HOW I'M SAFE

Six layers between me and your prod.

Trust isn't a tagline — it's a set of mechanisms. Watch them.

Diagram: six concentric rings labelled Approval gate, Audit trail, Read-first, Isolation, No dark holes, Right to revoke, around your product.
Six concentric mechanisms. Each does its job independently. None can be bypassed by configuration.
The principle. Autonomous where it's safe. Asks before anything irreversible. That gate isn't a setting — it's hardcoded.
1. Approval gate — not bypassable
A verified human signs off every production change.

Every production change requires a verified human approval on the current head SHA. New commits expire the approval. I check this at merge time and refuse if it doesn't match.

2. Immutable audit log
Every action timestamped and queryable.

Every action I take — tool call, email, PR open, merge, refusal — is appended to an audit log with a timestamp and the full payload. Append-only. Queryable any time.
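The two mechanisms above, as an added example that is not AXEOPS code: a merge gate that allows a production change only when a verified human approval exists for exactly the current head SHA (so any new commit expires it), and an append-only audit log that records every decision, refusals included, with a timestamp and the full payload. The Approval field names (sha, approver, verified) and the action labels are assumptions for illustration.

```python
"""Merge gate bound to the current head SHA, with an append-only audit record."""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Approval:
    """One human sign-off on one specific commit (field names are assumptions)."""
    sha: str        # full commit SHA the reviewer approved
    approver: str   # identity of the human who signed off
    verified: bool  # identity check passed; unverified sign-offs never count


@dataclass
class AuditLog:
    """Append-only: entries are added and read, never edited or removed."""
    _entries: list = field(default_factory=list)

    def append(self, action: str, payload: dict) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "action": action, "payload": payload}
        self._entries.append(entry)
        return entry

    def entries(self) -> tuple:
        return tuple(self._entries)  # immutable view for queries


def merge_gate(head_sha: str, approval: Optional[Approval],
               log: AuditLog) -> Tuple[bool, str]:
    """Allow a production merge only if a verified human approved exactly the
    current head SHA. Any new commit moves head, so an earlier approval no
    longer matches and the merge is refused until the new SHA is approved."""
    if approval is None:
        allowed, reason = False, "no approval on record"
    elif not approval.verified:
        allowed, reason = False, f"approver {approval.approver} is not verified"
    elif approval.sha.lower() != head_sha.lower():
        allowed, reason = False, (f"approval is for {approval.sha[:12]}, head is "
                                  f"{head_sha[:12]}: approval expired")
    else:
        allowed, reason = True, "verified approval matches current head"
    # Every decision, refusals included, is recorded with its full payload.
    log.append("merge" if allowed else "merge_refused",
               {"head_sha": head_sha,
                "approval": asdict(approval) if approval else None,
                "reason": reason})
    return allowed, reason
```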

3. Read-first on your data
No destructive SQL, ever, autonomously.

I can SELECT from your database to diagnose. I cannot autonomously INSERT, UPDATE, DELETE, DROP, ALTER, or TRUNCATE — ever. Schema changes are a human-only path.

4. Per-tenant isolation
No tenant sees another's data, secrets, or logs.

Each client's credentials live in their own isolated environment, scoped by a unique prefix. Hard isolation, not a config flag — cross-tenant access is structurally impossible.

5. No silent failures
Every ticket has an explicit owner and SLA.

If I'm waiting on you, a timer is running. 24h — I nudge. 72h — I nudge again with a deadline. 7d — auto-close with reason aged_out. Nothing rots in a queue.

6. Right to revoke
Clean offboard. No artifacts left behind.

Offboarding deletes everything: state, audit, secrets, scaffolded tools. One command, clean removal. Verified by auditing the empty schema afterward.

What I do vs. what I don't
The full do-and-don't list, in two columns.

I do, by default

  • Read code, deploy logs, traces, ticket history.
  • Run read-only SELECT queries to test hypotheses.
  • Open PRs with the smallest change that fixes the bug.
  • Ask specific clarifying questions when a ticket is vague.
  • Notify your reviewer with full context for approval.
  • Email customers in plain English when things ship.

I won't, ever, autonomously

  • Touch authentication, payments, or PII.
  • Push to main without a verified approval on the current SHA.
  • Run DDL, DML, migrations, or any destructive SQL.
  • Rotate, transmit, or generate credentials.
  • Bypass tests, hooks, or pre-commit checks.
  • Send unsolicited customer email or marketing.
  • Force-push, hard-reset, or delete branches without sign-off.
Where your data lives
Every system that touches your tickets, code, or customers.
Ticket state & audit log: Supabase Postgres. Encrypted at rest (AES-256), in transit (TLS 1.3). Region selectable per deployment.
Per-tenant secrets: clients/<your-prefix>/.env on the AXEOPS host. Never in the shared database. Prefixed so cross-tenant key collisions are impossible.
Your code: Lives in your GitHub repo. I clone with a scoped PAT, branch + commit when fixing, push back to your repo. Not mirrored, not stored, not transmitted anywhere else.
Customer email: Sent via Resend. Inbound via Microsoft Graph with app-only auth (no user mailbox access).
Model calls: Anthropic Claude with prompt caching. Zero data retention available via Anthropic's enterprise tier.
Honesty section

What I'm still building.

Trust is built on transparency, not omission. Here's what's not yet in place — flagged so you know exactly what to expect. Tracked publicly in SECURITY-TODOS.md.

“That's the bar I was looking for.”
