Proofmark · security posture · candid, not a packet

Built for the person whose job is to say no.

This is a one-page, honest account of how Proofmark is built and what it does not have yet, written for a security reviewer, before you have to ask. We are pre-launch, solo-founded, and not SOC 2 certified. What follows is architecture you can inspect, and the gaps stated plainly. The brand's rule is that every claim survives you reading the repo; this page holds itself to that.

published 2026-07 · 4 min read

What Proofmark reads, and how

SHIPPED

Read-only against source systems

Connectors request read-only OAuth scopes and never write back to Google Drive, Discord, or Slack. The one permitted write is posting a Review-Queue notification via bot: messaging, not source mutation.

invariant #6 · connectors/*

SHIPPED

Per-workspace tokens encrypted at rest

Connector tokens are Fernet-encrypted (services/secrets.py), never returned to a client or written to logs. The OAuth callback is session-less: it trusts an HMAC-signed, expiring state, not a cookie.

services/secrets.py · connector_oauth

Who can see what, checked twice

SHIPPED

Two-phase authorization on every result

Phase 1: an ACL-fingerprint pre-filter at retrieval. Phase 2: a per-item SpiceDB relationship check (ReBAC) on everything returned or cited. Nothing reaches a user or an agent unchecked: the same on the search path and the engine path.

invariant #5 · phase 2 requires SpiceDB configured

SHIPPED

Tenant isolation at the database

Every table carries tenant_id; request sessions run under Postgres row-level security via the app.tenant_id GUC. Request-path queries never run on a raw engine connection.

invariant #4 · get_db RLS

What agents get, and what they can't do

SHIPPED

Read-only MCP serving, every call audited, citations carry credentials

Agents read the record over MCP through the governance layer, never the engine directly, never with write access. Every tool call is recorded in the hash-chained audit log; skill reads refuse rather than skip the audit. Both authz phases run on everything returned or cited, and every citation carries its credential: badge, named attestor, date, version, and a link back to the source. Callers can narrow to verified-only.

mcp/server.py · read-only by design (no write tools exist)

Proving it wasn't tampered with

SHIPPED

Hash-chained audit log, independently verifiable

Each entry hashes the previous entry plus the actor, action, subject, the authorization snapshot, and the timestamp. A live endpoint recomputes the entire chain, so a forged or altered row fails verification: permission decisions are tamper-evident, not merely logged. Appends serialize per tenant so concurrent writers can't fork the chain.

GET /api/v1/admin/audit/verify · audit.py _entry_hash_v2

SHIPPED

Append-only by construction

The audit log, attestations, and knowledge-unit events have no UPDATE or DELETE code paths. Verified content is immutable per version: edits mint a new version through the single write path, they never overwrite in place.

invariants #1-#3

Raw source content & erasure

SHIPPED

Envelope-encrypted at rest; erasure is crypto-shred

Raw source never enters the retrieval engine. It lives in source_documents, envelope-encrypted per document (master key → per-tenant KEK → per-doc AES-GCM key). A right-to-erasure request destroys the key material and cascades to the derived units, compiled skills, and open proposals, unrecoverable from the live store. (Backup-immune erasure is the cloud-KMS opt-in, built but not yet validated live. See gaps.)

services/kms.py · source_storage.py · invariant #7

What we do not have yet, stated plainly

The gaps

GapStatus
SOC 2Not certified. Type I groundwork is a funded milestone, not a claim.
SSO / OIDC + SCIMBuilt, adversarially reviewed, mock-IdP tested, but no live Okta/Entra round-trip demonstrated. We don't say "works with Okta" yet.
Connectors live end-to-endGoogle Drive, Discord, Slack are built and unit-tested; a real OAuth-app + workspace round-trip hasn't been run.
Backup-immune erasureLive erasure is crypto-shred today; the cloud-KMS provider that makes it backup-immune is built behind a flag, not yet validated live.
Phase-2 permission checkRequires SpiceDB configured (as production deployments are). Say so in any security-register copy.
Company & teamPre-revenue, pre-launch, solo founder. The bus factor is real and named; first hires are post-raise.

The honest close

Most AI knowledge tools die in a vendor security review because they want broad read scopes, write access, and your trust. Proofmark is engineered the other way: read-only in, permissions checked twice, agents that can only read, an audit trail you can recompute, and erasure that destroys the key. It is not enterprise-certified yet, and this page says so. If your standard is "show me, don't tell me," the repo is the evidence, and that is the point of the whole product.

Proofmark reads read-only, checks permissions twice, and records every read in a hash-chained audit log.

Request access → Open the app →