Chatterfly
Security & Enterprise

Security you can audit

Chatterfly was designed with security as a first principle: per-tenant key derivation, append-only audit trails, short-lived scoped tokens, and a system architecture that makes cross-tenant mistakes structurally hard.

Core security controls

AES-256-GCM encryption

Every integration credential is encrypted with AES-256-GCM using a random nonce. Plaintext never reaches the database.

Per-tenant key derivation

Encryption keys are derived via HKDF-SHA256 from a master key using tenant ID as context. A compromise of one tenant's data does not expose another's.

JWT with JTI revocation

Short-lived access tokens (15 min) paired with 7-day refresh tokens. Every token carries a JTI that can be individually revoked. Silent rotation keeps sessions seamless.

Four-tier RBAC

Owner → Admin → Member → Viewer. Every API endpoint enforces a minimum role at the middleware layer. Role checks also live at the query layer.

Native multi-tenancy

Every table carries a non-nullable tenant_id foreign key. All queries are scoped at code generation time — cross-tenant reads are structurally impossible.

Append-only audit trail

PostgreSQL RULE-level enforcement blocks DELETE and UPDATE on the run timeline — even a compromised application account can't erase history. SHA-256 hash chain provides tamper evidence.

Rate limiting on all entry points

Token-bucket rate limiting on auth endpoints (10 req/min/IP), management API (per-tenant RPM quota), and public survey endpoints (configurable per deployment).

Zero-downtime key rotation

JWT_SECRET_PREVIOUS enables rolling key rotation without session invalidation. A re-encryption tool handles credential key rotation.

Scoped participant tokens

Human-in-the-loop reviewers receive a short-lived JWT scoped to a single workflow run and single role. One-time WebSocket upgrade tickets expire in 30 seconds.

Enterprise feature set

Everything included, no add-ons required

Identity & Access

  • OAuth 2.0 via GitHub and Google (extensible)
  • Password login with bcrypt hashing
  • JWT access tokens (15 min) + refresh tokens (7 day, silent rotation)
  • API key authentication — SHA-256 hashed, prefix-masked, revocable
  • Four-tier RBAC: owner / admin / member / viewer
  • Platform admin role for cross-tenant administration

Data Protection

  • AES-256-GCM encryption for all integration credentials
  • Per-tenant HKDF-SHA256 key derivation
  • Credentials never returned in API responses
  • Credential role scoping: platform / caller / participant
  • bcrypt password hashing
  • Zero dangerouslySetInnerHTML / eval() — XSS-free frontend

Audit & Compliance

  • audit_log table: tenant, user, action, resource, IP, metadata
  • run_timeline hash-chain integrity (SHA-256, per-step sequence)
  • Chain verification endpoint: GET /runs/:id/verify-chain
  • DB-level append-only enforcement via PostgreSQL RULEs
  • HITL session message log with full history
  • chi middleware.RequestID propagation for request tracing

Tenant Isolation

  • tenant_id FK on every resource table — enforced at DB level
  • All generated queries include AND tenant_id = $N
  • Middleware-enforced tenant resolution on every request
  • Cross-tenant mutations blocked at middleware and query layers
  • Teams model for group-level access delegation within tenants

Operational Security

  • HTTP server timeouts: Read 15s / Write 15s / Idle 60s
  • Rate limiting: auth (10/min/IP), management (per-tenant RPM), survey (configurable token-bucket)
  • OpenAPI import body size capped at 5 MB
  • ALLOW_DEV_AUTH bypass disabled in production
  • Zero-downtime JWT key rotation via JWT_SECRET_PREVIOUS
  • Credential re-encryption tooling (cmd/reencrypt)