Every safeguard, named.
We treat untrusted execution as the failure mode it is. Below: the architecture, the controls already shipped, and what's on the hardening roadmap. If you spot something missing, tell us.
This page covers InSitue Cloud (production autopilot). The local dev tool has a different threat surface — loopback-only WebSocket, per-session token in .insitue/session.json, edits via the user's own claude CLI on their own Anthropic plan. No data leaves the developer's machine.
Data flow, end to end.
[Data-flow diagram: where data lives at each step, who can touch it, and what's destroyed when. Each arrow is labelled with the safeguard at that hop.]
Threat × control × status.
One row per failure mode we've thought about. Active controls are shipped today. Roadmap items are hardening on the path to Enterprise.
| Threat / failure mode | Control | Status |
|---|---|---|
| Source exposure in our infra | Repo cloned only inside an ephemeral Vercel Sandbox microVM per run; destroyed at end-of-run. Never persisted in our database. | Active |
| Agent merging unreviewed code | InSitue never auto-merges to your default branch. Every fix opens as a PR (draft on Safe tier, ready-for-review on Standard) — your manual merge is the safeguard against cost blow-outs and agent misbehaviour. | Active |
| Agent privilege escalation | Agent tool surface limited to read_file, search and propose_edit; proposed edits only ever reach the PR branch. No direct write to the working tree, no network, no system calls. | Active |
| Push to default branch | Mechanically prevented. Pushes go only to fix/insitue-run_<id>; the PR is opened from that branch (draft on Safe tier, as above) and is never merged by InSitue. | Active |
| GitHub org-wide blast radius | Least-privilege: only contents + pull-requests on the repos you explicitly install on. | Active |
| Vercel scope creep | Marketplace Integration grants only Projects: Read + Deployments: Read. No write, no deploys, no env-var access. | Active |
| Capture-key abuse / cost-DoS | Capture keys are origin-pinned (a request from any other origin is rejected, which also defeats DNS rebinding), quota'd per project, rate-limited and deduplicated, so the cost of abuse is bounded by design. | Active |
| Secrets in captured reports | Text fields (user note, console output, error messages) are scrubbed at ingest, before persistence, for known token shapes: Authorization headers, Bearer tokens, JWTs, sk_* keys, plus custom patterns. Screenshots (no OCR) and DOM snapshots are not scrubbed: crop or blur sensitive UI in-app before sending. | Active |
| Integration token exfiltration | Tokens stored server-side only, never echoed to the dashboard or captures, accessed only by the run worker. | Active |
| Source persistence in our infra | Customer repo never persists — clone lives only inside the ephemeral microVM. The PR push is the only artifact, and it lands in your GitHub. | Active |
| Wedged or runaway runs | Two kill switches: per-project pause + global stop-the-world. Both flip in <1s. | Active |
| Bad PR ships to production | InSitue opens the PR; a human merges. CI runs on the customer's own infrastructure before review. If something does ship and needs reverting, every PR has a one-click revert-and-redeploy-previous flow. | Active |
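The "secrets in captured reports" row is the control a reviewer will most want to see in practice, so here is an added example of what ingest-time scrubbing looks like. This is illustration code written for this page, not InSitue's own scrubber: the token regexes, the `[REDACTED:...]` marker, the field names (`note`, `console`, `error`, `screenshot_png`, `dom_html`) and the sample report are all assumptions. It also makes the row's caveat concrete: only the listed text fields are touched, and the returned metadata names the fields that were left as they arrived.

```python
"""Ingest-time secret scrubbing for captured reports.

Added example, not InSitue's code. Token shapes, field names and the
[REDACTED:...] marker are assumptions made for this illustration.
"""
import re

# (name, compiled pattern, replacement). Order matters: a full Authorization
# header is redacted before the looser Bearer/JWT rules get to see its value.
DEFAULT_RULES = [
    ("authorization",
     re.compile(r"(?i)(authorization\s*[:=]\s*)(\S+(?:[ \t]+\S+)?)"),
     r"\1[REDACTED:authorization]"),
    ("bearer",
     re.compile(r"(?i)\bBearer[ \t]+[A-Za-z0-9._~+/=-]+"),
     "Bearer [REDACTED:bearer]"),
    # JWT: three base64url segments; "eyJ" is '{"' base64-encoded.
    ("jwt",
     re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
     "[REDACTED:jwt]"),
    # sk_live_/sk_test_/sk_ style API keys (assumed shape: 16+ alphanumerics).
    ("sk_key",
     re.compile(r"\bsk[_-](?:live|test)?_?[A-Za-z0-9]{16,}\b"),
     "[REDACTED:sk_key]"),
]

# Only these report fields are text and get scrubbed. Everything else
# (screenshot bytes, DOM snapshot) passes through untouched, as the row says.
TEXT_FIELDS = ("note", "console", "error")


def scrub_text(text, custom_patterns=()):
    """Return (scrubbed_text, {rule_name: hits}).

    custom_patterns: iterable of (name, regex_string) supplied per project.
    """
    rules = list(DEFAULT_RULES) + [
        (name, re.compile(pattern), f"[REDACTED:{name}]")
        for name, pattern in custom_patterns
    ]
    counts = {}
    for name, pattern, repl in rules:
        text, n = pattern.subn(repl, text)
        if n:
            counts[name] = counts.get(name, 0) + n
    return text, counts


def scrub_report(report, custom_patterns=()):
    """Scrub the text fields of a captured report before it is persisted.

    Returns a new dict with a '_scrub' entry: per-rule hit counts plus the
    list of fields that were NOT scrubbed, so whoever stores the report can
    see what still carries whatever the user had on screen.
    """
    out = dict(report)
    counts = {}
    for field in TEXT_FIELDS:
        if isinstance(out.get(field), str):
            out[field], hits = scrub_text(out[field], custom_patterns)
            for name, n in hits.items():
                counts[name] = counts.get(name, 0) + n
    out["_scrub"] = {
        "counts": counts,
        "unscrubbed_fields": sorted(k for k in report if k not in TEXT_FIELDS),
    }
    return out


# Constructed sample capture, shaped like console output a browser SDK might
# forward. The token values are made up for this example.
SAMPLE_REPORT = {
    "note": "checkout breaks after login, see console",
    "console": (
        "[fetch] POST /api/checkout\n"
        "  headers: Authorization: Bearer "
        "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl\n"
        "  body: {\"token\":\"sk_live_4eC39HqLyjWDarjtT1zdp7dc\"}\n"
    ),
    "error": "TypeError: Cannot read properties of undefined (reading 'id')\n"
             "  at checkout (app.js:42)",
    "screenshot_png": b"\x89PNG\r\n\x1a\n",  # constructed stub; never scrubbed
    "dom_html": "<input value=\"sk_live_4eC39HqLyjWDarjtT1zdp7dc\">",  # not scrubbed
}

if __name__ == "__main__":
    cleaned = scrub_report(SAMPLE_REPORT)
    print(cleaned["console"])
    print(cleaned["_scrub"])
```

Two design points worth noting. The Authorization rule deliberately over-redacts (it takes up to two whitespace-separated tokens after the header name, but never crosses a line break), because at ingest a lost word of console noise is cheaper than a persisted credential. And the `dom_html` field in the sample still contains the key after scrubbing, which is exactly why the row tells you to blur sensitive UI before sending.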
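The "capture-key abuse / cost-DoS" row lists four controls that only bound cost if they are applied in the right order. The following is an added example of such a gate, written for this page and not taken from InSitue: the key format, the in-memory stores, the limits and the deterministic `now` parameter are assumptions (a production gate would back the counters with a shared store). The ordering is the point: origin is checked before anything is counted, a duplicate is dropped before it can consume quota, and the per-minute limit is checked before the per-project quota so a burst cannot burn the month's allowance.

```python
"""Capture-key gate: origin pinning, dedup, rate limit, per-project quota.

Added example, not InSitue's code. Key format, limits, stores and the
explicit `now` clock are assumptions made for this illustration.
"""
import hashlib
from collections import deque


class CaptureGate:
    WINDOW = 60.0  # sliding window for the per-key rate limit, in seconds

    def __init__(self, keys, per_minute=30, project_quota=1000, dedup_ttl=300.0):
        # keys: {capture_key: {"project": project_id, "origins": {allowed origins}}}
        self.keys = keys
        self.per_minute = per_minute
        self.project_quota = project_quota
        self.dedup_ttl = dedup_ttl
        self._recent = {}  # capture_key -> deque of accept timestamps
        self._used = {}    # project -> captures accepted this billing period
        self._seen = {}    # (project, sha256 of payload) -> first-seen timestamp

    def check(self, key, origin, payload, now):
        """Return (accepted, reason). `now` is a monotonic timestamp in seconds."""
        rec = self.keys.get(key)
        if rec is None:
            return False, "unknown_key"

        # Origin pinning: browsers set Origin and page script cannot forge it.
        # Exact match only, no prefix/suffix matching. A DNS-rebinding page runs
        # under the attacker's origin and a missing Origin is rejected too.
        if not origin or origin not in rec["origins"]:
            return False, "origin_mismatch"
        project = rec["project"]

        # Dedup before counting: a retry loop must not spend quota or rate budget.
        digest = hashlib.sha256(payload).hexdigest()
        first_seen = self._seen.get((project, digest))
        if first_seen is not None and now - first_seen < self.dedup_ttl:
            return False, "duplicate"

        # Per-key sliding-window rate limit.
        q = self._recent.setdefault(key, deque())
        while q and now - q[0] >= self.WINDOW:
            q.popleft()
        if len(q) >= self.per_minute:
            return False, "rate_limited"

        # Per-project quota: the hard ceiling on what a leaked key can cost.
        if self._used.get(project, 0) >= self.project_quota:
            return False, "quota_exceeded"

        q.append(now)
        self._used[project] = self._used.get(project, 0) + 1
        self._seen[(project, digest)] = now
        return True, "accepted"


# Constructed key registry for the example; the key value is made up.
KEYS = {"cap_demo": {"project": "p1", "origins": {"https://app.example.com"}}}

if __name__ == "__main__":
    gate = CaptureGate(KEYS, per_minute=2, project_quota=3)
    for origin, body, t in [("https://app.example.com", b"a", 0.0),
                            ("https://app.example.com", b"a", 1.0),
                            (None, b"b", 1.0),
                            ("https://evil.example", b"b", 1.0)]:
        print(origin, body, gate.check("cap_demo", origin, body, t))
```

Note what is not in the gate: the capture key itself grants nothing beyond "may submit one bounded report for project p1 from this origin", so even a key scraped from page source cannot read anything back.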
| Hardening item | What ships | Status |
|---|---|---|
| Per-org key wrapping (KEK) | HSM-backed envelope encryption of integration tokens, one key-encryption key per org. | Roadmap |
| Self-host / dedicated region | Tenant-isolated dedicated region first, then an on-prem operator for Enterprise. | Roadmap |
Compliance docs and reports, on request and on time.
We publish what we can today and add formal audits as they become real. Request the DPA, our sub-processor list, or a vendor security questionnaire by email.
- DPA available today (request a signed copy): live
- Sub-processor list published: live
- Secret scrubbing on ingest (text fields): live
- Coordinated vulnerability disclosure: live
- Dedicated region (Enterprise): soon
The full legal & trust shelf.
Found something? Email security@insitue.com. Coordinated disclosure. We acknowledge within 5 business days and credit researchers in the changelog (with consent).
Trust isn't a slide. It ships.
Start free, kill-switch armed, draft PRs only. Upgrade safety tiers later.