Security Posture
I keep the protected rooms protected, and I do not fake what is not ready.
I built the security story around the Skyegate FS27 gate, HttpOnly sessions, admin role checks, protected record APIs, upload vault rules, proof receipts, and honest limits.
- Admin APIs reject unauthenticated requests.
- Admin role enforcement is handled by the backend functions.
- Session cookies are HttpOnly and scoped to the staffing site.
- Uploads enforce file type and size limits.
- Do not collect regulated payroll, I-9, tax, medical, or background-check documents until retention and compliance are approved.
- The live brain is authenticated, but the model endpoint must be configured before production use.
- Government, insurance, certification, and legal claims must stay verified.
Proof
We test the gate from both sides before we call it protected.
Authenticated operators can enter the command room. Unauthenticated requests hit the Skyegate FS27 gate and stay outside the records route.
200 authenticated summary
401 unauthenticated records API
PASS secure file upload behind admin session