Security
Public website, protected runtime, no plaintext secrets.
Product pages, docs, pricing, downloads, and the commercial portal are public-facing. Customer console, settings, report exports, evidence, gate mutations, production artifacts, and customer runtime data stay in the protected self-hosted runtime.
Public
Website, pricing, docs, changelog, status, trial installer, commercial portal, and public OpenAPI reference.
Protected
Customer console, settings, API tokens, report exports, evidence records, connector config, policies, and runtime audit trails.
Secret rules.
Never commit plaintext secrets, kubeconfigs, registry passwords, or OIDC client secrets.
Console settings show secret-backed status only, never values.
The pipeline starts in shadow mode before advisory or enforce mode.
Customer owner billing surface is separate from customer runtime.
Security controls
| Control | Applies to | Expected behavior |
|---|---|---|
| Public route split | Website, docs, pricing, download, changelog, login entry | Public content only. No customer runtime state or private evidence. |
| Commercial portal | /portal on releasepassport.com | Subscription, checkout, license, package/download access, and billing handoff only. |
| Protected customer runtime | /console, /settings, /account, report exports, passport detail on customer domain | Requires customer session and workspace membership. |
| Token-gated mutation | Gate evaluation and evidence ingestion | Bearer tokens are scoped and fail closed when missing or invalid. |
| Secret-backed config | OIDC, payment provider, registry, connector tokens, database, storage | UI shows status only; values stay in env/SOPS/secret manager. |
| Webhook signature | Payment provider billing webhook | Only signed successful payment events can activate production entitlement. |
| Sanitized reports | JSON, CSV, Markdown exports | No tokens, kubeconfigs, private keys, payment keys, or raw secret values. |
| Scoped connectors | Orchestration, metrics, logs, CI/CD/GitOps, incidents/errors | Read only configured namespaces, projects, apps, queries, jobs, services, and release scopes. |
| Owner separation | Billing/license/package entitlement | Owner app is not installed in customer self-hosted package. |
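The webhook rule in the table, as an added example that is not the product's own code: entitlement activates only when the event is both correctly signed and a successful payment, and every other path fails closed. The page does not name the payment provider or its signing scheme, so HMAC-SHA256 over the raw body, a hex signature, and the `type`/`status` field names and values are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumptions (not from the page): HMAC-SHA256 over the raw request body,
# hex-encoded signature, and the event fields/values below. Providers differ.
ACTIVATING_TYPE = "payment.succeeded"   # hypothetical event type
ACTIVATING_STATUS = "paid"              # hypothetical status value


def sign(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 of the raw body (also builds the samples)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def should_activate_entitlement(secret: bytes, body: bytes,
                                signature: Optional[str]) -> bool:
    """Return True only for a correctly signed, successful payment event.

    Missing secret or signature, a bad signature, malformed JSON, or a
    non-success event all return False, so the caller fails closed.
    """
    if not secret or not signature:
        return False
    expected = sign(secret, body).encode("ascii")
    supplied = signature.strip().lower().encode("utf-8", "replace")
    # Constant-time comparison, done before the untrusted body is parsed.
    if not hmac.compare_digest(expected, supplied):
        return False
    try:
        event = json.loads(body)
    except ValueError:          # includes invalid UTF-8 and invalid JSON
        return False
    if not isinstance(event, dict):
        return False
    return (event.get("type") == ACTIVATING_TYPE
            and event.get("status") == ACTIVATING_STATUS)


# Constructed sample inputs (not real provider payloads or secrets).
SECRET = b"constructed-test-secret"
PAID = json.dumps({"type": "payment.succeeded", "status": "paid"}).encode()
FAILED = json.dumps({"type": "payment.failed", "status": "failed"}).encode()
```

The signature is checked against the raw bytes as received; re-serializing the parsed JSON before verifying would change the bytes and break the comparison.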
