Hub
Owns identities, policy, encrypted secrets, audit events, repositories, build state, and deployment intent. The hub does not mount the host Docker socket.
Security and trust
This page describes the implemented ReaperCI security model and the assurance work still required before managed GA. It is not a certification claim.
Owns identities, policy, encrypted secrets, audit events, repositories, build state, and deployment intent. The hub does not mount the host Docker socket.
Managed tenants receive isolated rootless BuildKit stacks, volumes, networks, encryption keys, quotas, and backup sets. BYO workers remain customer-owned compute.
The managed connector enrolls once, connects outbound over mTLS, rotates certificates, rejects replay, and exposes only typed, allowlisted operations. Direct SSH remains a self-hosted option.
CLI, MCP, and API actions use scoped service accounts. Production requests remain subject to environment approvals and every action is attributed.
Managed backups stream to a tenant-scoped S3-compatible key, record size and SHA-256, and require explicit server-side encryption. Restore hydrates to a random mode-0600 file and verifies integrity before stopping the tenant hub. Production bucket, KMS, object-lock, and separate-host restore drills remain launch gates.
Required unit, integration, browser, secret-scan, dependency-audit, multi-architecture image, SBOM, image-scan, backup/restore, and BuildKit/registry gates.
Independent security review, production infrastructure review, live provider and disaster-recovery drills, legal review, trademark clearance, and closure of all critical/high findings.
Please follow the coordinated vulnerability disclosure policy and email security@reaperci.dev with impact, affected component, reproduction steps, and a safe contact method. Do not include customer secrets or exploit public systems.