Security model
Genie is secure by default: authorization is enforced by the server on every operation, and the client is never trusted. This page is the map; each layer has its own page.
The layers
Section titled “The layers”- Authentication — short-lived RS256 JWT + refresh tokens, cookie auth, MFA/TOTP and sessions. See Identity.
- RBAC — per-resource permission verbs (List, View, Create, Update, Delete, Export, Import, Execute), re-validated on every request. See RBAC & permissions.
- The disclosure gate — metadata (structure) is ungated beyond auth; record values and mutations require the matching verb. See The disclosure gate.
- Parameter sanitisation — an allowlist strips caller-supplied parameters that the view didn’t declare, guarding mass-assignment and cross-tenant injection. See Parameter sanitisation.
- Field & column security — per-field/column role and expression rules, enforced server-side on submit. See Field & column security.
- Multi-tenancy — company scoping is enforced in SQL, not just filtered in the UI. See Multi-tenant company scoping.
The trust rule
Section titled “The trust rule”Related hardening
Section titled “Related hardening”- Password encryption — user passwords are AES-encrypted at the database layer, with per-dialect cipher keys. See Password encryption.
- Assistant SQL isolation — the AI assistant runs generated SQL through a restricted, row-level-security-scoped login so a prompt can never cross tenant boundaries. See Tenant isolation & SQL hardening.
- Transport & uploads — CSP/HSTS headers, authenticated export downloads (no guessable static paths), and configurable upload size caps.