This is a one-page, honest account of how Proofmark is built and what it does not have yet, written for a security reviewer, before you have to ask. We are pre-launch, solo-founded, and not SOC 2 certified. What follows is architecture you can inspect, and the gaps stated plainly. The brand's rule is that every claim survives you reading the repo; this page holds itself to that.
Connectors request read-only OAuth scopes and never write back to Google Drive, Discord, or Slack. The one permitted write is posting a Review-Queue notification via bot: messaging, not source mutation.
invariant #6 · connectors/*
Connector tokens are Fernet-encrypted (services/secrets.py),
never returned to a client or written to logs. The OAuth callback is session-less: it
trusts an HMAC-signed, expiring state, not a cookie.
services/secrets.py · connector_oauth
Phase 1: an ACL-fingerprint pre-filter at retrieval. Phase 2: a per-item SpiceDB relationship check (ReBAC) on everything returned or cited. Nothing reaches a user or an agent unchecked: the same on the search path and the engine path.
invariant #5 · phase 2 requires SpiceDB configured
Every table carries tenant_id; request sessions run under
Postgres row-level security via the app.tenant_id GUC. Request-path
queries never run on a raw engine connection.
invariant #4 · get_db RLS
Agents read the record over MCP through the governance layer, never the engine directly, never with write access. Every tool call is recorded in the hash-chained audit log; skill reads refuse rather than skip the audit. Both authz phases run on everything returned or cited, and every citation carries its credential: badge, named attestor, date, version, and a link back to the source. Callers can narrow to verified-only.
mcp/server.py · read-only by design (no write tools exist)
Each entry hashes the previous entry plus the actor, action, subject, the authorization snapshot, and the timestamp. A live endpoint recomputes the entire chain, so a forged or altered row fails verification: permission decisions are tamper-evident, not merely logged. Appends serialize per tenant so concurrent writers can't fork the chain.
GET /api/v1/admin/audit/verify · audit.py _entry_hash_v2
The audit log, attestations, and knowledge-unit events have no UPDATE or DELETE code paths. Verified content is immutable per version: edits mint a new version through the single write path, they never overwrite in place.
invariants #1-#3
Raw source never enters the retrieval engine. It lives in
source_documents, envelope-encrypted per document (master key → per-tenant
KEK → per-doc AES-GCM key). A right-to-erasure request destroys the key material and
cascades to the derived units, compiled skills, and open proposals, unrecoverable from
the live store. (Backup-immune erasure is the cloud-KMS opt-in, built but not yet
validated live. See gaps.)
services/kms.py · source_storage.py · invariant #7
| Gap | Status |
|---|---|
| SOC 2 | Not certified. Type I groundwork is a funded milestone, not a claim. |
| SSO / OIDC + SCIM | Built, adversarially reviewed, mock-IdP tested, but no live Okta/Entra round-trip demonstrated. We don't say "works with Okta" yet. |
| Connectors live end-to-end | Google Drive, Discord, Slack are built and unit-tested; a real OAuth-app + workspace round-trip hasn't been run. |
| Backup-immune erasure | Live erasure is crypto-shred today; the cloud-KMS provider that makes it backup-immune is built behind a flag, not yet validated live. |
| Phase-2 permission check | Requires SpiceDB configured (as production deployments are). Say so in any security-register copy. |
| Company & team | Pre-revenue, pre-launch, solo founder. The bus factor is real and named; first hires are post-raise. |
Most AI knowledge tools die in a vendor security review because they want broad read scopes, write access, and your trust. Proofmark is engineered the other way: read-only in, permissions checked twice, agents that can only read, an audit trail you can recompute, and erasure that destroys the key. It is not enterprise-certified yet, and this page says so. If your standard is "show me, don't tell me," the repo is the evidence, and that is the point of the whole product.
Proofmark reads read-only, checks permissions twice, and records every read in a hash-chained audit log.
Request access → Open the app →