§ Security

Tamper-evident by design.

Last updated · 2026-05-04

Yelt's security posture is the product, not a side feature. The audit ledger is cryptographically tamper-evident. The policy gateway evaluates deterministically. The control plane is multi-tenant via strict org-scoped queries. This page describes the substrate.

Audit ledger integrity

  • SHA-256 hash chain. Each audit event row contains a hash of its canonical payload plus a reference to the previous row's hash. Any silent edit to row N breaks every downstream row's chain link.
  • Append-only enforcement. Postgres triggers reject UPDATE and DELETE on audit_events. The constraint is at the database layer, not just the application.
  • Server-side hash assignment. The control plane assigns sequence numbers and timestamps; gateways cannot forge ordering or backdate events.
  • Independent verification. The yelt audit verify CLI runs offline against a JSON export. Auditors don't have to trust Yelt at verification time.
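
The chain check described above, as an added example. This is not Yelt's code and not the yelt audit verify implementation. The row fields (seq, prev_hash, payload, hash), the canonical JSON form, the hash construction, the all-zero genesis value and the expected_head anchor are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first row

def canonical(payload):
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")

def row_hash(seq, prev_hash, payload):
    # Assumed construction: the hash covers seq, the previous hash and the payload,
    # so an edited row cannot be re-linked without rewriting every later row.
    data = f"{seq}\n{prev_hash}\n".encode("ascii") + canonical(payload)
    return hashlib.sha256(data).hexdigest()

def verify_chain(rows, expected_head=None):
    """Return (seq, reason) findings; an empty list means the chain is intact."""
    findings, prev, seq = [], GENESIS, 1
    for row in rows:
        if row["seq"] != seq:
            findings.append((row["seq"], "sequence gap or reorder"))
        if row["prev_hash"] != prev:
            findings.append((row["seq"], "prev_hash does not match previous row"))
        if row_hash(row["seq"], row["prev_hash"], row["payload"]) != row["hash"]:
            findings.append((row["seq"], "payload does not match stored hash"))
        # Continue from the stored values so one edit is reported where it occurs.
        prev, seq = row["hash"], row["seq"] + 1
    # A chain rewritten from row N onward is self-consistent; only an anchor
    # recorded outside the export (hypothetical expected_head) exposes it.
    if expected_head is not None and prev != expected_head:
        findings.append((None, "head hash differs from anchored value"))
    return findings

def build_chain(payloads):
    # Builds a constructed sample export; stands in for the JSON export file.
    rows, prev = [], GENESIS
    for seq, payload in enumerate(payloads, start=1):
        digest = row_hash(seq, prev, payload)
        rows.append({"seq": seq, "prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return rows

SAMPLE = build_chain([  # constructed events, not real audit data
    {"agent": "agent-a", "tool": "search", "decision": "allow"},
    {"agent": "agent-a", "tool": "wire_transfer", "decision": "deny"},
    {"agent": "agent-b", "tool": "search", "decision": "allow"},
])

if __name__ == "__main__":
    print(verify_chain(SAMPLE, expected_head=SAMPLE[-1]["hash"]) or "chain intact")
```
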

Multi-tenant isolation

  • Every customer-data table has an org_id column. Every read filters on it.
  • The withAuth wrapper rejects cross-org access at the route boundary: a cross-org probe gets a 403, not a redirect.
  • Triggers enforce org integrity at the database layer: inserting an agent credential whose org_id doesn't match its agent's org_id is rejected even with direct SQL access.

Authentication

  • Humans. Supabase Auth: magic link, Google OAuth, GitHub OAuth. No passwords. Sessions are HTTP-only, secure, SameSite=Lax cookies.
  • Agents. Each registered agent has an Ed25519 signed credential. Rotation is supported with a 24-hour overlap window so deployments don't race the rotation.
  • Gateways. The Rust MCP gateway authenticates to the control plane with its own Ed25519 credential before subscribing to policy bundles or uploading audit events.

Data handling

  • At rest. Postgres is encrypted at rest (Supabase managed). Sensitive secrets (per-customer Slack tokens, Stripe customer IDs) are stored with column-level encryption via the application's encryption helper.
  • In transit. TLS 1.2+ everywhere. HSTS in production. The gateway uses signed envelopes for audit events; payloads are integrity-checked end-to-end.
  • Redaction. Tool-call payloads are redacted at the ingestion boundary. Customer PII inside agent outputs is stripped by the PII-block policy before logging.

Frameworks we map to

The audit ledger's control points are designed against the following control sets. Mapping reports are generated from the Audit tab's PDF export.

  • U.S. Treasury Financial Services AI Risk Management Framework
  • OWASP Top 10 for Large Language Model Applications
  • OWASP Top 10 for Agentic Apps
  • SOC 2 Type II (in progress; targeting Q4 2026)

Reporting a vulnerability

Email support@yelt.ai with subject prefix [security]. We'll acknowledge within 1 business day. We don't currently run a paid bounty; we credit reporters in the changelog when fixes ship.