Authentication and sessions
The console uses Better Auth for login and sessions. Production deployments should use secure cookies, trusted origins, HTTPS, and a shared cookie domain.
Credential handling
Deploy tokens, database URLs, SSH keys, and third-party secrets should be injected only as runtime secrets, never committed to repositories or public docs.
Deployment isolation
Appaloft records deploy paths, health checks, and rollback state. Runtime isolation for applications depends on the server and resource configuration you choose.
Audit and observability
Sensitive operations should leave auditable events, logs, and status for diagnostics, rollback, and security investigation.
Reporting issues
If you find a vulnerability, contact [email protected] and give us reasonable time to respond before public disclosure.