Security model

A tool that reaches your servers has to earn trust. Here is how.

Least privilege

The per-server agent exposes a narrow HTTP API and no shell. It enforces its own command allowlist, so a compromise of the hub cannot turn into arbitrary shell access.

Approval gates

Commit, push, deploy, rollback, and migrations are approval-gated. High-risk actions need an exact confirmation phrase.

Audit

Every request, command, and approval is written to an append-only audit log, exportable as JSON or Markdown. Secrets are never logged.
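
The agent-side checks described in the three sections above, as an added example that is not the project's own code. The action names, argv values, the confirmation-phrase format, the set of redacted keys, and the choice of rollback as the high-risk action are all assumptions made for illustration.

```python
import json

# Hypothetical allowlist: each action maps to a fixed argv, never to a command
# string from the hub. "gate" is None, "approval", or "phrase" (high-risk).
ALLOWLIST = {
    "status":   {"argv": ["git", "status", "--short"], "gate": None},
    "deploy":   {"argv": ["/opt/app/bin/deploy"], "gate": "approval"},
    "rollback": {"argv": ["/opt/app/bin/rollback"], "gate": "phrase"},
}
SECRET_KEYS = {"token", "password", "authorization"}  # assumed secret fields
AUDIT = []  # stand-in for the append-only log: entries are only appended


def audit(event, **fields):
    """Append one JSON audit record, replacing secret values before writing."""
    clean = {k: "[REDACTED]" if k.lower() in SECRET_KEYS else v
             for k, v in fields.items()}
    AUDIT.append(json.dumps({**clean, "event": event}, sort_keys=True))


def handle(request):
    """Return (True, argv) if the request may run, else (False, reason)."""
    audit("request", **request)
    action = request.get("action")
    entry = ALLOWLIST.get(action) if isinstance(action, str) else None
    if entry is None:
        # Anything not named in the allowlist is refused, whatever the hub says.
        audit("denied", action=action, reason="not in allowlist")
        return False, "not in allowlist"
    if entry["gate"] and not request.get("approved_by"):
        audit("denied", action=action, reason="approval required")
        return False, "approval required"
    if entry["gate"] == "phrase":
        expected = f"{action} production"  # assumed phrase format
        # Exact match: no trimming, no case folding.
        if request.get("confirm") != expected:
            audit("denied", action=action, reason="confirmation phrase mismatch")
            return False, "confirmation phrase mismatch"
    audit("approved", action=action, approved_by=request.get("approved_by"))
    # A caller would pass argv to subprocess.run(argv, shell=False).
    return True, list(entry["argv"])
```
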