Noodle Seed
Security & governance

Govern the headless body.

Headless does not mean ungoverned. Noodle Seed centralizes the runtime controls around every deployed app: identity, secrets, policy alpha, asset verification, release proof, tenant isolation, and scalar-safe audit events.

01

Identity and groups

Current foundations include OAuth-protected deployments, owner-only access, and org-member access. Google Workspace group mapping, Entra, Okta, SAML/OIDC, and SCIM are identity lifecycle scope for private preview or later.

02

Tenant isolation

Requests route by server identity and validate against the tenant artifact, connector catalog, policy context, and credential scope. Internal registry and group visibility must preserve that boundary for every customer tenant.

03

Secrets and credentials

Service credentials stay out of specs, chats, logs, widget payloads, and runtime artifacts. They are stored encrypted and brokered to connectors at call time; delegated per-user credential brokering is the required plan for Workday, CRM, and user-scoped systems.

04

Approval lifecycle

App deploys already carry tenant, environment, version, owner, and active deployment state. Tenant rollback can reactivate a stored target without changing the stable MCP endpoint. A full internal connector registry with lifecycle state, risk class, review cadence, and disablement is private-preview enterprise scope.

05

Policy alpha

Policy assignment APIs and the noodle policy CLI can deny, suspend, quota, and rate-limit MCP requests before SDK dispatch. Active policy lookups are cached and invalidated on writes. Group-level governance and broader enterprise policy suites remain scoped work.
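The shape described above, a pre-dispatch gate whose cached policy lookups are invalidated on writes, as an added illustration that is not Noodle Seed's own code and does not use its policy API or CLI. The Policy fields, the PolicyStore write hook, the tenant name acme and the tool names are all constructed for the example; treating a tenant with no assignment as denied is this example's fail-closed choice, not documented platform behaviour.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One active assignment (constructed shape, not the platform's schema)."""
    deny_tools: FrozenSet[str] = frozenset()
    suspended: bool = False
    quota: Optional[int] = None                      # total calls allowed
    rate_limit: Optional[Tuple[int, float]] = None   # (calls, window_seconds)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # allow, deny, suspend, quota, rate_limit, no_policy


class PolicyStore:
    """Source of truth for assignments; every write notifies subscribers."""

    def __init__(self) -> None:
        self._active: Dict[str, Policy] = {}
        self._on_write: List[Callable[[str], None]] = []

    def subscribe(self, callback: Callable[[str], None]) -> None:
        self._on_write.append(callback)

    def assign(self, tenant: str, policy: Policy) -> None:
        self._active[tenant] = policy
        for callback in self._on_write:
            callback(tenant)

    def lookup(self, tenant: str) -> Optional[Policy]:
        return self._active.get(tenant)


class PolicyGate:
    """Runs before SDK dispatch: cached per-tenant policy, counters kept outside the cache."""

    def __init__(self, store: PolicyStore, clock: Callable[[], float] = time.monotonic) -> None:
        self._store = store
        self._clock = clock
        self._cache: Dict[str, Optional[Policy]] = {}   # a cached None is also a valid entry
        self._total: Dict[str, int] = {}
        self._recent: Dict[str, Deque[float]] = {}
        self.store_lookups = 0                           # exposed so caching is observable
        store.subscribe(self._invalidate)

    def _invalidate(self, tenant: str) -> None:
        # Drop only the cached policy. Usage counters survive a write, otherwise
        # re-assigning a policy would silently reset a tenant's quota.
        self._cache.pop(tenant, None)

    def _policy(self, tenant: str) -> Optional[Policy]:
        if tenant not in self._cache:
            self._cache[tenant] = self._store.lookup(tenant)
            self.store_lookups += 1
        return self._cache[tenant]

    def check(self, tenant: str, tool: str) -> Decision:
        policy = self._policy(tenant)
        if policy is None:
            return Decision(False, "no_policy")   # fail closed (example's choice)
        if policy.suspended:
            return Decision(False, "suspend")
        if tool in policy.deny_tools:
            return Decision(False, "deny")
        now = self._clock()
        recent = self._recent.setdefault(tenant, deque())
        if policy.rate_limit is not None:
            calls, window = policy.rate_limit
            while recent and now - recent[0] >= window:   # sliding window
                recent.popleft()
            if len(recent) >= calls:
                return Decision(False, "rate_limit")
        if policy.quota is not None and self._total.get(tenant, 0) >= policy.quota:
            return Decision(False, "quota")
        # Only an allowed call consumes quota and rate-limit budget.
        self._total[tenant] = self._total.get(tenant, 0) + 1
        recent.append(now)
        return Decision(True, "allow")
```

The clock is injectable so the rate-limit window can be exercised deterministically; in production the default monotonic clock is what you want, since wall-clock adjustments would otherwise open or close the window.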

06

Audit evidence

The platform emits scalar-safe events for deployment, rollback, policy denials, assets, and operator actions without request bodies, bearer tokens, signed URLs, or local absolute paths. Compliance exports are private-preview scope.
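One way to enforce the scalar-safe rule at the point where events are built, as an added example that is not Noodle Seed's emitter. Non-scalar values (request bodies) and blocked field names are dropped and recorded by name; string values are scrubbed for bearer tokens, signed URLs and local absolute paths before they reach the event. The patterns, the blocked-key list and the sample field values are constructed for the example, and the redaction markers are arbitrary.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict, Tuple

SCALARS = (str, int, float, bool, type(None))

# Field names that never belong in an audit event, whatever their value.
BLOCKED_KEYS = {"authorization", "body", "request_body", "token", "bearer", "cookie", "set-cookie"}

# Constructed patterns for the three value shapes the text rules out.
BEARER_RE = re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE)
SIGNED_URL_RE = re.compile(
    r"https?://\S*[?&](?:X-Amz-Signature|X-Goog-Signature|sig|Signature)=\S*", re.IGNORECASE)
# Local absolute paths (POSIX home/tmp/etc trees, Windows drive paths). URL paths
# such as /v1/service/info are deliberately left alone.
ABS_PATH_RE = re.compile(
    r"(?:^|(?<=\s))(?:/(?:home|Users|tmp|var|etc|opt|srv|root)/\S*|[A-Za-z]:\\\S*)")

REPLACEMENTS = (
    (BEARER_RE, "[bearer-redacted]"),
    (SIGNED_URL_RE, "[signed-url-redacted]"),
    (ABS_PATH_RE, "[path-redacted]"),
)


def scrub(value: str) -> Tuple[str, int]:
    """Return the scrubbed string and how many substitutions were made."""
    hits = 0
    for pattern, replacement in REPLACEMENTS:
        value, n = pattern.subn(replacement, value)
        hits += n
    return value, hits


def scalar_safe_event(kind: str, **fields: Any) -> Dict[str, Any]:
    """Build an audit event carrying only scalar, scrubbed fields.

    Dropped and redacted field names are kept in the event itself so an
    operator can see that something was withheld without seeing the value.
    """
    event: Dict[str, Any] = {
        "kind": kind,
        "ts": datetime.now(timezone.utc).isoformat(),
        "dropped": [],
        "redacted": [],
    }
    for key, value in fields.items():
        if key.lower() in BLOCKED_KEYS or not isinstance(value, SCALARS):
            event["dropped"].append(key)      # bodies, nested structures, blocked names
            continue
        if isinstance(value, str):
            value, hits = scrub(value)
            if hits:
                event["redacted"].append(key)
        event[key] = value
    return event
```

The allowlist on value types does most of the work: a request body or widget payload can only arrive as a dict or list, so it never reaches the regex stage at all. The patterns are a second line of defence for secrets that were pasted into a string field.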

07

Hosted assets

Packaged images are validated, uploaded through a keyless asset edge, re-hashed, re-sniffed, served from assets.noodleseed.dev, and kept separate from MCP/OAuth traffic.
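The re-sniff and re-hash step, as an added example that is not the asset edge's own code: the server ignores the declared content type, classifies the bytes by magic number, recomputes the digest and only then decides how to store and serve the object. The size limit, the supported type list, the content-addressed key layout and the response headers are this example's choices; the serving headers reflect the separation from MCP/OAuth traffic (a separate origin, nosniff, and a CSP that keeps the asset inert even if a polyglot slips through).

```python
import hashlib
from typing import Dict, Optional

MAX_BYTES = 5 * 1024 * 1024   # example limit

# Magic bytes for the raster types this edge is willing to serve. SVG and anything
# sniffing as text or HTML are rejected outright because they can carry script.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


class AssetRejected(Exception):
    pass


def sniff(data: bytes) -> Optional[str]:
    """Classify by leading bytes; None means unsupported (and therefore rejected)."""
    for content_type, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return content_type
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_asset(data: bytes, declared_type: str, declared_sha256: str) -> Dict[str, object]:
    """Validate uploaded bytes against what the client declared; raise on any mismatch."""
    if len(data) > MAX_BYTES:
        raise AssetRejected("asset exceeds size limit")
    sniffed = sniff(data)
    if sniffed is None:
        raise AssetRejected("bytes are not a supported raster image")
    if sniffed != declared_type.lower():
        raise AssetRejected(f"declared {declared_type} but bytes sniff as {sniffed}")
    digest = sha256_hex(data)               # re-hash server-side, never trust the client's
    if digest != declared_sha256.lower():
        raise AssetRejected("re-hashed digest does not match the declared digest")
    return {
        "content_type": sniffed,
        "sha256": digest,
        "size": len(data),
        # Content-addressed key: the URL names the bytes, not a client-chosen filename.
        "object_key": f"{digest[:2]}/{digest}",
        "headers": {
            "Content-Type": sniffed,
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox",
            "Cache-Control": "public, max-age=31536000, immutable",
        },
    }


def rejection_reason(data: bytes, declared_type: str, declared_sha256: str) -> Optional[str]:
    """Convenience wrapper: the rejection message, or None when the asset is accepted."""
    try:
        verify_asset(data, declared_type, declared_sha256)
    except AssetRejected as exc:
        return str(exc)
    return None
```

Because the object key is derived from the server-computed digest, a client cannot choose the name under which bytes are served, and the immutable cache header is safe: a different file is a different key.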

08

Release proof

Production deploys stamp the image with gitSha and buildTime, then fail unless the live service reports the expected commit through /v1/service/info.

09

Private connectivity

The first pilot must choose a supported connectivity model: managed SaaS, customer-dedicated GCP, private GKE/GDC, customer-hosted runner, secure relay, or hybrid. Internal systems should fail closed if the selected path is unavailable.

10

Threat model

Before pilots expand, the threat model for internal connectivity must account for prompt injection, tool poisoning, overbroad tools, data exfiltration, destructive actions, lateral movement, connector SSRF, credential misuse, and audit gaps.