
Security: dotlabshq/eventplane


SECURITY.md

Security Model

Eventplane is designed for multi-tenant, zero-trust environments. Every component assumes the publisher or subscriber might be untrusted; auditability and replayability are therefore first-class requirements.

Core Principles

  • Tenant ID is mandatory on all events (enforced in EventFactory).
  • Controllers never resolve identity or authorization; they operate only on already-authorized events.
  • Authorization happens at the edge (CLI, Gateway, or other intent publishers) and must stamp caused_by metadata.
  • No component is allowed to mutate state without emitting an auditable event.

Event Integrity

  • Events are immutable once persisted to PostgreSQL (eventplane/store/event_store.py).
  • Causation and correlation IDs provide full lifecycle tracing; never strip or overwrite them.
  • Status/finalizer mutations happen exclusively through eventplane/event/mutate.py so audit trails remain complete.
  • Replay is the default recovery path—design projections/workers to tolerate duplicated delivery.

Messaging Security

  • NATS subjects follow eventplane.<kind>.<stream>; apply subject-level ACLs so tenants cannot subscribe outside their scope.
  • Publishing intent does not imply permission to publish fact/internal events. Separate credentials for each tier.
  • CLI helpers (evtctl) must never embed secrets—configuration belongs in environment variables or secret stores.
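The Core Principles, Event Integrity and Messaging Security rules above, shown together as an added illustration that is not eventplane's own code: a factory that refuses events lacking tenant_id or an edge-stamped caused_by, propagates correlation/causation IDs, keeps events immutable in memory (the authoritative immutability is the append-only store), and mirrors the per-tier publish permission on eventplane.<kind>.<stream>. Every class, function and the tier-to-kind mapping here are assumptions, not the project's API.

```python
from dataclasses import dataclass, field
from typing import Optional
import re
import uuid

# Subject shape from the policy: eventplane.<kind>.<stream>
SUBJECT_RE = re.compile(r"^eventplane\.(intent|fact|internal)\.([a-z0-9_-]+)$")
# Assumed credential tiers: the edge may only publish intent; controllers publish fact/internal.
TIER_KINDS = {"edge": {"intent"}, "controller": {"fact", "internal"}}


@dataclass(frozen=True)  # frozen: no field can be reassigned after creation
class Event:
    tenant_id: str
    kind: str
    stream: str
    caused_by: str                 # identity stamped by the authorizing edge
    correlation_id: str            # shared by the whole lifecycle
    causation_id: Optional[str]    # event_id of the direct parent, None for a root
    event_id: str = field(default_factory=lambda: uuid.uuid4().hex)

    @property
    def subject(self) -> str:
        return f"eventplane.{self.kind}.{self.stream}"


def new_event(tenant_id: str, kind: str, stream: str, caused_by: str,
              parent: Optional[Event] = None) -> Event:
    """Hypothetical EventFactory: enforce mandatory metadata and ID propagation."""
    if not tenant_id:
        raise ValueError("tenant_id is mandatory on all events")
    if not caused_by:
        raise ValueError("caused_by must be stamped at the edge before publishing")
    # Never strip or overwrite lineage: inherit correlation, point causation at the parent.
    correlation = parent.correlation_id if parent else uuid.uuid4().hex
    causation = parent.event_id if parent else None
    return Event(tenant_id, kind, stream, caused_by, correlation, causation)


def may_publish(tier: str, event: Event) -> bool:
    """Client-side mirror of the subject-level ACL; the NATS server ACL stays authoritative."""
    match = SUBJECT_RE.match(event.subject)
    return bool(match) and match.group(1) in TIER_KINDS.get(tier, set())
```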

Sensitive Data Handling

  • Do not place secrets in event payloads or specs. Use opaque references (vault IDs, token IDs) if needed.
  • Specs should capture only the minimum data required for the controller to make a deterministic decision.
  • Redact caused_by metadata if it includes user-identifying data before sharing logs externally.

Runtime & Infrastructure Hardening

  • Event Store access must be append-only for application roles; projections should read through read-only database connections.
  • sb_utils/Supabase integrations must respect tenant filters (tenant_id column enforced via RLS).
  • Run all Eventplane services with least-privilege credentials; no service should own both NATS admin and database superuser roles.

Incident Response

  • Replay from the Event Store is the primary recovery mechanism; ensure regular backups of the append-only log.
  • Projections can be dropped and rebuilt deterministically—document the commands/scripts that perform that replay.
  • When an incident is detected, capture the relevant correlation IDs for forensic review and re-ingest only the affected streams.

Reporting Vulnerabilities

Please email teams@dotlabs.dev with a detailed report (steps to reproduce, impact, and suggested mitigation). Do not open public issues for sensitive findings.


Eventplane security assumes compromise is inevitable; auditability is mandatory.
