Security

Built for trust. Designed for compliance.

Security is architecture, not an afterthought. Every layer of Saltare — from database constraints to AI guardrails — is designed to keep your workspace data where it belongs.

Protection layers

Defense in depth

Tenant Isolation

Every workspace is a hard boundary

Saltare uses acts_as_tenant to enforce workspace scoping at the ORM layer. Every query is automatically filtered by workspace_id. There is no way to access another workspace's data through normal application paths.

  • Database-level check constraints prevent cross-tenant FK references
  • Routes nest under /w/:workspace_slug — no workspace, no access
  • ActsAsTenant.without_tenant used sparingly, audited at every callsite
  • Authorization via PORO policy classes — every action is explicitly authorized
SSRF Protection

Agents can't reach your internal network

AI research tools (fetch_url, web_search) validate every outbound URL through AI::UrlValidator before making any request. Private IP ranges are unconditionally blocked.

  • Blocks RFC 1918 private ranges (10.x, 172.16.x, 192.168.x)
  • Blocks loopback (127.x) and link-local (169.254.x) addresses
  • Blocks cloud metadata endpoints (169.254.169.254)
  • Validates resolved IP after DNS lookup — no DNS rebinding
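The outbound URL check described above, as an added example in Ruby that is not Saltare's own AI::UrlValidator; the UrlGuard module name and the injectable resolver (so it runs offline) are assumptions. It goes slightly beyond the list by unwrapping IPv4-mapped IPv6 literals and by returning the vetted address so the caller can pin the connection to it instead of resolving the name a second time.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Hypothetical guard (added example, not Saltare's AI::UrlValidator).
module UrlGuard
  BLOCKED = %w[
    10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    127.0.0.0/8 169.254.0.0/16
    0.0.0.0/8 100.64.0.0/10
    ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze
  # Ranges: RFC 1918; loopback and link-local (covers 169.254.169.254);
  # "this" network and carrier-grade NAT; IPv6 loopback, ULA, link-local.

  # True if the address falls in any blocked range. IPv4-mapped IPv6
  # (::ffff:10.0.0.1) is unwrapped first so it cannot bypass the v4 list.
  def self.blocked_ip?(ip)
    addr = IPAddr.new(ip)
    addr = addr.native if addr.ipv4_mapped?
    BLOCKED.any? { |range| range.include?(addr) }
  end

  # Returns [ok, detail]: detail is the vetted IP on success, a reason on failure.
  # The resolver is injectable so the example runs offline.
  def self.validate(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url)
    return [false, "scheme not allowed"] unless %w[http https].include?(uri.scheme)
    host = uri.hostname # strips [] from IPv6 literals
    return [false, "missing host"] if host.nil? || host.empty?
    ips = begin
      IPAddr.new(host) # literal IP: check it directly, no DNS
      [host]
    rescue IPAddr::InvalidAddressError
      resolver.call(host) # hostname: check every address it resolves to
    end
    return [false, "unresolvable host"] if ips.empty?
    bad = ips.find { |ip| blocked_ip?(ip) }
    return [false, "resolves to blocked address #{bad}"] if bad
    # Hand back the vetted IP: the HTTP client must connect to this address
    # (sending the original Host header) rather than resolve the name again,
    # otherwise a second lookup could return a private address (DNS rebinding).
    [true, ips.first]
  rescue URI::InvalidURIError
    [false, "malformed URL"]
  end
end
```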
Session Security

Secure sessions by default

Authentication is built on has_secure_password (bcrypt). No third-party auth gems. Session cookies are hardened against common web attacks.

  • HttpOnly cookies — inaccessible to JavaScript
  • SameSite: Lax — CSRF protection for cross-origin requests
  • Secure flag set in production — HTTPS only
  • 30-day expiry — no permanent session tokens
  • Rate limiting on all auth endpoints to block brute force
AI Safety

Agents operate within guardrails

AI agents that interact with user-supplied content are a natural prompt injection surface. Saltare applies multiple layers of protection so agents can't be hijacked by malicious data.

  • System prompts include hardened guardrails against indirect injection
  • AI::ContentModerator fails closed — uncertain = rejected
  • Circuit breaker prevents moderation failures from cascading
  • AgentAction deduplication via tool_use_id — idempotent tool execution
  • Max 5 tool iterations per agent loop — bounded execution
Infrastructure
Transport
  • TLS 1.2+ enforced
  • HTTPS required in production
  • Secure cookie flag set
Data storage
  • PostgreSQL — no shared tables
  • JSONB for flexible schema fields
  • Full-text search via tsvector columns
Rate limiting
  • Per-controller limits on all create actions
  • Auth endpoints limited to block brute force
  • Agent memory and destructive actions gated
Background jobs
  • Solid Queue — database-backed, no Redis required
  • Job deduplication for agent tool calls
  • Failed jobs visible in admin panel
Error tracking
  • Honeybadger for exception monitoring
  • Admin audit log for impersonation events
  • P&L and revenue anomaly tracking
Deployment
  • Kamal + Docker for reproducible deploys
  • Multi-database separation in production
  • Solid Cache and Cable — no external services
Compliance roadmap
SOC 2 Type II: In progress

Controls audit underway. Target: Q4 2026.

GDPR: Partial

Data deletion and portability endpoints available. DPA on request.

HIPAA: Planned

BAA and technical safeguards on the roadmap for enterprise tier.

Responsible disclosure

Found a vulnerability?

We take security reports seriously. If you discover a vulnerability in Saltare, please report it to us privately before public disclosure. We aim to triage within 48 hours and provide a fix timeline within 7 days.

We don't pursue legal action against good-faith researchers. We will acknowledge your contribution in our release notes unless you prefer anonymity.

Report a vulnerability