🔒 Security architecture

I make the risky moves slow down on purpose.

I run 0meg4kAI in the browser before the request leaves the client and again at the Cloudflare edge before any D1 write executes. Contracts, payments, hiring, public claims, and publishing all hit gates in the brain router, the Worker endpoint, and the security scanner. SkyeMail adds vault-key encryption so inbox content can be stored as ciphertext instead of plain readable email.

0meg4kAI — two passes

I scan browser-side and Worker-side. Both must clear.

I run the browser scanner before the request leaves the client. I run the Worker scanner at the Cloudflare edge before D1 gets touched. Tenant boundary violations, connector abuse, public claim overreach, and approval bypass attempts get blocked before they become records.

Hard approval gates

Contracts, payments, hiring, and publishing need human sign-off.

These gates exist in three places simultaneously: the brain router, the Worker endpoint, and the 0meg4kAI scanner. There is no configuration option to disable them. Naomi Sterling (Finance) gates payments. Julian Mercer (Legal) gates contracts. Sienna Brooks (HR) gates hiring. Valentina Reyes (Marketing) gates public publishing.

D1 proof records

Every scan result and approval outcome is logged.

Eight dedicated D1 databases log security scan events, routing decisions, approval outcomes, and quarantine events. The sentinel audit trail D1 database captures every 0meg4kAI decision. This is a queryable record of what the system saw, what it blocked, and what cleared — not a status page that says "all systems normal."

SkyeMail vault keys

Email content is encrypted for the workspace before it becomes inbox data.

Each SkyeMail workspace generates a public/private vault key pair in the browser. The public key can receive encrypted mail. The private key stays wrapped by the client's vault passphrase, so SkyeMail can route, log, and store messages without needing plaintext access to the message body.

SkyeMail encrypted inbox

The vault key is the lock on the client email workspace.

Normal email platforms can usually read stored mailbox content because messages land as provider-readable data. SkyeMail changes that model for the application inbox: inbound messages are routed through Resend, matched to the workspace, encrypted to that workspace's public key, and then stored in Neon as encrypted payloads.

Public key

This is the receiving address for encryption.

SkyeMail can safely keep a public key for each workspace. Resend inbound events use that public key to seal incoming message content before the inbox record is saved.

Private key

This is the reader key, and it stays locked.

The private key is wrapped with the client's vault passphrase. The server stores the wrapped key, not the unlocked key. A client unlocks it locally when they need to read encrypted message content.

Vault passphrase

Losing it matters because privacy is real.

If recovery is disabled, losing the vault passphrase can mean losing access to encrypted message bodies. If recovery is enabled, a separate admin-recovery copy can be stored encrypted for controlled recovery.
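
The vault-key flow described above, sketched as an added example (not SkyeMail's own code). It uses Node's built-in crypto as a stand-in for the browser; the function names and the algorithm choices (RSA-OAEP, AES-256-GCM, scrypt) are assumptions, since the page does not name them.

```javascript
// Added example: Node's built-in crypto stands in for browser WebCrypto. The algorithms
// (RSA-OAEP, AES-256-GCM, scrypt) are assumptions, not SkyeMail's documented choices.
const nodeCrypto = require("node:crypto");

// AES-256-GCM helpers; IV and auth tag are stored beside the ciphertext.
function aesSeal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function aesOpen(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Client: generate the workspace key pair; wrap the private key under the passphrase.
function createVault(passphrase) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "der" },
  });
  const salt = nodeCrypto.randomBytes(16);
  const kek = nodeCrypto.scryptSync(passphrase, salt, 32);
  // Only these two values need to reach the server.
  return { publicKey, wrappedPrivateKey: { salt, ...aesSeal(kek, privateKey) } };
}

// Server (inbound hook): seal the body using nothing but the public key.
function sealInbound(publicKey, body) {
  const dek = nodeCrypto.randomBytes(32); // fresh data key per message
  const wrappedDek = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, dek);
  return { wrappedDek, ...aesSeal(dek, Buffer.from(body, "utf8")) };
}

// Client: unlock the private key locally, then open the stored record.
function openInbound(vault, passphrase, record) {
  const w = vault.wrappedPrivateKey;
  const kek = nodeCrypto.scryptSync(passphrase, w.salt, 32);
  const der = aesOpen(kek, w); // a wrong passphrase fails the GCM tag check here
  const priv = nodeCrypto.createPrivateKey({ key: der, format: "der", type: "pkcs8" });
  const dek = nodeCrypto.privateDecrypt({ key: priv, ...OAEP }, record.wrappedDek);
  return aesOpen(dek, record).toString("utf8");
}
```

With no recovery copy, a failed unwrap in `openInbound` is final: nothing the server holds can open the record.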

Operational metadata

Routing still works without exposing the body.

SkyeMail can track delivery, mailbox status, timestamps, provider events, and audit receipts while keeping the actual message body encrypted at rest.

[Screenshot: SkyeGateFS27 proof surface]

🛡️ What I show publicly

I let buyers see the gate, not the keys.

I use the public proof surface to show the architecture: introspection, mirrored events, admin key management, platform monitoring, and the route back to MetrAIyux 0S. I do not publish secrets to prove I have control.

Boundary

I want trust without leakage.

The buyer can inspect the protection story. I keep private implementation setup and admin runbooks out of public reach.

🧱 Security boundary

I show the architecture without handing over the controls.

I want a serious buyer to understand the security posture — scan layers, gate logic, auth platform, D1 audit trail — without receiving the private implementation handoff.

Public — what this page covers

  • 0meg4kAI two-layer scan architecture and what each layer blocks.
  • Hard gate locations (brain router, Worker endpoint, security scanner) and which functions own them.
  • SkyeGateFS27 auth platform: Bearer token introspection and role/scope validation on /admin/* routes.
  • Which D1 databases log security events and what categories they track.

Private — what stays off this page

  • Private access setup, protected owner controls, and backend configuration.
  • Internal deployment procedures and admin-only implementation details.
  • Internal admin runbooks, 28-lesson tutorial content, and operator checklists.
  • Live D1 query access, customer tenant records, and approval inbox content.

Four structural boundaries

Tenant, admin, claim, and action — each enforced at a different layer.

I enforce separation in the architecture, not in a policy note. I use the SaaS provisioning Worker to isolate each customer's D1 data at the binding level. Cloudflare Access controls every /admin/* route. 0meg4kAI scans run at the edge before D1 writes. Hard gates exist in three code locations at the same time.

Tenant boundary

Customer workspace isolation is structural.

Each customer's data lives in its own D1 partition. 0meg4kAI verifies at runtime that no customer command can reach owner-scoped brains or another tenant's records. This is Worker-level enforcement, not an access policy that can be misconfigured.

Admin boundary

Eight Workers behind Cloudflare Access on /admin/*.

SkyeGateFS27 handles Bearer token introspection and role/scope validation. A Cloudflare Access policy sits in front of every admin-scoped route. Production connectors, deployment configuration, and private runbooks never appear on public-facing pages.

Claim boundary

Public claims route through Valentina Reyes before publishing.

The Marketing brain approval gate blocks any public-facing content that overstates certifications, legal standing, or production integration status. The gate exists in the brain router, the Worker endpoint, and the 0meg4kAI scanner, and all three must clear before a public claim executes.

Action boundary

Resend approval email fires before sensitive execution.

Contracts, payments, hiring decisions, and public publishing all trigger an approval notification to the operator's admin email via Resend. The action is staged but not executed until the operator confirms. The confirmation event logs to the sentinel audit trail D1 database.
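
The stage-then-confirm flow described above, as an added example (not the platform's own code). The category-to-role mapping follows this page; `createGate`, the record fields, and the in-memory array standing in for the sentinel audit trail are hypothetical.

```javascript
// Added example. Category-to-approver mapping follows the page; identifiers are hypothetical.
const GATE_OWNER = { payment: "finance", contract: "legal", hiring: "hr", publishing: "marketing" };

function createGate(auditLog) {
  const staged = new Map();
  let seq = 0;
  const log = (event, id, detail) => auditLog.push({ event, id, ...detail });
  const reject = (id, reason) => { log("rejected", id, { reason }); return { ok: false }; };

  return {
    // Stage a sensitive action: it is recorded and the owner notified, never run here.
    stage(category, run) {
      if (!Object.prototype.hasOwnProperty.call(GATE_OWNER, category)) {
        throw new Error(`ungated category: ${category}`); // fail closed on unknown categories
      }
      const id = `act-${++seq}`;
      staged.set(id, { category, run, status: "staged" });
      log("staged", id, { category, notify: GATE_OWNER[category] });
      return id;
    },
    // Execute only on confirmation from the owning role; each id can be confirmed once.
    confirm(id, approverRole) {
      const action = staged.get(id);
      if (!action) return reject(id, "unknown id");
      if (action.status !== "staged") return reject(id, `already ${action.status}`);
      if (approverRole !== GATE_OWNER[action.category]) return reject(id, "wrong approver");
      action.status = "executed"; // flip state before running so a replay cannot re-enter
      const result = action.run();
      log("executed", id, { approverRole });
      return { ok: true, result };
    },
  };
}
```

Rejections are logged alongside executions, so the audit trail records bypass attempts as well as approvals.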