Security

How AutoInk is actually built.

The list below is a snapshot of security properties live in the codebase today — not slogans, not roadmap. Each one corresponds to a package, a migration, or a configuration we can point to on request. What's still on the roadmap is clearly labelled in its own section.

What's in place today

Five pillars, each with named code paths.

Identity, data, outbound traffic, billing integrity, and application hardening — the five surfaces a content-pipeline product has to get right.

Identity and access

  • Argon2id password hashing with per-installation pepper — never plaintext, never reversible
  • Optional TOTP MFA on every account, not gated to a paid tier
  • OAuth via Google, GitHub, and Microsoft — first-party flow with PKCE and state-bound CSRF cookies
  • Three-bucket login throttling (per-pair, per-IP, per-email) survives credential-stuffing botnets
  • Sessions atomically rotated on password change — old sessions invalidated in the same DB transaction
  • Have-I-Been-Pwned k-anonymity check on signup, fail-open with explicit operator switch

Data protection

  • AES-256-GCM application-layer encryption on every credential AutoInk stores (CMS tokens, OAuth tokens, GitHub installation IDs)
  • TLS in transit, AES-256 at rest at the database layer
  • Postgres parameterised queries throughout — no string-concatenated SQL, period
  • Multi-tenant SQL guards: every workspace-scoped query carries an owner_workspace_id predicate, enforced by integration tests

Outbound safety

  • Every outbound HTTP request that accepts a user-supplied URL goes through the safenet package
  • DNS resolution → IP validation → dial the resolved IP directly, defeating DNS rebinding
  • Refuses private, loopback, link-local, CGNAT, and IETF-reserved ranges across IPv4 and IPv6
  • Redirect chains re-enter the same guard, every hop
  • Post-publish hooks run with argv arrays only — no shell, no string interpolation, no command injection surface
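
The resolve, validate, then dial-the-vetted-IP sequence from the list above, as an added Go example; it is not AutoInk's safenet code. The language, the names AllowedIP and SafeDialContext, and the extra prefix list are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
)

// Extra refused ranges beyond netip's predicates (constructed list, not AutoInk's, not exhaustive).
var blocked = func() (out []netip.Prefix) {
	for _, c := range []string{"0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "192.0.2.0/24",
		"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "64:ff9b::/96", "2001:db8::/32"} {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}()

// AllowedIP reports whether ip is a public unicast address (hypothetical helper name).
func AllowedIP(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1 so mapped forms cannot bypass the check
	if !ip.IsValid() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return false
	}
	for _, p := range blocked {
		if p.Contains(ip) {
			return false
		}
	}
	return true
}

// SafeDialContext resolves once, validates every answer, then dials the vetted IP literal,
// so the name is never resolved a second time between the check and the connection.
func SafeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	addrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("safenet: resolve %q: %v", host, err)
	}
	for _, a := range addrs {
		if !AllowedIP(a) {
			return nil, fmt.Errorf("safenet: %q resolves to blocked address %s", host, a)
		}
	}
	return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(addrs[0].Unmap().String(), port))
}
func main() { fmt.Println(AllowedIP(netip.MustParseAddr("169.254.169.254"))) }
```

Set as the DialContext of an http.Transport, this function is called for every new connection, including those opened for redirect targets, so each hop passes the same check.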

Billing integrity

  • Double-entry ledger with hash-chained immutable transactions — tampering detected by chain verification
  • Daily attestation signed with ECDSA, verifiable independently of the database
  • Reserve-and-settle on every paid action so client disconnects, crashes, and retries can't drift the balance
  • Daily reconciliation across eight providers (Anthropic, OpenAI, Google, DeepSeek, Perplexity, xAI, DataForSEO, Stripe); drift over 5 % triggers an operator alert
  • 100 % mutation-test score on the ledger module (151 / 151 mutants killed)

Application hardening

  • Global maximum request body of 10 MiB, enforced by middleware ahead of any parser
  • Image uploads validated by magic-byte signature, not Content-Type header
  • /uploads directory: directory listing returns 404; X-Content-Type-Options: nosniff on every file
  • Security response headers on every response: nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, HSTS when cookies are Secure
  • Strict JSON decoding rejects unknown fields with a 400 — no silent data drop, no attribute injection
  • Trusted proxy hop count is explicit (TRUST_PROXY_HOPS); X-Forwarded-For from outside the trust window is ignored

What's not done yet

The honest roadmap.

A few common enterprise asks aren't shipped yet. We won't claim them until they are.

  • SOC 2 Type II (Planning): Type I scoping starts when the first enterprise contract closes. We track the underlying controls already; the audit cycle is the gating cost.
  • Per-workspace SSO (OIDC) (Design done): Specced in auth-roadmap.md AP4. Implementation kicks off with the first signed enterprise customer.
  • SAML 2.0 + SCIM 2.0 (Design done): Decision pending: build vs. integrate (BoxyHQ Jackson sidecar). Same trigger as SSO.
  • Fine-grained RBAC (Design done): Current model is owner / member per workspace. Project-level roles ship after SSO traffic stabilises (single-direction door).
  • Customer-managed encryption keys (Future): Asked for once so far. We'll scope it when there's a serious request — meanwhile every credential is application-encrypted with a per-installation key.

Responsible disclosure

Found something? Tell us first.

Email security@autoink.io with reproduction steps. We acknowledge within two business days, share a remediation timeline, and credit you in the changelog if you'd like. We don't pursue good-faith research.

We don't run a paid bug bounty yet. We'd rather have one and run it well than launch one we can't service — that is on the roadmap once headcount supports it.
