Security
Security-first provisioning
Every design decision in Bootstrap SaaS prioritizes safety. From token cryptography to runtime isolation, here is how we protect your infrastructure.
Security properties
Token design
Provisioning tokens are the primary security boundary. Each token is:
- [1] Single-use. Once consumed by a machine, the token is invalidated immediately. Reuse is impossible.
- [2] Time-bound. Tokens expire after a configurable TTL (default 1 hour). Expired tokens are rejected at the edge before reaching the database.
- [3] JWT-signed. Claims are signed with RS256. The public key is rotated automatically and verified on every token validation request.
Data at rest
All persistent data lives in Cloudflare D1, a SQLite-based edge database. D1 encrypts data at rest using AES-256-GCM. In addition:
- ✓Token values are never stored in plaintext — only a SHA-256 fingerprint is kept for correlation.
- ✓Credential material (SSH keys, API tokens) is encrypted with a per-user key before storage.
- ✓Database backups are encrypted and retained for 7 days.
Audit trail
Every significant action generates an immutable audit event:
Token minted
Actor, profile, TTL, timestamp
Run started
Machine, token fingerprint, IP
Profile updated
User, diff summary, version
Auth event
Login, logout, provider
Safe allowlist
The agent only writes to a strict allowlist of paths. Arbitrary file system access is not permitted:
# Allowed paths
✓ ~/.config/
✓ ~/.ssh/
✓ ~/.zshrc, ~/.bashrc
✓ ~/.local/bin/
# Blocked paths
✗ /etc/*, /usr/*, /opt/*
✗ Arbitrary absolute paths
Edge isolation
The control plane runs on Cloudflare Workers, a V8-isolate runtime. Each request is handled in a fresh, sandboxed isolate with no shared state between tenants.
- ✓No long-lived processes or containers.
- ✓No filesystem access from the Worker.
- ✓Network egress restricted to public addresses only.
- ✓Request-level rate limiting prevents abuse.