Security Overview
API Keys
Secrets Management
Network Security
Agent Sandboxing
Audit Logs

Security Overview

API Keys

Keys are hashed (SHA-256) before storage — never stored in plaintext
Each key has a unique prefix sx- for identification
Keys can be scoped per organization
Expiration dates supported

Secrets Management

Production secrets are managed via Azure Key Vault:

Database passwords
API keys for LLM providers
OAuth client secrets
Stripe keys

Network Security

All traffic over HTTPS/TLS (Azure Container Apps + Cloudflare)
Internal services communicate over the Azure Container Apps internal network (no public exposure)
The Orchestrator is internal-only — no direct public access

Agent Sandboxing

Agents run in sandboxed git worktrees:

Each agent has read/write access only to its own worktree
No access to host filesystem outside worktree
Commands are allowlisted: git, python, npm, cargo, go, make

Audit Logs

All agent actions are logged to ~/.synapsex/audit.jsonl:

{ "ts": "2026-04-06T12:00:00Z", "agent_id": "...", "action": "file_write", "path": "src/auth.py" }

Slack Integration Authentication