Security & Governance
Agiflow protects the project board through layered access checks, scoped assistant connections, encrypted vault storage, signed artifact access, and plan limits at API ingress.
01 — Access Layers
User authentication
Better Auth resolves the signed-in user and session before protected workspace or API behavior runs.
Organization membership
Organization access checks confirm the user belongs to the workspace before organization data is returned.
Project access
Project-scoped routes run project access middleware. Owners and admins bypass project team checks; regular members are checked against project membership.
Admin route guards
Billing, team, invitation, connection, and related settings screens require an owner or admin role.
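The four access layers above, as an added example written for this page (not Agiflow's own code). It evaluates a request in the order the page lists: session, organization membership, project access with the owner/admin bypass, then the admin route guard. The session store, membership tables, role names and identifiers are constructed assumptions.

```typescript
// Added illustrative example, not Agiflow's own code. Models the access layers
// in order; all names and sample data below are assumptions for the example.

type Role = "owner" | "admin" | "member";

interface AccessRequest {
  sessionToken?: string; // resolved by Better Auth in a real deployment
  orgId: string;
  projectId?: string;    // present on project-scoped routes
  adminOnly?: boolean;   // billing, team, invitation, connection settings routes
}

interface Decision {
  status: 200 | 401 | 403;
  reason: string;
}

// Constructed stand-ins for the session store and membership tables.
const sessionsByToken: Record<string, { userId: string }> = {
  "tok-alice": { userId: "alice" },
  "tok-bob": { userId: "bob" },
  "tok-carol": { userId: "carol" },
};

const orgMemberships: { orgId: string; userId: string; role: Role }[] = [
  { orgId: "org-1", userId: "alice", role: "owner" },
  { orgId: "org-1", userId: "bob", role: "member" },
  { orgId: "org-2", userId: "carol", role: "admin" },
];

const projectMemberships: { projectId: string; userId: string }[] = [
  { projectId: "proj-1", userId: "bob" },
];

function authorize(req: AccessRequest): Decision {
  // Layer 1: user authentication. Without a valid session nothing else runs.
  const session = req.sessionToken ? sessionsByToken[req.sessionToken] : undefined;
  if (!session) return { status: 401, reason: "no valid session" };

  // Layer 2: organization membership, resolved once and reused by later layers.
  const membership = orgMemberships.find(
    (m) => m.orgId === req.orgId && m.userId === session.userId,
  );
  if (!membership) return { status: 403, reason: "not a member of this organization" };

  const privileged = membership.role === "owner" || membership.role === "admin";

  // Layer 3: project access. Owners and admins bypass the project team check;
  // regular members must appear in the project's membership list.
  if (req.projectId !== undefined && !privileged) {
    const onProject = projectMemberships.some(
      (p) => p.projectId === req.projectId && p.userId === session.userId,
    );
    if (!onProject) return { status: 403, reason: "not a member of this project" };
  }

  // Layer 4: admin route guard for settings screens.
  if (req.adminOnly && !privileged) {
    return { status: 403, reason: "owner or admin role required" };
  }

  return { status: 200, reason: "allowed" };
}
```

Each layer fails closed and the checks are ordered so that a cheaper, broader check (session, organization) rejects before any project or settings data is consulted.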
02 — Workspace Roles
Owner
Full workspace control, including billing, settings, membership, and project access.
Admin
Administrative workspace control without being the owner. Admin-only settings routes allow this role.
Member
Standard project-board collaboration. Project access can be narrowed by team/project membership.
Assistant connections are not a separate workspace role. They inherit the authorization and resource scope granted during setup.
03 — Keys And Scoped Connections
API keys
Programmatic requests validate a hashed key, expiry, enabled state, user identity, and organization scope before continuing.
Assistant authorization
Interactive connections use authorization and consent. The selected organization, project, work unit, or task becomes the resource bound to the session.
Scoped endpoints
Organization, project, work-unit, and task endpoints expose different tool sets. Narrower endpoints reduce what the connected assistant can read or update.
04 — Storage Boundaries
Auth data
Cloudflare D1 stores authentication and organization identity data.
Project data
Durable Object SQLite stores projects, work units, tasks, comments, workflow state, and artifact metadata.
Artifact blobs
Cloudflare R2 stores uploaded file content. Upload and download operations use signed URLs.
Vault values
Vault entries are stored per environment, encrypted at rest with a per-entry IV, and masked in list/get responses.
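The vault storage pattern above, as an added example that is not Agiflow's own code: entries are keyed by environment, encrypted at rest with AES-256-GCM under a fresh random IV per entry, and masked in list/get responses while a separate runtime path decrypts. The master key, the binding of each ciphertext to its environment and name via GCM additional data, and all names are assumptions added for the example.

```typescript
// Added illustrative example, not Agiflow's own code. The master key, the
// env:name AAD binding and all names are assumptions for the example.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

interface VaultRecord {
  env: string;        // e.g. "production", "staging"
  name: string;
  iv: string;         // base64 of 12 random bytes, unique per entry
  tag: string;        // base64 GCM authentication tag
  ciphertext: string; // base64
}

// Constructed for the example; a real deployment loads this from a secret, never from code.
const VAULT_MASTER_KEY = randomBytes(32);
const MASK = "********";

const vaultStore: VaultRecord[] = [];

function encryptEntry(env: string, name: string, plaintext: string): VaultRecord {
  // GCM is only safe if an IV never repeats under the same key, hence one random IV per entry.
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", VAULT_MASTER_KEY, iv);
  // Bind the ciphertext to its environment and name so a record cannot be moved between them.
  cipher.setAAD(Buffer.from(`${env}:${name}`, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    env,
    name,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

function decryptEntry(rec: VaultRecord): string {
  const decipher = createDecipheriv("aes-256-gcm", VAULT_MASTER_KEY, Buffer.from(rec.iv, "base64"));
  decipher.setAAD(Buffer.from(`${rec.env}:${rec.name}`, "utf8"));
  decipher.setAuthTag(Buffer.from(rec.tag, "base64"));
  // final() throws if the ciphertext, tag, IV or env/name were altered.
  const plain = Buffer.concat([decipher.update(Buffer.from(rec.ciphertext, "base64")), decipher.final()]);
  return plain.toString("utf8");
}

function setVaultValue(env: string, name: string, value: string): void {
  const idx = vaultStore.findIndex((r) => r.env === env && r.name === name);
  const rec = encryptEntry(env, name, value);
  if (idx >= 0) vaultStore[idx] = rec;
  else vaultStore.push(rec);
}

// API responses: values are masked, and only the requested environment is listed.
function listVault(env: string): { name: string; value: string }[] {
  return vaultStore.filter((r) => r.env === env).map((r) => ({ name: r.name, value: MASK }));
}

function getVaultMasked(env: string, name: string): { name: string; value: string } | undefined {
  const rec = vaultStore.find((r) => r.env === env && r.name === name);
  return rec ? { name: rec.name, value: MASK } : undefined;
}

// Runtime path (e.g. injecting a value into a workflow run): the only place plaintext appears.
function resolveVaultValue(env: string, name: string): string | undefined {
  const rec = vaultStore.find((r) => r.env === env && r.name === name);
  return rec ? decryptEntry(rec) : undefined;
}

// Exposes the stored record so a caller can confirm IVs differ between entries.
function rawVaultRecord(env: string, name: string): VaultRecord | undefined {
  return vaultStore.find((r) => r.env === env && r.name === name);
}
```

Storing the same value in two environments yields two different IVs and ciphertexts, and the authentication tag means a record that is tampered with, or copied from one environment to another, fails to decrypt rather than silently yielding wrong data.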
05 — Quota Enforcement
Resource creation is checked by pricing middleware before the request reaches the domain handler. The middleware resolves the active plan, reads live counts from the organization Durable Object, and returns HTTP 402 when a project, API key, member, or assistant connection limit is reached. The web app converts those responses into upgrade prompts.
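The quota flow above, as an added example that is not Agiflow's own code: a wrapper resolves the organization's plan, reads the live count for the resource being created, and returns 402 before the domain handler runs, with a web-side helper that turns the 402 into an upgrade prompt. Plan names, limits, the in-memory organization state standing in for the Durable Object, and all identifiers are constructed assumptions.

```typescript
// Added illustrative example, not Agiflow's own code. Plan names, limits and
// the in-memory organization state are constructed for the example.

type QuotaResource = "project" | "apiKey" | "member" | "assistantConnection";

interface Plan {
  name: string;
  limits: Record<QuotaResource, number>;
}

// Stands in for the organization Durable Object that holds live counts.
interface OrgState {
  planId: string;
  counts: Record<QuotaResource, number>;
}

interface ApiResponse {
  status: number;
  body: Record<string, unknown>;
}

const plans: Record<string, Plan> = {
  starter: { name: "starter", limits: { project: 2, apiKey: 1, member: 3, assistantConnection: 1 } },
  team: { name: "team", limits: { project: 20, apiKey: 10, member: 25, assistantConnection: 10 } },
};

const orgState: Record<string, OrgState> = {
  "org-1": { planId: "starter", counts: { project: 2, apiKey: 0, member: 1, assistantConnection: 1 } },
  "org-2": { planId: "team", counts: { project: 5, apiKey: 2, member: 8, assistantConnection: 3 } },
};

type Handler = (orgId: string) => ApiResponse;

// Wraps a create handler; the limit check runs before the handler can touch domain state.
function withPlanQuota(resource: QuotaResource, handler: Handler): Handler {
  return (orgId) => {
    const org = orgState[orgId];
    if (!org) return { status: 404, body: { error: "organization_not_found" } };
    const plan = plans[org.planId];
    if (!plan) return { status: 500, body: { error: "unknown_plan" } };
    const used = org.counts[resource]; // live count, not a cached number
    const limit = plan.limits[resource];
    if (used >= limit) {
      return { status: 402, body: { error: "plan_limit_reached", resource, used, limit, plan: plan.name } };
    }
    return handler(orgId);
  };
}

const createProject = withPlanQuota("project", (orgId) => {
  orgState[orgId].counts.project += 1;
  return { status: 201, body: { created: "project" } };
});

const createApiKey = withPlanQuota("apiKey", (orgId) => {
  orgState[orgId].counts.apiKey += 1;
  return { status: 201, body: { created: "apiKey" } };
});

// Web-app side: a 402 becomes an upgrade prompt; any other response passes through.
function upgradePromptFor(res: ApiResponse): string | null {
  if (res.status !== 402) return null;
  const b = res.body;
  return `Your ${String(b.plan)} plan allows ${String(b.limit)} ${String(b.resource)}(s). Upgrade to add more.`;
}
```

Reading the count from the organization's authoritative state at request time, rather than from a cached value, is what keeps two concurrent create requests from both passing a limit that only has room for one.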