Explanation · the company trust boundary
The boundary is the product.
One installation gives a company a private place for small web software—with deliberate escape hatches, never accidental ones.
Private is the default
Company visibility requires identity. Restricted visibility adds application ACLs on top of that. Public visibility is an explicit registry state; a site made public does not inherit private capabilities by accident.
Content stays separate
Browser code runs on sibling hostnames. Optional backend code runs in a separate Dynamic Worker isolate with no registry, deployment authority, R2 bucket, encryption keys, or global network.
Capabilities are narrow
Database and secret bindings are scoped to one site. Secret values are never returned. Scheduled jobs are leased, quota-bound, retried, and audited by trusted code.
Deployment is atomic
Files remain pending in private R2 until every manifest digest is verified. Visitors never see a partial update.
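The all-or-nothing publish step above, as an added illustration that is not the platform's own code: in-memory dicts stand in for the pending R2 prefix and the live site, and the manifest is assumed to carry SHA-256 hex digests (the page does not name the algorithm). Nothing reaches the live mapping unless every digest matches, so a corrupted or missing file leaves visitors on the previous version.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest: dict[str, str], pending: dict[str, bytes]) -> list[str]:
    """Check every manifest entry against the pending upload.
    Returns a list of problems; an empty list means the whole set verified."""
    problems = []
    for path, expected in manifest.items():
        data = pending.get(path)
        if data is None:
            problems.append(f"{path}: listed in manifest but not uploaded")
            continue
        # constant-time comparison of the hex digests
        if not hmac.compare_digest(sha256_hex(data), expected):
            problems.append(f"{path}: digest mismatch")
    # files uploaded outside the manifest are also rejected: the manifest is authoritative
    for path in sorted(pending.keys() - manifest.keys()):
        problems.append(f"{path}: uploaded but not in manifest")
    return problems


def publish(live: dict[str, bytes], manifest: dict[str, str],
            pending: dict[str, bytes]) -> tuple[dict[str, bytes], list[str]]:
    """Atomic swap: return a new live mapping only when verification passes;
    otherwise return the old mapping untouched, plus the reasons."""
    problems = verify_manifest(manifest, pending)
    if problems:
        return live, problems
    return {path: pending[path] for path in manifest}, []


# constructed sample data: a v1 site, a complete v2 upload, and a corrupted v2 upload
LIVE_V1 = {"index.html": b"<h1>v1</h1>"}
PENDING_V2 = {"index.html": b"<h1>v2</h1>", "app.js": b"console.log('v2')"}
MANIFEST_V2 = {path: sha256_hex(data) for path, data in PENDING_V2.items()}
CORRUPT_V2 = dict(PENDING_V2, **{"app.js": b"console.log('v"})  # truncated upload

if __name__ == "__main__":
    print(publish(LIVE_V1, MANIFEST_V2, PENDING_V2)[1])   # []
    print(publish(LIVE_V1, MANIFEST_V2, CORRUPT_V2)[1])   # ['app.js: digest mismatch']
```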