Security

You should never have to guess why access failed.

Scope, role, verification, and attribution — surfaced with the same clarity as your repository state. Every denial is explicit. Every grant is auditable.

01

Denial flow

Scope first. Then role, verified at the exact resource.

Token scope is checked ahead of role resolution. Every request resolves against the grants at the target resource.

Role denials name the exact path — the namespace or repo where the grant needs to live — so the fix location is never ambiguous.

02

Attribution inspection

Every state names its actor.

Each task-thread state carries principal, provider, model, and confidence as first-class fields — and, when the repo is configured to sign, an Ed25519 attestation on top. Naming is universal; cryptographic verification is opt-in for the chains that need it.

All of it sourced from env vars or explicit flags. Never parsed from a commit message. Never inferred from a Git email.

03

Grant diagnostic

Every denial names the principal, the target, and the role required.

Today: denials surface the subject, the exact resource path, and the role required at that scope. No opaque 403s, no hunting through logs to find which namespace needs a grant.

Next: held-role comparison and structured fix suggestions in the denial payload — so tools can remediate without a human parsing the error. Clearly labeled on the diagnostic below.
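The scope-then-role ordering from "Denial flow" and the structured denial from "Grant diagnostic" together, as an added example that is not Heddle's code: the token shape, the grant table, the `namespace/repo` path layout and the role ranking are all assumptions made for this illustration. Scope is checked before any grant lookup, grants are resolved at the exact resource and then its enclosing namespace, and every denial carries the subject, the resource path and the scope or role that was missing.

```python
"""Scope-then-role authorization with explicit, structured denials.

Added illustration, not Heddle's own code. Token shape, grant table layout
and the role ranking below are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed role hierarchy: each role implies the ones ranked below it.
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset  # e.g. {"repo:read", "repo:write"}


@dataclass(frozen=True)
class Denial:
    reason: str       # "scope" (token was never minted for this) or "role"
    subject: str      # principal the decision was made for
    resource: str     # exact path the decision was made at
    required: str     # missing scope, or role required at that path

    def message(self) -> str:
        if self.reason == "scope":
            return (f"denied: token for {self.subject} lacks scope "
                    f"{self.required!r} (resource {self.resource})")
        return (f"denied: {self.subject} needs role {self.required!r} at "
                f"{self.resource}; add the grant at that path")


@dataclass
class Authorizer:
    # grants[path][subject] = role; path is "namespace" or "namespace/repo"
    grants: dict = field(default_factory=dict)

    def resolve_role(self, subject: str, resource: str) -> Optional[str]:
        """Most specific grant for subject, walking from the exact resource
        up to its namespace."""
        parts = resource.split("/")
        for depth in range(len(parts), 0, -1):
            path = "/".join(parts[:depth])
            role = self.grants.get(path, {}).get(subject)
            if role is not None:
                return role
        return None

    def check(self, token: Token, action: str, resource: str) -> Optional[Denial]:
        # Phase 1: token scope, before any grant lookup. Failing here means
        # the token itself must be re-minted; no grant change would help.
        needed_scope = f"repo:{action}"
        if needed_scope not in token.scopes:
            return Denial("scope", token.subject, resource, needed_scope)
        # Phase 2: role resolved at the target resource. The denial names
        # the exact path so the operator knows where the grant must live.
        role = self.resolve_role(token.subject, resource)
        if role is None or ROLE_RANK[role] < ROLE_RANK[action]:
            return Denial("role", token.subject, resource, action)
        return None


if __name__ == "__main__":
    # Constructed sample grants: alice may read the whole namespace,
    # bob may write one repo inside it.
    auth = Authorizer(grants={"acme": {"alice": "read"},
                              "acme/web": {"bob": "write"}})
    alice = Token("alice", frozenset({"repo:read", "repo:write"}))
    d = auth.check(alice, "write", "acme/web")
    print(d.message() if d else "allowed")
```

The two denial kinds are deliberately distinguishable by machine (`reason`) as well as by text, which is what a later "structured fix suggestion" would hang off.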

04

Token attenuation

Mint sub-agent tokens yourself. Authority only narrows.

Heddle's session token is a Biscuit capability — a chain of cryptographic blocks. The server signs the authority block once at login. Every narrowing after that is a block you append locally, with no round-trip.

When you spin up a sub-agent for a four-hour PR review, an overnight build, or a one-shot scratch session, append a block that says this child can only do X for the next Y hours and hand the bytes over. The verifier runs every block's checks on every request, so a child can never widen what it inherited. Attribution isn't a string parsed from a commit message; it's the keypair signature on the chain that minted the state.
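The attenuation property described above, as an added model that is not Heddle's code and not the Biscuit library: real Biscuit tokens sign each block with a per-block keypair and express checks in Datalog, while this stand-in (an assumption made so it runs offline on the standard library) links blocks with a SHA-256 hash chain and writes checks as plain constraint dicts. The two properties it demonstrates are the ones the text relies on: authority comes only from the server-minted first block, and every appended block can only add checks, so evaluation is a conjunction and a child can neither widen its rights nor drop a parent's restriction.

```python
"""Biscuit-style capability attenuation, simplified.

Added illustration. Assumptions: hash-chained blocks instead of per-block
signatures, dict constraints instead of Datalog. Not Heddle's code.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Optional


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class Block:
    checks: list                               # constraint dicts; all must hold
    facts: dict = field(default_factory=dict)  # honoured only in block 0
    prev: str = ""                             # digest of the preceding block

    def to_obj(self) -> dict:
        return {"checks": self.checks, "facts": self.facts, "prev": self.prev}


@dataclass
class Token:
    blocks: list

    @classmethod
    def mint(cls, subject: str, rights: list, repo_prefix: str) -> "Token":
        """Server side, once at login: the authority block carries the facts."""
        facts = {"subject": subject, "rights": rights, "repo_prefix": repo_prefix}
        return cls([Block(checks=[], facts=facts)])

    def attenuate(self, **constraints) -> "Token":
        """Client side, no round-trip: append a block that only adds checks."""
        prev = _digest(self.blocks[-1].to_obj())
        return Token(self.blocks + [Block(checks=[constraints], prev=prev)])


def _check_holds(c: dict, req: dict, now: float) -> bool:
    # Supported constraints: allowed ops, repo path prefix, expiry timestamp.
    if "ops" in c and req["op"] not in c["ops"]:
        return False
    if "repo_prefix" in c and not req["repo"].startswith(c["repo_prefix"]):
        return False
    if "not_after" in c and now > c["not_after"]:
        return False
    return True


def authorize(token: Token, req: dict, now: Optional[float] = None) -> tuple:
    """Verifier: returns (allowed, reason) for req = {"op": ..., "repo": ...}."""
    now = time.time() if now is None else now
    blocks = token.blocks
    # 1. Chain integrity: each block commits to its predecessor, so a
    #    narrowing block cannot be dropped out of the middle unnoticed.
    for i in range(1, len(blocks)):
        if blocks[i].prev != _digest(blocks[i - 1].to_obj()):
            return False, f"block {i}: broken chain"
    # 2. Authority comes only from block 0; facts in later blocks are ignored,
    #    so appending "rights: admin" locally grants nothing.
    auth = blocks[0].facts
    if req["op"] not in auth["rights"] or not req["repo"].startswith(auth["repo_prefix"]):
        return False, "authority block does not grant this"
    # 3. Every check in every block must hold: a conjunction only narrows.
    for i, b in enumerate(blocks):
        for c in b.checks:
            if not _check_holds(c, req, now):
                return False, f"block {i} check failed: {c}"
    return True, "ok"


if __name__ == "__main__":
    parent = Token.mint("alice", ["read", "write"], "acme/")
    child = parent.attenuate(ops=["read"], not_after=time.time() + 4 * 3600)
    print(authorize(child, {"op": "write", "repo": "acme/web"}))
```

The `attenuate` call is the only operation a holder needs, and it never touches the server; the verifier's three steps are what make the appended block binding.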

05

Redaction

When a secret slips in, scrub the bytes. Keep the receipt.

Heddle is content-addressed and immutable on purpose — but a leaked credential needs to come out. Redaction is the first-class primitive that reconciles both: an attributed, signed operation that declares a blob removed, swaps a stub into every materialized view, and leaves a tombstone any auditor can verify.

Two phases. heddle redact writes the tombstone — the state still resolves, but readers see the redaction notice in place of the secret. heddle purge, owner-only, removes the underlying bytes from local + canonical stores and appends a non-reversible oplog entry. The tombstone stays. The audit trail of the removal stays.
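The two-phase redact/purge flow above, as an added example that is not Heddle's code: a toy content-addressed store where `redact` writes an attributed, signed tombstone while the bytes remain, `purge` (owner-only, and only after a tombstone exists) removes the bytes and appends a non-reversible oplog entry, and reads of a redacted blob resolve to the notice rather than the secret. The store layout, the owner check and the per-principal HMAC keys standing in for a signing keypair are assumptions for this illustration.

```python
"""Two-phase redaction in a content-addressed store.

Added illustration, not Heddle's code. HMAC with constructed per-principal
keys stands in for a real signature (assumption); store layout is assumed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo keys; a real system would use per-principal keypairs.
PRINCIPAL_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}


def blob_id(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canon(rec: dict) -> bytes:
    # Canonical bytes of a record, excluding its own signature field.
    return json.dumps({k: v for k, v in rec.items() if k != "sig"},
                      sort_keys=True).encode()


def _sign(principal: str, rec: dict) -> str:
    return hmac.new(PRINCIPAL_KEYS[principal], _canon(rec), "sha256").hexdigest()


def verify_tombstone(tomb: dict) -> bool:
    """Any auditor can check that the named principal signed this tombstone."""
    return hmac.compare_digest(_sign(tomb["by"], tomb), tomb["sig"])


@dataclass
class Store:
    blobs: dict = field(default_factory=dict)       # blob id -> bytes
    tombstones: dict = field(default_factory=dict)  # blob id -> tombstone
    oplog: list = field(default_factory=list)       # append-only audit trail

    def put(self, data: bytes) -> str:
        bid = blob_id(data)
        self.blobs[bid] = data
        return bid

    def redact(self, bid: str, principal: str, reason: str) -> dict:
        """Phase 1: declare the blob removed. Bytes stay until purge."""
        tomb = {"op": "redact", "blob": bid, "by": principal, "reason": reason}
        tomb["sig"] = _sign(principal, tomb)
        self.tombstones[bid] = tomb
        self.oplog.append(tomb)
        return tomb

    def purge(self, bid: str, principal: str, owner: str) -> dict:
        """Phase 2: owner-only; removes the bytes, leaves the tombstone."""
        if principal != owner:
            raise PermissionError(f"{principal} is not the owner")
        if bid not in self.tombstones:
            raise ValueError("purge requires a tombstone")
        self.blobs.pop(bid, None)
        entry = {"op": "purge", "blob": bid, "by": principal, "reversible": False}
        self.oplog.append(entry)
        return entry

    def read(self, bid: str) -> bytes:
        """State still resolves; a redacted blob materializes as the notice."""
        if bid in self.tombstones:
            t = self.tombstones[bid]
            return f"[redacted by {t['by']}: {t['reason']}]".encode()
        return self.blobs[bid]

    def audit(self, bid: str) -> list:
        return [e for e in self.oplog if e["blob"] == bid]


if __name__ == "__main__":
    s = Store()
    bid = s.put(b"TOKEN=constructed-example-secret")
    s.redact(bid, "bob", "leaked credential")
    s.purge(bid, "alice", owner="alice")
    print(s.read(bid), s.audit(bid))
```

Ordering the phases this way means the audit record exists before any bytes disappear, and the tombstone outlives the purge, so the removal itself stays verifiable after the secret is gone.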

Authorization model

Access clarity is not a feature — it's the baseline.

Scope or role. Token or grant. The answer is always legible — by construction.