TIA MCP Industrial automation MCP

Security posture

Crack-resistant, not unhackable

The security model is explicit about attacker capabilities. A determined local administrator can patch local checks, so authority, revocation, signing, and audit state stay server-side.

Server-authoritative access

Subscription, device, and GitHub-connected capabilities are represented by cloud state rather than local claims.

Signed entitlement documents

The desktop and MCP server can verify signed claims without receiving the signing private key.

Revocation-aware design

Offline access is bounded by an explicit window, trading usability for a known revocation delay.
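A sketch of how the signed-entitlement check and the offline window fit together, as an added example that is not the project's own code. The Ed25519 choice, the field names (`deviceId`, `issuedAt`, `plan`), the 72-hour window and the 5-minute skew allowance are all assumptions, since the page specifies none of them.

```javascript
const crypto = require('node:crypto');

// Assumed values; the page does not state a window or a skew allowance.
const OFFLINE_WINDOW_MS = 72 * 60 * 60 * 1000;
const CLOCK_SKEW_MS = 5 * 60 * 1000;

// Server side: the only place the private key exists.
function issueEntitlement(privateKey, claims) {
  const payload = Buffer.from(JSON.stringify(claims), 'utf8');
  const signature = crypto.sign(null, payload, privateKey); // null digest = Ed25519
  return { payload: payload.toString('base64'), signature: signature.toString('base64') };
}

// Desktop / MCP server side: holds the public key only.
function checkEntitlement(doc, publicKey, deviceId, nowMs) {
  const payload = Buffer.from(doc.payload, 'base64');
  const signature = Buffer.from(doc.signature, 'base64');
  // Verify the exact signed bytes before parsing anything out of them.
  if (!crypto.verify(null, payload, publicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(payload.toString('utf8'));
  if (claims.deviceId !== deviceId) return { ok: false, reason: 'wrong-device' };
  if (!Number.isFinite(claims.issuedAt) || claims.issuedAt > nowMs + CLOCK_SKEW_MS) {
    return { ok: false, reason: 'bad-issue-time' };
  }
  // Past the window the client must return to the server, where revocation
  // is enforced; this bounds how long a revoked grant keeps working offline.
  if (nowMs - claims.issuedAt > OFFLINE_WINDOW_MS) {
    return { ok: false, reason: 'offline-window-expired' };
  }
  return { ok: true, claims };
}

// Constructed demo data: one valid document, checked under four conditions.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const t0 = Date.UTC(2024, 0, 1);
  const base = { sub: 'user-1', deviceId: 'dev-A', plan: 'pro', issuedAt: t0 };
  const doc = issueEntitlement(privateKey, base);
  const edited = Buffer.from(JSON.stringify({ ...base, plan: 'enterprise' })).toString('base64');
  return {
    fresh: checkEntitlement(doc, publicKey, 'dev-A', t0 + 60_000),
    otherDevice: checkEntitlement(doc, publicKey, 'dev-B', t0 + 60_000),
    stale: checkEntitlement(doc, publicKey, 'dev-A', t0 + OFFLINE_WINDOW_MS + 1),
    edited: checkEntitlement({ ...doc, payload: edited }, publicKey, 'dev-A', t0 + 60_000),
  };
}
console.log(demo());
```

A local administrator can still patch this check or roll the system clock back, so it bounds the revocation delay for unmodified clients rather than replacing server-side authority.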

Renderer token boundary

Raw provider tokens do not belong in desktop renderer code, localStorage, logs, or MCP process arguments.

Separate GitHub grants

GitHub login identifies a user; GitHub product connection authorizes repository/product features.

Evidence-first operations

Smoke, security smoke, packaging, and deployment verification scripts write explicit evidence and skips.

| Control | Current phase | Security purpose |
| --- | --- | --- |
| OAuth separation | Designed, not implemented | Prevents GitHub login from silently becoming product repository authorization. |
| Signed entitlements | Designed, not implemented | Lets local components verify server-issued access claims without owning signing secrets. |
| No raw provider tokens in renderer | Required for desktop phase | Reduces exposure through logs, localStorage, devtools, and MCP arguments. |
| Evidence scripts | Implemented locally | Records what passed, what skipped, and what still requires external deployment. |