Security & Privacy

Auth Worker issues first-party JWTs; API Worker validates via JWKS.
Tenant isolation is enforced in context and retrieval layers.
Least-privilege tokens for all services and queues.

Threat Model Snapshot

Risk
The highest risk is cross-tenant leakage through retrieval or logging.

Auth & Tenancy

  • PKCE login through Cloudflare Access OIDC.
  • Auth Worker issues short-lived access tokens and rotating refresh tokens.
  • API Worker validates JWTs and enforces tenant_id on every query.

Decision
We do not ship Access client secrets in the mobile app; the Auth Worker brokers all sensitive flows.

Data Retention & Privacy

  • R2 lifecycle policies for manuals and transcripts.
  • Audit logs retain evidence references, not raw PII.
  • Secure secrets storage via Worker secrets and scoped service bindings.

Mitigation
Redact or hash sensitive fields before logging, and store only what is required for audits.