Security
Security
Submicron Central System is an internal local-first application. Authentication, RBAC checks, approval gates, and audit logs are implemented inside the application before any exter
Use this when a safety, approval, permission, or governance decision is involved.
Current posture
Submicron Central System is an internal local-first application. Authentication, RBAC checks, approval gates, and audit logs are implemented inside the application before any external production integrations are introduced.
Access control
- Better Auth sessions identify the active user.
- Role permissions gate module pages and server actions.
- Import workflows use explicit permissions such as
imports.view,imports.manage,imports.approve,imports.execute,migration.view,migration.manage,source_truth.view, andsource_truth.manage. - Navigation visibility is not treated as authorization; server-side page loaders and actions enforce permissions.
Data safety
- Real CRM and product export files must stay local.
- The ignored folders are
imports/local/andprivate-imports/. - Local/private CSV and XLSX patterns are ignored by Git.
- Production secrets must not be committed.
Integration boundaries
The current system must not add live Google Drive sync, Gmail, WhatsApp, WooCommerce, AI import agents, or other external service integrations until a future approved sprint explicitly scopes that work.
Import safety
Controlled imports are approval-gated and audit logged. Duplicate rows are skipped or linked for review; records are not auto-merged. Existing populated fields are not destructively overwritten.
Developer Details
- Source
- apps/docs/content/security.md
- Owner
- Module Owner
- Status
- Current
- Module
- Security
- Related route
- None