Security & privacy

BYOK storage

  • Store provider secrets at org level in Postgres (OrgSecret.keyEnc).
  • Encrypt them with AES‑GCM using the helpers in lib/crypto.ts, keyed by RUNFORGE_MASTER_KEY (a 32‑byte key).
  • Never store raw secrets in Convex.

Prompt data handling

  • We never require storing prompts or outputs. Do not send them to /api/ingest.
  • Optional: promptHash can be stored without promptPreview. Previews are truncated to 160 chars.
  • When a prompt is provided to the API, this template hashes it with unkeyed SHA‑256; bring your own client‑side salt/pepper. TODO: add keyed hashing support.

Hosting & logs

  • EU hosting recommended if handling EU data.
  • Avoid logging full payloads in production; redact PII where possible before ingestion.

Redaction

  • Optionally preprocess requests to remove emails, credit cards, and identifiers before sending to /api/ingest.

Access control

  • Project scoping enforced in queries; API keys tied to project IDs.
  • Clerk guards user pages; ingestion relies on shared secret in this template.

Rate limiting & auth

  • Ingestion API enforces a sliding‑window rate limit per project (RF_RATE_LIMIT_PER_MINUTE).
  • Ingest auth via INGEST_API_KEY with timing‑safe comparison.

TODO: Implement the wiring for the prompt hash‑only toggle and granular API key permissions (see convex/apiKeys.ts).