Security & access control

Roles, permissions, synthetic safety, Mender governance, and tenant isolation for Molar Guard.

Molar Guard holds a GitHub App key that can read and write your repositories, runs synthetic users against live production (including payment paths), and executes an autonomous LLM agent (Mender) that opens code PRs. Security rigor matches CI/CD infrastructure providers — not typical low-stakes SaaS.

Trust center: contact support@molar.it for SOC 2 report and security questionnaire.


Threat model summary

Risk | Mitigation
--- | ---
GitHub App key compromise | Secrets manager only; never in git; short-lived installation tokens
Real charges from synthetics | Defense-in-depth: is_synthetic DB column + middleware + test Stripe keys
Mender writes malicious code | Forbidden paths, sandbox validation, human merge required, audit log
Cross-tenant data leak | Every query scoped by org_id; IDOR tests on all endpoints
Webhook forgery | HMAC-SHA256 + replay dedup + timestamp skew

Human roles

Guard inherits platform RBAC via Better Auth + @molar/auth-core.

Role | Typical holder | Key permissions
--- | --- | ---
Owner | Founder, VP Eng | Everything including billing, GitHub install, delete org
Admin | DevEx lead | Settings, schedules, Mender paths, members (not billing)
Maintainer | Engineer | Run scenarios, ack incidents, reject Mender, edit scenarios via PR
Viewer | PM, support | Read dashboards and incidents; no mutations
Billing Manager | Finance | Plan tier and Mender budget; no artifact access

Permissions highlights

Action | Owner | Admin | Maintainer | Viewer
--- | --- | --- | --- | ---
GitHub App install ⚠️
Make check required
Scheduled checks CRUD
Ack / suppress incident
Mender apply → PR
Mender forbidden paths ⚠️ cannot widen defaults
Audit log export
API key create/revoke

Cross-org access is denied for all roles.


Machine identities

Identity | Scope
--- | ---
GitHub App (molar-guard[bot]) | Per-installation; checks + PR comments + read contents
Mender bot (molar-mender[bot]) | contents:write on fix branches only
Region worker | Workload identity (IAM/OIDC); no static shared secrets
MCP agent credential | Scoped to single org; molar.rerun gated by capability flag

Revoke GitHub access by uninstalling the app or removing repos — Guard reconciles on installation webhooks immediately.


Session & API security

  1. Never store session tokens in localStorage / sessionStorage
  2. HttpOnly + Secure + SameSite cookies for browser sessions
  3. CSRF protection on cookie-authenticated mutating /v1 calls from dashboard
  4. Next.js middleware on monitoring, Mender, and settings routes
  5. Safe redirect validation on next query params after login
  6. API keys are hashed at rest; shown once at creation

MCP and CI use Bearer tokens, not dashboard cookies.


Synthetic safety (production)

Before enabling production schedules:

Mandatory controls

  1. Analytics filter acknowledgement — confirm synthetic users are excluded from your analytics and billing exports
  2. Synthetic middleware installed in your app
  3. is_synthetic column on users table + filtered analytics views
  4. Three request signals minimum: X-Synthetic-Source, client __MOLAR_SYNTHETIC__, DB flag

Money-flow blocking

Never rely on a single signal. Guard ships middleware that:

  • Swaps Stripe SDK to test keys for synthetic users
  • Routes Twilio to test credentials or Clone
  • Sinks email to Email Clone
  • Prefixes S3 uploads to _molar_synthetic/

MolarDestructiveCallError throws if PR-context code calls live api.stripe.com with live keys.
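The signal evaluation and money-flow guard described above, as an added example (not Guard's shipped middleware): the three signals are evaluated independently, any one of them moves the request to test Stripe keys, disagreement between them is surfaced, and a live-key call to api.stripe.com from a synthetic request raises MolarDestructiveCallError. The X-Synthetic-Source header value, the key placeholders and the user row shape are assumptions.

```javascript
// Added example, not Guard's own code. Header value, key placeholders and the
// user object shape are assumptions made for this illustration.
class MolarDestructiveCallError extends Error {
  constructor(message) { super(message); this.name = "MolarDestructiveCallError"; }
}

// Constructed placeholders; real keys live in the secrets manager.
const STRIPE_KEYS = { live: "sk_live_PLACEHOLDER", test: "sk_test_PLACEHOLDER" };

// headers: lowercase header names; clientSynthetic: the __MOLAR_SYNTHETIC__
// marker forwarded by the app's client; user: the row loaded from the users table.
function classifyRequest({ headers = {}, clientSynthetic = false, user = null }) {
  const signals = {
    header: headers["x-synthetic-source"] === "molar-guard", // assumed value
    client: clientSynthetic === true,
    db: Boolean(user && user.is_synthetic),                  // is_synthetic column
  };
  const hits = Object.values(signals).filter(Boolean).length;
  // Fail safe for money flows: one signal is enough to go synthetic. Disagreement
  // is reported so a missing flag or middleware gets fixed rather than trusted.
  return { signals, synthetic: hits > 0, consistent: hits === 0 || hits === 3 };
}

function selectStripeKey(ctx) {
  return ctx.synthetic ? STRIPE_KEYS.test : STRIPE_KEYS.live;
}

// Wrap outbound Stripe calls: a live key against api.stripe.com from a synthetic
// request is a destructive call and must never reach the network.
function guardedStripeCall(ctx, url, apiKey) {
  const host = new URL(url).host;
  if (ctx.synthetic && host === "api.stripe.com" && apiKey.startsWith("sk_live_")) {
    throw new MolarDestructiveCallError(`live Stripe call blocked in synthetic context: ${url}`);
  }
  // Stand-in for the real SDK call; returns what would be dispatched.
  return { host, mode: apiKey.startsWith("sk_test_") ? "test" : "live" };
}
```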

Cleanup

Synthetic data retention templates (7-day default) — customer runs cleanup SQL on their schedule.


Mender governance

Control | Detail
--- | ---
Human-in-the-loop | Mender never merges
Forbidden paths | auth, payment, security, migrations by default
Sandbox validation | Patch must pass scenario in Docker + Clones before PR opens
Prompt injection defense | Scenario files, DOM, HAR treated as untrusted; size-bounded context
Token budget | Per-org monthly cap; circuit breaker at 3 attempts/scenario/24h
Audit trail | Immutable mender_attempts + export

Rejecting a Mender PR stores mender_rejections for RLHF — no customer code shared cross-org without opt-in.
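A gate that applies the governance controls in the table above before a Mender patch proceeds to sandbox validation, as an added example (not Mender's code): default forbidden paths that customers can extend but not narrow, the 3 attempts/scenario/24h circuit breaker, and the per-org token budget. Field names on the org and attempt records are assumptions.

```javascript
// Added example, not Mender's own code. Org/attempt field names are assumptions.
const DEFAULT_FORBIDDEN = ["auth", "payment", "security", "migrations"];
const MAX_ATTEMPTS = 3;                   // circuit breaker: attempts per scenario
const WINDOW_MS = 24 * 60 * 60 * 1000;    // ...within 24h

// A file is forbidden if any directory segment of its path matches a forbidden
// name, so src/auth/session.ts and db/migrations/001.sql are both blocked.
function touchesForbiddenPath(files, forbidden) {
  return files.filter(f => f.split("/").slice(0, -1).some(seg => forbidden.includes(seg)));
}

// Customer config can only add to the defaults, never remove from them.
function effectiveForbidden(extra) {
  return [...new Set([...DEFAULT_FORBIDDEN, ...extra])];
}

function circuitOpen(attempts, scenarioId, now) {
  const recent = attempts.filter(a => a.scenarioId === scenarioId && now - a.at <= WINDOW_MS);
  return recent.length >= MAX_ATTEMPTS;
}

// Returns { allowed, reason, ... }. A rejected patch never reaches the sandbox;
// an allowed one still needs sandbox validation and a human merge afterwards.
function gatePatch({ org, scenarioId, files, tokensEstimate, attempts, now = Date.now() }) {
  const forbidden = effectiveForbidden(org.extraForbidden || []);
  const blocked = touchesForbiddenPath(files, forbidden);
  if (blocked.length) return { allowed: false, reason: "forbidden_path", files: blocked };
  if (circuitOpen(attempts, scenarioId, now)) return { allowed: false, reason: "circuit_breaker" };
  if (org.tokensUsed + tokensEstimate > org.tokenBudget) {
    return { allowed: false, reason: "token_budget" };
  }
  return { allowed: true, reason: null, next: "sandbox_validation" };
}
```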


Tenant isolation

Every resource is org-scoped:

  • Postgres queries: WHERE org_id = :currentOrg
  • Redis keys: guard:{orgId}:…
  • BullMQ queues: per-installation partition
  • Artifact paths: s3://…/guard/{orgId}/{runId}/…
  • Signed URLs: scoped to single run + action

Cross-tenant access is a Sev-1 incident by policy.


Webhook security

Inbound (GitHub): HMAC-SHA256, delivery ID dedup (24h), 25 MB body limit, 10-minute clock skew.

Outbound (alerts): Shared secret HMAC optional; use HTTPS endpoints only.

Signed URL actions (PR Approve/Reject): One-shot JWT, short TTL, bound to attemptId + orgId.


Secrets management

Secret | Storage
--- | ---
GitHub App private key | AWS Secrets Manager / Vault — not plaintext env on disk
API keys | Hashed in Postgres
BYOK LLM keys | Encrypted integration row; never in logs or BullMQ payloads
Webhook secrets | Env / secrets manager

Rotate keys via dashboard Settings → API keys and GitHub App settings.


Data classification

Data | Sensitivity | Retention
--- | --- | ---
Customer source (via GitHub) | Crown jewels | Duration of install
Run artifacts (screenshots, HAR, video) | May contain PII from UI | Plan-based; configurable
Mender prompts/responses | Confidential | Audit log retention policy
Audit events | Compliance | 1 year minimum

Guard is not in PCI cardholder scope (Stripe is processor) but handles credentials to customer production systems.


Compliance

  • SOC 2 Type II — target for enterprise customers (report on request)
  • Subprocessors — listed in trust documentation
  • GDPR — data export/deletion via support; org deletion workflow in API
  • Penetration testing — annual third-party cadence

Security contacts

Channel | Use
--- | ---
support@molar.it | General security questions
Security disclosure | Responsible disclosure via support (PGP on request)

Hardening checklist for admins

  • Minimum two Owners per org
  • API keys scoped to least privilege; rotate quarterly
  • Production monitoring: analytics ack + middleware verified
  • Mender forbidden paths reviewed for your repo layout
  • Branch protection requires human review on molar-mender PRs
  • Alert webhooks use HTTPS + signature verification
  • Viewer role used for stakeholders who should not ack incidents
