Security

Security

Submicron Central System is an internal local-first application. Authentication, RBAC checks, approval gates, and audit logs are implemented inside the application before any exter

Use this when...

Use this when a safety, approval, permission, or governance decision is involved.

Current posture

Submicron Central System is an internal local-first application. Authentication, RBAC checks, approval gates, and audit logs are implemented inside the application before any external production integrations are introduced.

Access control

  • Better Auth sessions identify the active user.
  • Role permissions gate module pages and server actions.
  • Import workflows use explicit permissions such as imports.view, imports.manage, imports.approve, imports.execute, migration.view, migration.manage, source_truth.view, and source_truth.manage.
  • Navigation visibility is not treated as authorization; server-side page loaders and actions enforce permissions.

Data safety

  • Real CRM and product export files must stay local.
  • The ignored folders are imports/local/ and private-imports/.
  • Local/private CSV and XLSX patterns are ignored by Git.
  • Production secrets must not be committed.

Integration boundaries

The current system must not add live Google Drive sync, Gmail, WhatsApp, WooCommerce, AI import agents, or other external service integrations until a future approved sprint explicitly scopes that work.

Import safety

Controlled imports are approval-gated and audit logged. Duplicate rows are skipped or linked for review; records are not auto-merged. Existing populated fields are not destructively overwritten.

Developer Details
Source
apps/docs/content/security.md
Owner
Module Owner
Status
Current
Module
Security
Related route
None