Security Model

The security model consists of:

  • authenticated user context for every request
  • validated bearer tokens
  • application-level authorization checks
  • Supabase RLS as the final database boundary
  • no service-role access for normal user MCP calls
  • preview-and-apply for risky mutations
  • least-privilege scopes and toolsets

Saviqo public documentation