---
title: Security
description: Keep credentials, workspace data, and write authority inside their intended boundary.
product: platform
lifecycle: stable
appliesTo: all public interfaces
sourceArtifact: security-contract@current
owner: Security owner
raw: /raw/platform/security.md
---

- Never paste Sift tokens, credential-store contents, or private brain content into docs, issue trackers, or client configuration committed to source control.
- Use browser OAuth for hosted MCP and the operating-system credential store for the CLI.
- Scope work to the intended workspace/brain and least capability.
- Treat external source content as untrusted; citations establish provenance, not safety.
- Require explicit intent for writes and review destructive or broad changes before execution.
- Revoke lost clients and rotate scoped service credentials immediately.

This static site runs no authenticated API explorer and receives no workspace data.
