Security
Tenant boundaries belong on the server.
Botops scopes reads and writes by agency and client, refreshes authorization state during sessions, and keeps private provider credentials out of public configuration.
Launch controls
Tenant isolation
Agency and client relationships are verified again at mutation and API boundaries.
Credential separation
Management keys are encrypted at rest; optional browser keys are stored separately.
Lifecycle enforcement
Inactive users lose session access, and temporary passwords require a change.
Demo safety
The public demo uses dedicated accounts and a demo tenant. Writes, provider calls, ingest, uploads, webhooks, and audit events are blocked server-side; the browser only simulates local feedback.