Security Model

Aletheia is strongest when auth and retrieval scope are treated as first-class system boundaries.

Hosted platform guidance

  • Never trust payload scope alone.
  • Apply tenant and project claims before retrieval.
  • Keep audit logs for ingest, query, and delete.
  • Expose request IDs for traceability.
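
The query path these four points describe, as an added example rather than Aletheia's own code. The function names, claim shape (`sub`, `tenant`, `projects`), in-memory corpus and audit list are all assumptions, and token verification is assumed to have happened upstream.

```python
import uuid

# Constructed sample corpus; every record carries its owning tenant and project.
DOCS = [
    {"id": "d1", "tenant": "acme", "project": "search", "text": "rotate api keys quarterly"},
    {"id": "d2", "tenant": "acme", "project": "billing", "text": "api keys for invoices"},
    {"id": "d3", "tenant": "globex", "project": "search", "text": "globex api keys runbook"},
]
AUDIT_LOG = []  # stand-in for an append-only audit sink (hypothetical)


class ScopeError(Exception):
    """Payload asked for a scope the verified claims do not grant."""


def audit(request_id, action, claims, outcome, **detail):
    # One record per decision, keyed by the request ID returned to the caller.
    AUDIT_LOG.append({"request_id": request_id, "action": action,
                      "tenant": claims["tenant"], "subject": claims["sub"],
                      "outcome": outcome, **detail})


def handle_query(claims, payload, request_id=None):
    """claims: already-verified token claims (assumed shape: sub, tenant, projects).
    payload: untrusted request body; its scope fields can narrow, never widen."""
    request_id = request_id or str(uuid.uuid4())
    tenant = claims["tenant"]            # scope comes from auth, not the body
    allowed = set(claims["projects"])
    # A payload tenant that disagrees with the claim is rejected, not honoured.
    if payload.get("tenant", tenant) != tenant:
        audit(request_id, "query", claims, "denied", reason="tenant_mismatch")
        raise ScopeError(request_id)
    requested = set(payload.get("projects") or allowed)
    if not requested <= allowed:
        audit(request_id, "query", claims, "denied", reason="project_not_granted")
        raise ScopeError(request_id)
    # The scope filter runs before the search, so out-of-scope records
    # never enter the candidate set.
    candidates = [d for d in DOCS if d["tenant"] == tenant and d["project"] in requested]
    terms = payload["q"].lower().split()
    hits = [d["id"] for d in candidates if all(t in d["text"] for t in terms)]
    audit(request_id, "query", claims, "ok", projects=sorted(requested), hits=len(hits))
    return {"request_id": request_id, "hits": hits}
```

Ingest and delete handlers would take the same shape: resolve scope from claims, reject a mismatching payload, then write the audit record with the request ID.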

Release guidance

  • Publish checksums for downloadable binaries.
  • Prefer signatures for release artifacts.
  • Keep the OpenAPI contract versioned alongside engine releases.

Product guidance

The platform repo is where your public trust story should live:

  • docs
  • changelog
  • sign-up and login
  • API key management
  • status and release notes (later)