> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gavai.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security at gavAI

> Tenant isolation, scoped credentials, and coordinated disclosure — the three things you came here to verify.

export const PageMeta = ({audience, readingTime, prereqs, level}) => {
  const items = [audience && ({
    key: "audience",
    label: "AUDIENCE",
    value: audience
  }), readingTime && ({
    key: "time",
    label: "READ",
    value: readingTime
  }), level && ({
    key: "level",
    label: "LEVEL",
    value: level
  }), prereqs && prereqs.length > 0 && ({
    key: "prereqs",
    label: "PREREQS",
    value: prereqs.join(" · ")
  })].filter(Boolean);
  if (items.length === 0) return null;
  return <div className="gv-page-meta" role="group" aria-label="Page metadata">
      {items.map(item => <div className="gv-page-meta__item" key={item.key}>
          <span className="gv-page-meta__label">{item.label}</span>
          <span className="gv-page-meta__value">{item.value}</span>
        </div>)}
    </div>;
};

export const Path = ({icon, title, href, children}) => <a className="gv-choose-path__card" href={href}>
    {icon && <span className="gv-choose-path__icon" aria-hidden="true">
        <Icon icon={icon} />
      </span>}
    <h4 className="gv-choose-path__title">{title}</h4>
    {children && <p className="gv-choose-path__body">{children}</p>}
    <svg className="gv-choose-path__arrow" viewBox="0 0 24 24" width="14" height="14" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
      <line x1="7" y1="17" x2="17" y2="7" />
      <polyline points="7 7 17 7 17 17" />
    </svg>
  </a>;

export const ChoosePath = ({eyebrow = "CHOOSE YOUR PATH", label, children}) => <section className="gv-choose-path">
    <div className="gv-choose-path__header">
      <Eyebrow label={eyebrow} />
      {label && <h3 className="gv-choose-path__label">{label}</h3>}
    </div>
    <div className="gv-choose-path__grid">{children}</div>
  </section>;

export const CTABanner = ({eyebrow, headline, subhead, ctaLabel, ctaHref, secondaryCtaLabel, secondaryCtaHref}) => <section className="gv-cta">
    <div className="gv-cta__copy">
      {eyebrow && <Eyebrow label={eyebrow} />}
      <h2 className="gv-cta__headline">{headline}</h2>
      {subhead && <p className="gv-cta__subhead">{subhead}</p>}
    </div>
    <div className="gv-cta__actions">
      {ctaLabel && ctaHref && <a className="gv-cta__button" href={ctaHref}>
          {ctaLabel}
        </a>}
      {secondaryCtaLabel && secondaryCtaHref && <a className="gv-cta__secondary" href={secondaryCtaHref}>
          {secondaryCtaLabel}
          <svg viewBox="0 0 24 24" width="12" height="12" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
            <line x1="7" y1="17" x2="17" y2="7" />
            <polyline points="7 7 17 7 17 17" />
          </svg>
        </a>}
    </div>
  </section>;

export const ArrowItem = ({children}) => <li className="gv-arrow-item">
    <span className="gv-arrow-item__arrow" aria-hidden="true">{"↳︎"}</span>
    <span className="gv-arrow-item__content">{children}</span>
  </li>;

export const ArrowList = ({children}) => <ul className="gv-arrow-list">{children}</ul>;

export const BrandCard = ({eyebrow, title, href, icon, badge, cta, featured = false, horizontal = false, children}) => {
  const classes = ["gv-card", featured && "gv-card--featured", horizontal && "gv-card--horizontal"].filter(Boolean).join(" ");
  const inner = <>
      {icon && <span className="gv-card__icon" aria-hidden="true">
          <Icon icon={icon} />
        </span>}
      <div className="gv-card__main">
        {(eyebrow || badge) && <div className="gv-card__meta">
            {eyebrow && <Eyebrow label={eyebrow} tone="muted" />}
            {badge && <span className="gv-card__badge">{badge}</span>}
          </div>}
        <h3 className="gv-card__title">{title}</h3>
        {children && <div className="gv-card__body">{children}</div>}
        {cta && <span className="gv-card__cta">
            {cta}
            <svg className="gv-card__cta-arrow" viewBox="0 0 24 24" width="12" height="12" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
              <line x1="7" y1="17" x2="17" y2="7" />
              <polyline points="7 7 17 7 17 17" />
            </svg>
          </span>}
      </div>
    </>;
  return href ? <a className={classes} href={href}>
      {inner}
    </a> : <div className={classes}>{inner}</div>;
};

export const Eyebrow = ({label, tone = "default"}) => <div className={`gv-eyebrow gv-eyebrow--${tone}`}>
    <span className="gv-eyebrow__bar" aria-hidden="true" />
    <span className="gv-eyebrow__label">{label}</span>
  </div>;

<Eyebrow label="SECURITY" />

<PageMeta audience="Developers, security reviewers, researchers" readingTime="3 min" level="Reference" />

You're evaluating gavAI for something that has to be right. This page is the index to the three things that determine whether it can be: how workspaces are isolated from each other, how tokens are scoped so a compromise stays small, and how we handle it when someone reports a vulnerability. By the end you'll know which page to read for your specific concern and the four design principles each one rests on.

If you're a developer integrating, the [scopes catalogue](/security/scopes) is the operational page — it lists every action verb and which endpoints they unlock. If you're a security reviewer or compliance team, [multi-tenant isolation](/security/multi-tenant-isolation) is the architectural page — it names the boundaries and what enforces each one. If you're a researcher, [disclosure](/security/disclosure) is the reference — in-scope buckets, response SLAs, where to send the report.

<ChoosePath label="Pick the page that matches your role">
  <Path icon="terminal" title="I'm integrating a service" href="/security/scopes">
    Every action verb, every scope name, every endpoint it gates.
  </Path>

  <Path icon="shield" title="I'm reviewing the architecture" href="/security/multi-tenant-isolation">
    The four isolation boundaries and what enforces each one.
  </Path>

  <Path icon="bug" title="I'm reporting a vulnerability" href="/security/disclosure">
    In-scope buckets, response SLAs, where to send the report.
  </Path>
</ChoosePath>

## The four design principles

Each page in this section is one consequence of these four. They are stated here once so you can hold them in your head while you read the rest.

<ArrowList>
  <ArrowItem>**Least privilege.** Every token carries an explicit scope set. Mint one key per integration and grant only the verbs that integration needs. A key that only lists pages should not also be able to delete them.</ArrowItem>
  <ArrowItem>**Defense in depth.** Isolation runs at four layers — the Worker boundary, the per-workspace database, credential scoping, and the URL surface. No single layer carries the full load; a defect in one doesn't collapse the others.</ArrowItem>
  <ArrowItem>**Explicit over implicit.** Access is declared, not inferred. Every endpoint names the scope it requires. Every key lists the scopes it holds. Nothing is implicitly granted by role, group, or convention.</ArrowItem>
  <ArrowItem>**Assume breach.** Rotate credentials on a schedule and immediately on suspected compromise. The platform supports zero-downtime key rotation so rotation never costs availability.</ArrowItem>
</ArrowList>

## Pick the page you need

<Columns cols={2}>
  <BrandCard eyebrow="ISOLATION" title="Multi-tenant isolation" href="/security/multi-tenant-isolation" icon="building-office-2">
    The boundaries between workspaces — Worker, database, URL, config — and what enforces each one.
  </BrandCard>

  <BrandCard eyebrow="SCOPES" title="Scopes and least privilege" href="/security/scopes" icon="key">
    Every action verb, every scope name, every endpoint it gates — plus how to mint a narrow key.
  </BrandCard>

  <BrandCard eyebrow="DISCLOSURE" title="Reporting vulnerabilities" href="/security/disclosure" icon="shield-exclamation">
    Coordinated disclosure: in-scope buckets, acknowledgment SLA, the 90-day window, where to send it.
  </BrandCard>

  <BrandCard eyebrow="AUTH" title="Authentication" href="/api-reference/authentication" icon="lock-closed">
    Token formats, OAuth 2.1 with PKCE, the token lifecycle, and the full error code table.
  </BrandCard>
</Columns>

## Reporting a vulnerability

If you find a security issue in the platform, the runtime, or the API, we want the report. The [disclosure policy](/security/disclosure) has the full process, the acknowledgment SLA, and the in-scope list. For urgent findings — anything involving cross-tenant access or credential exposure — skip the form and email [security@gavai.io](mailto:security@gavai.io) directly.

<CTABanner eyebrow="DISCLOSURE" headline="Found something? We'd like to hear about it." ctaLabel="Read the disclosure policy" ctaHref="/security/disclosure" />
