Security
Security is part of the product, not a side document.
ReformCode is designed around code trust, auditability, route protection, sandbox boundaries, billing assurance, and operational evidence. This page summarizes the current security posture and disclosure process.
Security Posture
Authentication and roles
Protected product surfaces use authenticated sessions, admin roles, audit logs, and entitlement checks for sensitive operations.
Runtime boundaries
Workspace runtime contracts include scoped environments, restricted networking, path controls, quotas, artifact capture, and sandbox audit events.
Billing assurance
Stripe webhooks, credits, entitlements, plan gates, and repair actions are reconciled through auditable assurance workflows.
Responsible Disclosure
Send vulnerability reports to security@reformcode.com. Include affected routes or APIs, reproduction steps, impact, and any safe proof of concept details.
Please avoid destructive testing, data exfiltration, service disruption, or accessing accounts and data that are not yours.
Security Controls
- Server-side API keys and billing secrets are not exposed to browser clients.
- Webhook routes verify provider signatures before processing events.
- Admin repair actions are intentionally narrow and designed to leave audit evidence.
- Release gates include type checks, linting, unit tests, evaluation checks, builds, and e2e coverage.
- Security, license, dependency, and policy signals are treated as user-visible product evidence.