API keys
Workspace-scoped runtime keys are revealed once and then managed as masked metadata.
Secrets policy
Never save API keys, cookies, private keys, database URLs, or production secrets into memory.
Transport
Public Cloud memory endpoints use HTTPS and bearer authentication.
Retention
Retention follows the active plan envelope. Treat it as operational policy, not a truth guarantee.
Compliance
No SOC 2, HIPAA, SAML, BYOK, VPC, or data residency claim is made here unless separately contracted.
DO commit: - product decisions - verified outcomes - public docs references - non-secret environment names DO NOT commit: - full API keys - cookies or session tokens - private keys - database URLs - raw customer secrets
