inspect the controls with the assurance boundary in view.

Fabric exposes implemented safeguards separately from certifications, contractual service levels, and deployment-operator responsibilities.