Security Posture

Protected where it matters. Honest where it is not magic.

The staffing OS uses Skyegate FS27 token exchange, HttpOnly sessions, admin role checks, protected record APIs, and gated document upload/download functions.

  • Admin APIs reject unauthenticated requests.
  • Admin role enforcement is handled by the backend functions.
  • Session cookies are HttpOnly and scoped to the staffing site.
  • Uploads enforce file type and size limits.
  • Do not collect regulated payroll, I-9, tax, medical, or background-check documents until retention and compliance are approved.
  • The live brain is authenticated, but the model endpoint must be configured before production use.
  • Government, insurance, certification, and legal claims must stay verified.

Proof

The protected records API was tested from both sides.

Authenticated operator requests returned summaries. Unauthenticated requests returned a Skyegate FS27 auth-required response.

Access check results:

  • 200: authenticated summary
  • 401: unauthenticated records API
  • PASS: secure file upload behind admin session
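To make the controls in the list above and the two-sided access check concrete, here is an added example: a small in-memory model of a protected records API and a gated upload endpoint, with the same status codes the check records. This is illustrative code written for this page, not the staffing OS's own code, and it does not call the Skyegate FS27 token exchange. The session store, cookie name, site domain, upload type list, and size limit are all assumptions or constructed sample values.

```python
"""Added example: in-memory model of the access controls described on this page.
Not the staffing OS's code; the Skyegate FS27 token exchange is not modelled.
The session store, cookie name, domain, type list and size limit are assumed."""
from dataclasses import dataclass, field

ALLOWED_UPLOAD_TYPES = {"application/pdf", "image/png", "image/jpeg"}  # assumed policy
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed 5 MiB limit
SESSION_COOKIE = "staffing_session"  # assumed cookie name
SITE_DOMAIN = "staffing.example"  # constructed placeholder domain

# Constructed session store: cookie value -> (user id, role). In a real system
# this is populated server-side after the token exchange, never by the client.
SESSIONS = {
    "sess-admin-1": ("u-100", "admin"),
    "sess-op-2": ("u-200", "operator"),
}


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    content_type: str = ""
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: str


def session_set_cookie(value: str) -> str:
    """Set-Cookie line for a session: HttpOnly keeps it away from page scripts,
    Secure limits it to TLS, and Domain/Path scope it to the staffing site."""
    return (f"{SESSION_COOKIE}={value}; HttpOnly; Secure; SameSite=Lax; "
            f"Domain={SITE_DOMAIN}; Path=/")


def current_session(req: Request):
    """Look the cookie up in the server-side store; unknown cookies are None."""
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))


def require_session(handler):
    """Any valid session may call the handler; missing/unknown session -> 401."""
    def wrapped(req):
        sess = current_session(req)
        if sess is None:
            return Response(401, "auth required")
        return handler(req, sess)
    return wrapped


def require_admin(handler):
    """Role check done in the backend function: no session -> 401, non-admin -> 403."""
    def wrapped(req):
        sess = current_session(req)
        if sess is None:
            return Response(401, "auth required")
        if sess[1] != "admin":
            return Response(403, "admin role required")
        return handler(req, sess)
    return wrapped


@require_session
def records_summary(req, sess):
    # Constructed summary; real data would come from the records store.
    return Response(200, f"summary for {sess[0]}: 3 records")


@require_admin
def upload_document(req, sess):
    # Upload gating: declared type and actual size are both checked server-side.
    if req.content_type not in ALLOWED_UPLOAD_TYPES:
        return Response(415, "unsupported file type")
    if len(req.body) > MAX_UPLOAD_BYTES:
        return Response(413, "file too large")
    return Response(201, f"stored {len(req.body)} bytes for {sess[0]}")


def access_check() -> dict:
    """The 'tested from both sides' check: a name -> status table over constructed requests."""
    admin = {SESSION_COOKIE: "sess-admin-1"}
    operator = {SESSION_COOKIE: "sess-op-2"}
    pdf = b"%PDF-1.4 constructed sample"
    return {
        "authenticated summary": records_summary(Request(cookies=operator)).status,
        "unauthenticated records API": records_summary(Request()).status,
        "admin upload, allowed type": upload_document(
            Request(cookies=admin, content_type="application/pdf", body=pdf)).status,
        "operator upload": upload_document(
            Request(cookies=operator, content_type="application/pdf", body=pdf)).status,
        "admin upload, oversize": upload_document(
            Request(cookies=admin, content_type="application/pdf",
                    body=b"x" * (MAX_UPLOAD_BYTES + 1))).status,
        "admin upload, disallowed type": upload_document(
            Request(cookies=admin, content_type="application/x-msdownload", body=b"MZ")).status,
        "unauthenticated upload": upload_document(
            Request(content_type="application/pdf", body=pdf)).status,
    }


if __name__ == "__main__":
    for name, status in access_check().items():
        print(f"{status} {name}")
    print(session_set_cookie("sess-admin-1"))
```

The point of the two decorators is that the role decision lives in the backend function, so a client cannot reach the upload path by presenting a valid but non-admin session: it gets 403, while a missing session gets the same 401 the records API returns.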