Security Model

The edge enforces route lookup, access policy, WAF/block rules, rate limits, and stream admission before proxying. Unknown hosts collapse to a generic not-found response.

Managed connector tokens can be holder-of-key bound to the local device key. Self-hosted key mode uses API-key hashes configured on the edge.

The security docs track implemented protections and residual hardening work in documentation/security.md.