walospublic

Security

This page summarizes the security controls that are implemented in the current Walos codebase today. It is intentionally narrower than a compliance or uptime statement.

Authentication

  • • Privy powers the primary hosted sign-in flow for the web app
  • • Server-side auth checks verify Privy-backed session state before protected pages render
  • • API keys are project-scoped and can be revoked independently of user login sessions

Credential Handling

  • • API keys are stored as scrypt hashes instead of plaintext
  • • Sensitive runtime secrets stay in environment variables and are excluded from source control
  • • Current security conventions and tradeoffs are documented in the repository security notes

Request Protections

  • • App Router responses set a managed Content Security Policy in middleware
  • • Server actions and request boundaries validate inputs before mutating state
  • • Query-gateway traffic is subject to request quotas and rate limiting

Current Scope

  • • Organizations, projects, and environments are modeled as separate control-plane boundaries
  • • Public uptime monitoring and incident feeds are still being rolled out
  • • This page intentionally summarizes controls that are implemented in the current codebase today
Reporting a vulnerability

If you discover a security issue, please email security@walos.xyz. We take all reports seriously.