HydraPanel

Security

A short list of what we do, written for the technical reader. The full threat model lives in our internal docs and is shared on request.

Multi-tenant isolation

Shared schema with `tenant_id` on every relevant row, and three layers of defense: the repository layer enforces tenant scoping; a per-connection session variable (`SET @hydra_tenant_id`) acts as belt-and-braces for the WHERE clause; and a cross-tenant test suite tries every public surface with the wrong tenant.

Agent connection direction

The agent dials out to us. Your machines never accept inbound control traffic. We pin our TLS certificate's SPKI in the embedded binary, so a rogue CA can't MITM us. The shipped binary is signed with cosign (or minisign); the install script verifies the signature before running it.

Authentication

Email + password via argon2id; TOTP and SMS 2FA out of the gate; passkeys land in phase 4. OAuth via Hep.gg Account (OIDC) with strict ID-token verification (iss, aud, alg, exp, nonce). API keys are stored as argon2id hashes; the plaintext is shown once on creation.
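The ID-token checks listed above (iss, aud, alg, exp, nonce), as an added example that is not HydraPanel's own code. It assumes an HS256 token and a shared key so that it runs on the standard library alone; the issuer, client ID, key and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}  # assumption for this demo: an explicit allow-list of one alg

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_demo_token(claims, key, alg="HS256"):
    """Build a constructed sample token for the demo (not a real provider token)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_id_token(token, key, issuer, client_id, nonce, now=None, leeway=30):
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64d(head_b64))
        sig = _b64d(sig_b64)
    except Exception:
        raise ValueError("malformed token") from None
    # alg: chosen by our allow-list, never by what the token header asks for
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg not allowed")
    signed = f"{head_b64}.{body_b64}".encode()
    if not hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))  # trusted only after the signature checks out
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise ValueError("expired")
    # nonce: must equal the value this session sent in the authorization request
    got = str(claims.get("nonce", "")).encode()
    if not nonce or not hmac.compare_digest(got, nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims
```

The algorithm check runs before the signature check, so a token whose header says `none` is rejected even if the rest of it is well-formed.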

Operator support sessions

Our staff can impersonate a tenant member to debug their issue. Every action during such a session is flagged in the activity log; the dashboard shows a persistent banner; the tenant owner gets an email when the session starts; the session auto-expires.

Secrets at rest

Secrets are encrypted with libsodium secretbox under a per-class key derived from a master key. This covers database host passwords, OAuth refresh tokens and node credentials. Plaintext never lands in the database.

Reporting

Security reports to security@hep.gg. We respond within one business day.