PRAXIS by TACITUS

Updated 2026-05-31

Security

Security posture, reporting channel, and launch-readiness baseline for PRAXIS.

This page states the current PRAXIS beta operating posture. Enterprise-specific terms, residency, or procurement language require a separate written agreement.

Security Baseline

PRAXIS keeps provider keys, Firebase Admin credentials, cookie-signing secrets, user-key master secrets, and billing secrets server-side only.

The production boundary consists of Next.js on Cloud Run, private backend services, Firebase Auth, Firestore and Storage security rules, Cloud SQL for runtime ledgers, Secret Manager, and service-to-service OIDC.

User API Keys

User-supplied provider credentials are handled through server-side API routes and encrypted storage. Status APIs must not return plaintext secrets.

If any provider credential is exposed, rotate it immediately and report the exposure.

Reporting

Report suspected vulnerabilities to security@tacitus.me with reproduction steps, affected routes, and expected impact.

Critical reports involving active exploitation, auth bypass, exfiltration, or public secret exposure are treated as urgent incidents.