Security

How we protect your manuscripts, and how to disclose a vulnerability responsibly.

Defense in depth

Every /api/* request goes through six independent layers. Failure of any one layer doesn't fail the system; failure of all six is what would.

1. Edge. Cloudflare-class WAF in production: bot fight mode, IP reputation, JA3 anomaly screening.
2. Request shape. Method allowlist per route family, body-size cap (4 KB to 64 KB depending on route), Content-Type enforcement, same-origin check on mutating routes.
3. Identity. Signed first-party cookies (HMAC-SHA-256 over a server-only secret). Authed sessions are server-rows; revoke cookie + revoke row.
4. Quota. Sliding-window per-cohort token bucket. Demo cohort has hard lifetime caps. Authed cohorts have per-minute / per-hour / per-day windows that scale with tier.
5. Behavioral. Honeypot fields, velocity heuristics (5+ LLM calls in 10 seconds = suspicious), repeat-prompt scrape detection, 24-hour cookie+IP bans on detection.
6. Cost circuit-breaker. A global daily Anthropic spend tally. When the cap (default $20/day, env-tunable) is reached, every LLM-bound route returns 503 with Retry-After until UTC midnight. The only deterministic guarantee that the bill cannot blow up overnight.

At-rest encryption

Provider keys (BYOK), OAuth access tokens, and any other secret stored in the database are encrypted with AES-256-GCM using a server-only keyring derived from SPINE_KEYRING_SECRET. Each ciphertext is independently authenticated (random IV per encryption). The plaintext never touches disk.

Transport

Production deploys must terminate TLS at the edge. Cookies are HttpOnly + SameSite=Lax + Secure in production. We recommend Strict-Transport-Security with at least a 6-month max-age; the deploy guide includes the recommended header set.

Auth + abuse

Passwords are hashed with scrypt (N=2^17, r=8, p=1). Login responses are constant-time-ish: a missing email still triggers a hash comparison so an attacker can't enumerate accounts by timing. Magic-link tokens are stored as SHA-256 hashes; the raw token is only in the email and the URL fragment. OAuth uses PKCE; the state cookie is HMAC-signed.

Disclose responsibly

If you find a vulnerability, please email support@rodyr.com. Acceptable proof-of-concept: a written description with reproduction steps. Please do not exfiltrate other users' data, leave persistent backdoors, or publish before we've patched. We commit to:

• Acknowledge within 72 hours.
• Triage and assign a severity within 7 days.
• Patch and deploy within 30 days for high/critical issues; longer for low-severity.
• Credit you in the changelog with your consent.

We don't yet run a paid bounty program; we'll mention you in the release notes and send Spine swag. Out-of-scope: social-engineering attacks against staff, denial-of-service tests against production, and physical-security probes.

Spine by Argonode Studio · A brand of Rodyr, Inc. · Registered office: 1111B S Governors Ave Suite 55111, Dover, DE 19904, United States.