Security
Joule Atelier is built around three rules: keep secrets in the OS keychain, isolate tenants at the database layer, and make every privileged action auditable.
Tenant isolation
Every tenant-scoped row in our Aurora-backed cloud carries an org_id column with a row-level security policy. Application handlers run inside a session that sets app.current_org_id from a verified WorkOS-issued JWT — there is no in-memory filtering that could be bypassed.
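One way a policy like the one described above can be written, as an added example that is not Joule Atelier's own schema. It assumes PostgreSQL-compatible Aurora; the `projects` table, the `app_rw` role and the `uuid` type are hypothetical, and only `org_id` and `app.current_org_id` come from this page.

```sql
-- Added example. Assumptions: PostgreSQL-compatible Aurora; the table
-- "projects", role "app_rw" and the uuid column type are hypothetical.
CREATE TABLE projects (
    id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id uuid   NOT NULL,
    name   text   NOT NULL
);

-- The application connects as a role that is neither superuser nor
-- BYPASSRLS; both of those skip row-level security entirely.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_rw;

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK
-- rejects rows written for a different org. NULLIF turns an unset or
-- reset setting ('' after a transaction-local set) into NULL, so the
-- comparison is never true and the policy fails closed.
CREATE POLICY tenant_isolation ON projects
    USING (
        org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid
    )
    WITH CHECK (
        org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid
    );

-- Per request, after the handler has verified the JWT: bind the org to
-- this transaction only (third argument true = transaction-local), so a
-- pooled connection cannot carry one tenant's id into the next request.
BEGIN;
SELECT set_config('app.current_org_id',
                  '00000000-0000-0000-0000-000000000001',  -- constructed id
                  true);
INSERT INTO projects (org_id, name)
VALUES ('00000000-0000-0000-0000-000000000001', 'alpha');
SELECT id, name FROM projects;
COMMIT;
```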
Credential storage
- BYOK API keys: stored in your OS keychain (macOS Keychain, Windows Credential Manager, libsecret).
- Cloud database credentials: AWS Secrets Manager with IAM-scoped access; least-privilege service roles.
- Webhook signing secrets: HMAC-SHA256 verification with constant-time comparison.
- No long-lived credentials in the desktop app or CLI; every call carries a short-lived device token.
Network
Every public endpoint is TLS 1.2+ via ACM, behind an ALB. Local MCP servers communicate over stdio only — there is no network listener on your machine. The hook bridge listens on a Unix domain socket with file permissions scoped to your user.
Audit logging
Every mutation, blocked tool call, and policy decision is recorded in an append-only audit log scoped to your org. Audit export is available on Enterprise. We never collect prompt or response bodies in the cloud unless you explicitly enable cloud reflections.
Responsible disclosure
Found something? Email security@jouleatelier.com with reproducer steps. We acknowledge within 48 hours and credit you in the release notes if you’d like.