Security at WeaveOS

We design for adversarial conditions from the start. Our threat model assumes that any single layer can be compromised — so we layer controls such that a breach at one layer cannot cascade into a full system compromise or fund loss. Key principles:

• Defence in depth. Multiple independent controls protect every critical operation. A compromised off-chain verifier cannot drain escrow funds because the Move smart contracts enforce independent invariants on-chain.
• Cryptographic finality. Settlement logic lives in audited Move smart contracts on the Sui blockchain. Once a settlement is verified and recorded on-chain, no off-chain actor — including us — can alter or reverse it.
• Least privilege. Every service, API key, and database credential is scoped to the minimum permissions required for its function. We do not use shared root credentials anywhere.
• Transparency. We disclose our security architecture publicly (this page), publish smart contract source code, and maintain a responsible disclosure programme.

Sui Move Smart Contracts

All settlement logic is implemented in the Sui Move programming language, which provides strong resource safety and type guarantees. Our smart contract package enforces:

• Phantom-typed escrow that cannot be accidentally released to the wrong coin type.
• On-chain invariant checks: all split recipients must be registered in the ProviderRegistry, the sum of all splits cannot exceed the escrowed amount, the platform fee cannot exceed its configured cap, and no self-payment is permitted.
• A dispute window during which settlement is blocked, allowing customers to raise challenges before funds are released.
• Permissionless settlement: anyone can trigger settlement after the dispute window closes, preventing WeaveOS from unilaterally delaying payouts.
• All-or-nothing atomicity: settlement is executed in a single Programmable Transaction Block. Gas exhaustion or any failure reverts the entire transaction — no partial payments are possible.

Attestation and Outcome Verification

Outcome verification runs inside a Trusted Execution Environment (AWS Nitro Enclave in production). The enclave:

• Evaluates the success criteria you configured against the actual workflow output — without the host OS being able to observe the computation.
• Signs the attestation payload with a private key that never leaves the enclave’s encrypted memory.
• Commits all evidence blobs (outcome, trace, proof) to Walrus, recording tamper-evident content hashes on-chain.

The Move contract verifies the enclave’s attestation before permitting settlement. A compromised application layer cannot forge a valid attestation without access to the enclave’s key — and even then, Move-side invariants remain independently enforced.

Encryption in Transit

• All traffic between your browser or SDK and our platform is encrypted using TLS 1.3.
• We enforce HTTPS everywhere; plain HTTP requests are redirected.
• API endpoints are served over HTTPS with HSTS enabled.

Encryption at Rest

• Our managed Postgres database (Neon) encrypts all data at rest using AES-256.
• Workflow artifacts and outcome evidence stored on Walrus are content-addressed — any tampering changes the blob hash, which is independently verifiable against the on-chain record.
• Secrets (API keys, database credentials, signing keys) are managed via environment variable isolation — never hardcoded in source code or committed to version control.

Credential Security

• Passwords are stored as salted bcrypt hashes. Plaintext passwords are never written to disk, logs, or databases.
• API keys are hashed before storage; only the prefix is stored in recoverable form for display.
• Session tokens are rotated on each authentication event.

• TypeScript strict mode is enforced across all application code, eliminating a broad class of type-confusion bugs.
• Input validation is applied on every API endpoint before data is processed or persisted.
• Rate limiting is applied to all public and authenticated endpoints to mitigate brute-force and abuse.
• Content Security Policy headers restrict which resources the browser can load, mitigating cross-site scripting.
• CSRF protection is enforced on all state-changing requests.
• Dependency management: we use automated dependency scanning and apply security patches promptly. Direct dependencies are pinned to reviewed versions.
• No secrets in logs: our logging configuration explicitly redacts credential, key, and token fields from all log output.

Our production infrastructure is hosted on Vercel (application layer) and Neon (database), both of which provide:

• DDoS mitigation and global edge network distribution.
• SOC 2 Type II certified environments.
• Automated backups with point-in-time recovery.
• Private networking for database connections — the database is not exposed to the public internet.

• Production systems are accessible only to engineers with a business need. Access is reviewed quarterly and revoked immediately upon role change or departure.
• Multi-factor authentication (MFA) is required for all admin and production access.
• All access to production data is logged and auditable.
• Database access uses dedicated credentials per service role, scoped to the minimum required permissions.

We operate a responsible disclosure programme and welcome reports from security researchers. If you discover a vulnerability in the WeaveOS platform, smart contracts, or infrastructure, please report it to us privately before public disclosure.

How to report

• Email: security@weaveos.xyz
• Include a description of the vulnerability, steps to reproduce, and the potential impact.
• Encrypt sensitive reports using our PGP key (available on request).

Our commitments to researchers

• We will acknowledge receipt within 2 business days.
• We will investigate and provide an initial assessment within 7 business days.
• We will work with you to understand and resolve the issue before public disclosure.
• We request a 90-day coordinated disclosure window from the date we confirm the issue.
• We will not pursue legal action against researchers who follow this responsible disclosure process in good faith.
• We acknowledge all confirmed, valid vulnerabilities in our public Security Hall of Fame.

We maintain a documented incident response plan. In the event of a security incident:

• Detection and triage — automated alerting triggers on anomalous activity. All alerts are triaged within 4 hours during business days.
• Containment — affected systems are isolated and credentials are rotated as required.
• Analysis and remediation — root cause analysis is conducted and the fix is deployed before affected systems are returned to service.
• Notification — affected users are notified within 72 hours of a confirmed breach that creates a material risk to their data or funds. Where legally required, we notify relevant supervisory authorities within the same window.
• Post-incident review — a written post-mortem is completed within 14 days of every significant incident.

In accordance with our commitment to transparency, we declare all data points collected by the WeaveOS platform:

• Identity data: full name, business email address, company name, job title.
• Authentication data: hashed password, session tokens, MFA device identifiers.
• Network data: IP address, referring URL, exit URL.
• Device and browser data: browser type and version, operating system, device type (desktop/mobile), screen resolution.
• Usage and analytics: pages visited, features used, API calls made (endpoint, timestamp, response code), workflow counts, error occurrences.
• Workflow execution data: inputs and outputs submitted to AI workflows, token counts, tool call records, execution duration, cost attribution data.
• Blockchain data: Sui wallet addresses, transaction hashes, on-chain object IDs, USDC amounts, settlement records.
• Storage data: Walrus blob IDs and SHA-256 content hashes for outcome artifacts.
• Billing data: subscription plan, invoice history, GMV amounts, USDC payout records. We do not collect or store credit card numbers.
• Communication data: messages sent via contact form or email to our team addresses.
• Cookies: strictly necessary session cookies, preference cookies, and analytics identifiers. No cross-site tracking cookies.

We do not collect: location data beyond country-level IP geolocation, photos or camera access, microphone or audio data, contacts, calendar data, biometric data, or health information.

For security-related matters, contact our security team at security@weaveos.xyz. For privacy matters, see our Privacy Policy. For all other enquiries, reach us at team@weaveos.xyz.