Security Architecture

Workjet is designed with security as a foundational principle. The architecture isolates data across three zones, encrypts everything in transit and at rest, and provides multiple layers of protection for credentials, tenant data, and AI interactions.

Three Security Zones

Workjet's architecture is organized into three security zones, each with distinct trust boundaries:

Zone 1: Device (Desktop App)

The Tauri desktop app runs locally on the user's machine. This zone is responsible for:

  • Credential storage: API keys and tokens are stored in the OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
  • MCP connector execution: Connector processes run locally with credentials injected as environment variables
  • Conversation history: Chat data persists on the local filesystem
  • Settings: Stored in the webview's localStorage, which is unencrypted, so it holds preferences only, never credentials

Credentials for external services never leave the device zone: MCP connectors talk to those services directly from the local machine, using secrets read from the OS keychain. The only secret sent off the device is the gateway API key or session cookie used to authenticate to Zone 2.

Zone 2: Gateway (Cloudflare Edge)

The AI gateway runs on Cloudflare Workers at the edge, processing every AI request. This zone handles:

  • Authentication: Session validation (cookies) and API key verification. The presented key is SHA-256 hashed and compared against the stored digest; the comparison should be constant-time so that how far a wrong key matches cannot be measured
  • DLP scanning: Pattern-based detection of sensitive data in requests and responses
  • Model routing: Tier-based selection of AI providers with fallback
  • Rate limiting: Per-user limits backed by Cloudflare KV
  • Audit logging: Immutable records written to Cloudflare R2
  • Multi-tenant isolation: Complete data separation between organizations

Zone 3: AI Providers

External AI providers (Anthropic, OpenAI, Google) or self-hosted models (Ollama) process the actual AI inference. The gateway controls what data reaches this zone through DLP scanning and acts as the sole conduit between users and providers.


  Zone 1: Device          Zone 2: Gateway           Zone 3: Providers
  +----------------+     +--------------------+     +---------------+
  | Desktop App    |     | Cloudflare Workers |     | Anthropic     |
  | - OS Keychain  | --> | - Auth             | --> | OpenAI        |
  | - Local FS     |     | - DLP Pipeline     |     | Google        |
  | - MCP Servers  |     | - Model Router     |     | Ollama        |
  | - localStorage |     | - Audit Logger     |     +---------------+
  +----------------+     | - Rate Limiter     |
                         +--------------------+
                                   |
                       +------+----------+-------+
                       |  D1  |    KV    |  R2   |
                       | Auth | Sessions | Audit |
                       +------+----------+-------+
  

Encryption

In Transit

  • TLS 1.3: All communication between the desktop app, gateway, and AI providers uses TLS 1.3
  • HTTPS only: No unencrypted HTTP connections are accepted
  • Certificate pinning: In addition to standard chain validation, the desktop app checks the gateway's TLS certificate against a pinned value, so a certificate issued by any other CA (for example by an interception proxy) is rejected. Pins must be rotated in the app before the gateway certificate changes, or clients lock themselves out

At Rest

  • Cloudflare R2: AES-256 encryption for audit logs and stored artifacts
  • Cloudflare D1: AES-256 encryption for authentication and configuration data
  • OS Keychain: Platform-native encryption for stored credentials

Credential Management

Workjet handles each class of credential according to where it has to be used:

  • API keys: SHA-256 hashed before storage. The raw key is shown once at creation and never stored or logged. An unsalted hash is adequate only because an API key is a long random value rather than a user-chosen password; there is nothing to dictionary-attack
  • Session cookies: Set with HttpOnly (script cannot read the cookie, limiting what an XSS bug can steal), Secure (sent only over HTTPS) and SameSite=Lax (not sent on cross-site POST requests, which blocks the usual CSRF vector; top-level GET navigations still carry it, so state-changing endpoints must not accept GET)
  • MCP credentials: Stored in the OS keychain on the local device, injected as environment variables at connector startup
  • Provider API keys: Encrypted at rest in the gateway's configuration store

Key principle: Secrets that only need to be verified (user API keys) are stored as SHA-256 digests; secrets that must be presented to a third party (provider keys) are stored encrypted and handled in plaintext only while a request is being forwarded. No raw secret is written to databases, logs, or application state, so a leaked database dump alone does not yield usable credentials.

Multi-Tenant Isolation

Each Workjet organization (tenant) is fully isolated:

  • Data isolation: Each tenant's data (users, skills, automations, audit logs) is stored with tenant-scoped keys and cannot be accessed by other tenants
  • Configuration isolation: Gateway routing rules, DLP policies, and rate limits are per-tenant
  • API key scoping: API keys are tied to a specific tenant and cannot access other tenants' resources
  • Session isolation: Authentication sessions are scoped to the user's tenant
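An added example (not Workjet's code) showing how tenant-scoped keys make the rate limiter described under Zone 2 and the data isolation described here the same mechanism: every KV key is built from the tenant id taken from the verified credential, never from a request parameter, so a per-user counter or record in one tenant can never be read or exhausted from another. FakeKV is a synchronous in-memory stand-in for the Workers KV binding (assumed; the real binding is asynchronous, so each call becomes an await, and eventually consistent, which makes counts approximate across edge locations).

```javascript
// Added example, not Workjet's code. FakeKV is a constructed stand-in for a
// Workers KV binding with the same get/put shape (minus the promises).
class FakeKV {
  constructor(now = () => Date.now()) { this.map = new Map(); this.now = now; }
  get(key) {
    const entry = this.map.get(key);
    if (!entry) return null;
    if (entry.expires !== null && entry.expires <= this.now()) {
      this.map.delete(key);
      return null;
    }
    return entry.value;
  }
  put(key, value, { expirationTtl } = {}) {
    const expires = expirationTtl ? this.now() + expirationTtl * 1000 : null;
    this.map.set(key, { value, expires });
  }
}

// Build a key under one tenant's namespace. Each component is validated so a
// crafted id cannot contain the ':' separator and escape its namespace.
function tenantKey(tenantId, namespace, id) {
  for (const part of [tenantId, namespace, id]) {
    if (typeof part !== 'string' || !/^[A-Za-z0-9_-]+$/.test(part)) {
      throw new Error(`invalid key component: ${part}`);
    }
  }
  return `${tenantId}:${namespace}:${id}`;
}

// A store handle bound to the tenant from the verified session or API key.
// Callers name only namespace and id; the tenant prefix is not theirs to choose.
function tenantStore(kv, tenantId) {
  return {
    get: (namespace, id) => kv.get(tenantKey(tenantId, namespace, id)),
    put: (namespace, id, value, opts) => kv.put(tenantKey(tenantId, namespace, id), value, opts),
  };
}

// Fixed-window per-user limiter: one counter per (tenant, window, user) that
// expires with the window. Returns whether the request may proceed and the
// remaining budget. Because the window start is part of the namespace, old
// counters never collide with new ones.
function checkRateLimit(kv, tenantId, userId, { limit, windowSeconds, now = Date.now() }) {
  const windowStart = Math.floor(now / 1000 / windowSeconds) * windowSeconds;
  const key = tenantKey(tenantId, `ratelimit-${windowStart}`, userId);
  const used = Number(kv.get(key) ?? 0);
  const resetAt = windowStart + windowSeconds;
  if (used >= limit) return { allowed: false, remaining: 0, resetAt };
  kv.put(key, String(used + 1), { expirationTtl: windowSeconds * 2 });
  return { allowed: true, remaining: limit - used - 1, resetAt };
}

module.exports = { FakeKV, tenantKey, tenantStore, checkRateLimit };
```

With eventually consistent storage two edge locations can each see `used` below the limit for a moment and both admit a request, so treat the limit as a ceiling on abuse rather than an exact quota; an exact count needs a single serialisation point such as a Durable Object.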

Network Architecture

  • No direct provider access: The desktop app never communicates directly with AI providers. All requests go through the gateway.
  • Edge processing: The gateway runs on Cloudflare's global edge network, minimizing latency while maintaining the security chokepoint
  • No listening ports on the device: The desktop app only makes outbound HTTPS connections to the gateway and runs no inbound service of its own, so there is nothing on the user's machine for an attacker to connect to. On the gateway side the only exposed surface is the Workers HTTPS endpoint, which rejects unauthenticated requests

DLP Pipeline

The DLP pipeline provides an additional layer of protection:

  • Scans both requests (user to AI) and responses (AI to user)
  • Six built-in patterns for credit cards, SSNs, emails, phones, AWS keys, and API secrets
  • Custom regex patterns for organization-specific data
  • Configurable actions: redact, block, or warn
  • All detections recorded in the audit log
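An added example of what such a pipeline looks like in code (not Workjet's implementation): the six built-in detectors, a per-tenant policy mapping each to redact, block or warn, custom patterns, and an audit callback that records the pattern name and action but never the matched text. The regexes, the Luhn check that drops card-number false positives, and the record shape are my own choices.

```javascript
// Added example, not Workjet's code. Pattern set, Luhn validation and the
// audit-record shape are assumptions made for this illustration.

// Luhn checksum: rejects digit runs that merely look like card numbers.
function luhnValid(s) {
  const digits = s.replace(/\D/g, '');
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Built-in detectors. An optional validate() vetoes individual matches.
const BUILTIN_PATTERNS = [
  { name: 'credit_card', regex: /\b\d(?:[ -]?\d){12,18}\b/g, validate: luhnValid },
  { name: 'ssn',         regex: /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g },
  { name: 'email',       regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { name: 'phone',       regex: /\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g },
  { name: 'aws_key',     regex: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { name: 'api_secret',  regex: /\b(?:sk-[A-Za-z0-9_-]{20,}|ghp_[A-Za-z0-9]{36})\b/g },
];

const ACTIONS = new Set(['redact', 'block', 'warn']);

// Scan one message in either direction ('request' or 'response').
//   policy: { [patternName]: 'redact' | 'block' | 'warn' }  (per tenant)
//   custom: [{ name, regex (global), action }]             (per tenant)
//   audit:  callback receiving one record per pattern that fired
// Returns { text, blocked, findings }; text is null when the message is blocked.
function scanMessage({ text, direction, tenantId, userId, policy = {}, custom = [] }, audit) {
  const detectors = [...BUILTIN_PATTERNS, ...custom];
  const findings = [];
  let out = text;
  let blocked = false;
  for (const det of detectors) {
    const action = det.action ?? policy[det.name] ?? 'warn';
    if (!ACTIONS.has(action)) throw new Error(`unknown DLP action ${action} for ${det.name}`);
    let count = 0;
    // replace() with a callback visits every match and lets the validator veto it;
    // detectors run in order, so later ones see earlier redactions, not raw data.
    out = out.replace(det.regex, (m) => {
      if (det.validate && !det.validate(m)) return m;
      count += 1;
      return action === 'redact' ? `[REDACTED:${det.name}]` : m;
    });
    if (count === 0) continue;
    if (action === 'block') blocked = true;
    const finding = { pattern: det.name, action, count, direction };
    findings.push(finding);
    // The audit record carries the pattern and action, never the matched value.
    audit({ ts: new Date().toISOString(), tenantId, userId, ...finding });
  }
  // A block outranks any redaction: the whole message is dropped.
  return { text: blocked ? null : out, blocked, findings };
}

module.exports = { luhnValid, BUILTIN_PATTERNS, scanMessage };
```

Scanning continues after a blocking hit so the audit log records everything the message contained, and the same function runs on the provider's response so a model that echoes a secret from its context is caught on the way back.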

Audit Trail

The audit logging system provides an immutable record of every interaction:

  • Every AI request and response is logged with user identity, model, tokens, and cost
  • DLP detections are recorded with pattern name and action taken
  • Admin actions (user management, configuration changes) are logged
  • Logs are stored in Cloudflare R2 with AES-256 encryption
  • Logs are immutable — they cannot be modified or deleted
  • Exportable for external compliance systems

Compliance Readiness

Workjet's security architecture supports compliance with:

  Standard   Relevant Controls
  SOC 2      Access control, audit logging, encryption, multi-tenant isolation
  HIPAA      DLP for PHI, audit trail, encryption at rest and in transit, access controls
  GDPR       DLP for PII, data processing records (audit logs), right to access (export)

Enterprise: Organizations requiring SOC 2 reports, BAAs for HIPAA, or DPAs for GDPR should contact the Workjet team for Enterprise plan details, which include self-hosted gateway options and dedicated compliance support.

Next Steps