Security

Understand transport encryption, storage encryption, and key access patterns.

Transport Encryption Flow

CLI / Dashboard
    |
    | 1) Generate AES key
    | 2) Encrypt request body (AES-256-GCM)
    | 3) Encrypt AES key with server RSA public key
    v
Server API
    |
    | 4) Decrypt AES key (RSA private key)
    | 5) Decrypt request body
    | 6) Process request
    | 7) Encrypt response body back to client
    v
CLI / Dashboard

Environment Storage Encryption Flow

Incoming .env payload
    |
    v
Server decrypts payload
    |
    v
Re-encrypt with projectKey
    |
    v
Upload encrypted blob to object storage
    |
    v
Store blob URL + version metadata in database

Operational Security Tips

  • Keep JWT secret, Redis credentials, and private keys out of source control.
  • Use least-privilege IAM and OAuth scopes for deployment integrations.
  • Rotate credentials when team membership changes or after suspected leakage.
  • Record a changelog entry on every push so that environment changes can be audited later.