Security isn't a page in a sales deck — it's how the platform is built. Authorization is a matrix, sessions fail closed, and every action an operator takes, human or AI, is bounded and audited.
OIDC + MFA on every login. Masquerade and staff access are default-deny, time-boxed, and fully audited.
authz-matrix 18/18HSTS, CSP, and strict headers baked into one Caddy image — two edge modes, one artifact, no drift.
17/17 postureEvery institution gets its own data boundary and its own keys — no shared tenancy, no cross-FI blast radius.
isolated by defaultAI operators can diagnose and remediate infrastructure — they can never move money. Every action is bounded and reversible.
bounded · auditedOpenTelemetry, synthetic journeys, and per-FI dashboards ship with the platform, so posture is observable, not asserted.
observability built-inEvery change is a pull request and every deploy is one image — so git revert is a first-class incident response.
one image · git revertWalk through the authorization model, the edge posture, and the AI action boundaries with the people who built them.