Security
Package Ninja security model and operational safeguards.
Control Model
Package Ninja enforces policy before install/publish execution. Workspace policy is organization-scoped and resolved server-side to prevent tenant boundary bypass through client-side mutation.
Authentication and Session Security
Device login uses browser-mediated approval. Access tokens are short-lived, refresh tokens are rotated, and replay defenses are enforced in control-plane refresh handling.
Billing Integrity Controls
Checkout flows use intent records and webhook reconciliation checks (org/plan/seat consistency) before applying billing state changes. Pending checkout state is not treated as active entitlement.
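One way to structure the reconciliation check described above, shown as an added example and not Package Ninja's own code. The class, field names, status strings and sample values are hypothetical, and webhook signature verification is assumed to have happened before `reconcile` is called.

```python
from dataclasses import dataclass


@dataclass
class CheckoutIntent:
    # Written server-side when checkout starts; this is the source of truth.
    intent_id: str
    org_id: str
    plan: str
    seats: int
    status: str = "pending"  # becomes "active" only after reconciliation


class BillingLedger:
    """Hypothetical in-memory store of checkout intents."""

    def __init__(self):
        self.intents = {}

    def create_intent(self, intent_id, org_id, plan, seats):
        self.intents[intent_id] = CheckoutIntent(intent_id, org_id, plan, seats)
        return self.intents[intent_id]

    def reconcile(self, event):
        """Apply a payment webhook only if it matches the recorded intent."""
        intent = self.intents.get(event.get("intent_id"))
        if intent is None:
            return "unknown_intent"
        if intent.status != "pending":
            return "already_" + intent.status  # duplicate delivery, no change
        # org/plan/seat consistency: every field must equal the stored value.
        mismatched = [f for f in ("org_id", "plan", "seats")
                      if event.get(f) != getattr(intent, f)]
        if mismatched:
            return "mismatch:" + ",".join(mismatched)  # intent stays pending
        intent.status = "active"
        return "applied"

    def entitled_seats(self, org_id, plan):
        # Pending intents never count toward entitlement.
        return sum(i.seats for i in self.intents.values()
                   if (i.org_id, i.plan, i.status) == (org_id, plan, "active"))
```

A webhook that names the right intent but a different org, plan or seat count is refused and leaves the intent pending, so entitlement stays at zero until a consistent event arrives.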
Incident Reporting
For responsible disclosure: security@packageninja.online. Please include reproduction steps, expected behavior, and observed impact.