Security at hostfunc

hostfunc uses a secure-by-default architecture for auth, execution boundaries, and secret handling. This page summarizes the controls that are currently in place.

Effective date: April 2026

Security principles

  • Least privilege for machine routes and internal control-plane calls.
  • Secure defaults (authenticated trigger execution paths and token verification).
  • Tenant isolation controls around function execution and org-scoped access.

Current controls

  • Token-authenticated machine APIs for CLI, MCP, and internal service routes.
  • Internal invoke tokens for trusted control-plane-to-runtime dispatch paths.
  • Outbound worker SSRF controls including private-network target blocking.
  • Secret storage with encrypted values and controlled retrieval at runtime.

Operational security

We run key internal token rotation and secret-management procedures through production runbooks. Logging and execution telemetry are designed for observability while minimizing sensitive value exposure.

Known limitations

  • Token permissions are org-scoped; route/action-level scopes are a planned improvement.
  • Some rotation and cutover workflows are still operationally manual.

Report a vulnerability

Please follow the project disclosure process documented in SECURITY.md.