Flowintent / proof
Loading security
Security
Private workspaces, sealed provider access, RBAC, reviewer-safe evidence, procurement checkpoints, and post-quantum readiness presented in a calm security surface.
Post-Quantum Badges
One view for private access, PQC posture, inventory, and approved proof.
A practical map of ML-KEM, ML-DSA, SLH-DSA, and migration controls.
Cryptographic assets and dependency signals before migration work starts.
Private execution context is filtered into approved reviewer-safe proof.
Data Privacy
Procurement Checklist
Post-quantum readiness matters, but procurement first needs direct answers on auth, RBAC, key handling, audit posture, retention, compliance status, and disclosure process.
Area
Status
Auth.js v5 with credentials and optional GitHub OAuth
Detail
SAML/OIDC enterprise SSO should be treated as pilot or enterprise scope unless separately enabled.
Area
Status
Permission-based roles
Detail
Admin access requires `admin.access` and fresh DB-backed session checks.
Area
Status
Server-side encrypted
Detail
Provider credentials and OAuth tokens are encrypted with AES-256-GCM through `QW_ENCRYPTION_KEY`.
Area
Status
Workspace and role gated
Detail
Private workspaces, provider setup, billing, admin notes, and draft records stay out of reviewer shares.
Area
Status
Run and review trail
Detail
Evidence pages can show circuit, source, result, trace, and certificate context without raw provider secrets.
Area
Status
Review during procurement
Detail
Confirm retention windows, deletion SLAs, backup policy, and region needs during enterprise pilot setup.
Area
Status
Roadmap, not certification claim
Detail
Do not infer SOC 2, ISO 27001, or provider certification unless a current signed report is supplied.
Area
Status
Security contact published
Detail
Use the public security contact for responsible disclosure and procurement security review.
Post-Quantum Crypto
The page now separates what is a product security boundary from what is a migration-readiness signal, so badges do not imply a third-party audit that has not happened.
FIPS 203
Primary NIST key-establishment standard for post-quantum migration planning.
FIPS 204
Primary NIST digital-signature standard tracked in readiness reviews.
FIPS 205
Stateless hash-based signature standard used as a diversity and backup signal.
Migration Shape
The security page now mirrors the 2026 migration conversation: discover cryptography, understand vendor ownership, keep algorithm choices agile, then expose only safe evidence.
Map public-key usage, certificates, dependencies, and exposed protocols before picking rollout scope.
Track which providers, SDKs, and hosted services control cryptographic implementation details.
Keep configuration, evidence, and provider routing ready for staged algorithm changes.
Show readiness state without exposing private keys, credentials, or admin-only records.
Review packets should carry enough context to verify a result without leaking provider keys, user records, admin notes, or billing state.