Security Overview

This release replaces client-trusted authorization with backend-issued role and organization context, server-owned workflow functions, and stricter Firestore access rules.

Controls included in v3 foundation

• Callable backend operations for privileged workflow mutations
• Protected Firestore collections with read-only client access
• Hosting security headers and CSP
• Audit event generation for server-side operations

Recommended next controls

• Dedicated staging and production projects
• CI/CD approval gates and automated tests
• Monitoring, alerting, and incident response runbooks
• Admin-led role approval workflow and SSO

Report security concerns to security@kruholdings.com.